[PATCH v2 1/4] Add SELinux policy for virt

Vit Mojzis vmojzis at redhat.com
Fri May 21 10:34:34 UTC 2021


On 4/28/21 11:29 AM, Daniel P. Berrangé wrote:
> On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
>> On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
>>> On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
>>>> From: Nikola Knazekova <nknazeko at redhat.com>
>>>>
>>>> SELinux policy was created for:
>>>>
>>>> Hypervisor drivers:
>>>> - virtqemud (QEMU/KVM)
>>>> - virtlxcd (LXC)
>>>> - virtvboxd (VirtualBox)
>>>>
>>>> Secondary drivers:
>>>> - virtstoraged (host storage mgmt)
>>>> - virtnetworkd (virtual network mgmt)
>>>> - virtinterface (network interface mgmt)
>>>> - virtnodedevd (physical device mgmt)
>>>> - virtsecretd (security credential mgmt)
>>>> - virtnwfilterd (ip[6]tables/ebtables mgmt)
>>>> - virtproxyd (proxy daemon)
>>>>
>>>> SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
>>>>
>>>> Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
>>>> ---
>>>>    libvirt.spec.in |   64 ++
>>>>    selinux/virt.fc |  111 +++
>>>>    selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
>>>>    selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
>>>>    4 files changed, 4245 insertions(+)
>>>>    create mode 100644 selinux/virt.fc
>>>>    create mode 100644 selinux/virt.if
>>>>    create mode 100644 selinux/virt.te
>>> I was expecting to see the /etc/selinux/targeted/contexts/ files
>>> that belong to the virt policy included as well.
>> Those are compiled from the whole policy and would not be created without
>> the corresponding selinux-policy-* package.
> AFAICT, these are not compiled at all, they're just static data files
> in git:
>
>    https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appconfig-mcs/virtual_domain_context
>
> They're referring to contexts that are defined in the virt.if policy,
> so I'd expect the static data files to live with libvirt.git, so that
> we can add to them at a later time if we modify virt.if
Oh, yes, correct. Those are basically config files.

Not sure how to handle the transfer though. It would be best to have a 
period when the policy and all related files are in both 
selinux-policy-* and libvirt-daemon-selinux packages, but that would 
present a conflict for these files.


>
>
>
>>>> diff --git a/selinux/virt.te b/selinux/virt.te
>>>> new file mode 100644
>>>> index 0000000000..59dedb8754
>>>> --- /dev/null
>>>> +++ b/selinux/virt.te
>>>> @@ -0,0 +1,2086 @@
>>>> +policy_module(virt, 1.5.0)
>>> Is there some include file syntax we can use with this so
>>> that we can split it up.  I'm not asking you to split it,
>>> but I'll later want to make it have one file for each daemon
>>> and a few files for the common pieces, to make this easier
>>> to manage.
>> I'm not aware of any include syntax other than .if files. In theory you
>> could use multiple interface files, each containing an interface covering a
>> single daemon. All of those interfaces would then be "called" from virt.te.
>>
>> Other than that you'd need to have multiple policy modules in order to use
>> multiple .te files.
> Or probably easiest if we just pre-process the files ourselves to combine
> them
+1
>
>
> Regards,
> Daniel
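The "pre-process the files ourselves to combine them" idea from the thread, as an added shell example that is not part of the patch or of libvirt: per-daemon .te fragments are concatenated into one virt.te with a single policy_module() header, so the result still builds as one module. The fragment names and their contents (including the virtqemud_t / virtstoraged_t type names) are constructed for the demo.

```shell
#!/bin/sh
# Added example: combine per-daemon SELinux .te fragments into one module
# source. Not libvirt code; fragment layout and contents are constructed.
set -eu

# combine_te OUT MODULE VERSION FRAG... : write one policy module source.
# Exactly one policy_module() header is emitted; a header found inside a
# fragment is dropped so the combined file still loads as one module.
combine_te() {
    out=$1; module=$2; version=$3; shift 3
    printf 'policy_module(%s, %s)\n' "$module" "$version" > "$out"
    for frag in "$@"; do
        [ -r "$frag" ] || { echo "missing fragment: $frag" >&2; return 1; }
        printf '\n## --- %s ---\n' "$(basename "$frag")" >> "$out"
        grep -v '^policy_module(' "$frag" >> "$out" || true
    done
}

# count_headers FILE : number of policy_module() lines (must be exactly 1).
count_headers() { grep -c '^policy_module(' "$1" || true; }

# Constructed fragments: a common part plus one file per daemon.
write_demo_fragments() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/common.te" <<'EOF'
policy_module(virt, 1.5.0)
attribute virt_domain;
type virt_var_run_t;
files_pid_file(virt_var_run_t)
EOF
    cat > "$dir/virtqemud.te" <<'EOF'
type virtqemud_t;
type virtqemud_exec_t;
init_daemon_domain(virtqemud_t, virtqemud_exec_t)
EOF
    cat > "$dir/virtstoraged.te" <<'EOF'
type virtstoraged_t;
type virtstoraged_exec_t;
init_daemon_domain(virtstoraged_t, virtstoraged_exec_t)
EOF
}
```

After combining, the usual `make -f /usr/share/selinux/devel/Makefile virt.pp` build step applies to the generated virt.te exactly as to a hand-written one.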