[PATCH v2 1/4] Add SELinux policy for virt
vmojzis at redhat.com
Fri May 21 10:34:34 UTC 2021
On 4/28/21 11:29 AM, Daniel P. Berrangé wrote:
> On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
>> On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
>>> On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
>>>> From: Nikola Knazekova <nknazeko at redhat.com>
>>>> SELinux policy was created for:
>>>> Hypervisor drivers:
>>>> - virtqemud (QEMU/KVM)
>>>> - virtlxcd (LXC)
>>>> - virtvboxd (VirtualBox)
>>>> Secondary drivers:
>>>> - virtstoraged (host storage mgmt)
>>>> - virtnetworkd (virtual network mgmt)
>>>> - virtinterface (network interface mgmt)
>>>> - virtnodedevd (physical device mgmt)
>>>> - virtsecretd (security credential mgmt)
>>>> - virtnwfilterd (iptables/ebtables mgmt)
>>>> - virtproxyd (proxy daemon)
>>>> SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
>>>> Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
>>>> libvirt.spec.in | 64 ++
>>>> selinux/virt.fc | 111 +++
>>>> selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
>>>> selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
>>>> 4 files changed, 4245 insertions(+)
>>>> create mode 100644 selinux/virt.fc
>>>> create mode 100644 selinux/virt.if
>>>> create mode 100644 selinux/virt.te
>>> I was expecting to see the /etc/selinux/targeted/contexts/ files
>>> that belong to the virt policy included as well.
>> Those are compiled from the whole policy and would not be created without
>> the corresponding selinux-policy-* package.
> AFAICT, these are not compiled at all, they're just static data files
> in git:
> They're referring to contexts that are defined in the virt.if policy,
> so I'd expect the static data files to live with libvirt.git, so that
> we can add to them at a later time if we modify virt.if
Oh, yes, correct. Those are basically config files.
Not sure how to handle the transfer though. It would be best to have a
period when the policy and all related files are in both
selinux-policy-* and libvirt-daemon-selinux packages, but that would
present a conflict for these files.
>>>> diff --git a/selinux/virt.te b/selinux/virt.te
>>>> new file mode 100644
>>>> index 0000000000..59dedb8754
>>>> --- /dev/null
>>>> +++ b/selinux/virt.te
>>>> @@ -0,0 +1,2086 @@
>>>> +policy_module(virt, 1.5.0)
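Review bot: `policy_module(virt, 1.5.0)` reuses the module name `virt` that the distribution's selinux-policy package already installs, and the version argument does not decide which copy is active; when both packages ship a `virt` module, precedence comes from the priority the module is installed at (`semodule -X <priority> -i virt.pp`), so the libvirt.spec.in changes should install this module at a higher priority than the distro copy and the commit message should state that, otherwise the two packages silently fight over the same module name.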
>>> Is there some include file syntax we can use with this so
>>> that we can split it up. I'm not asking you to split it,
>>> but I'll later want to make it have one file for each daemon
>>> and a few files for the common pieces, to make this easier
>>> to manage.
>> I'm not aware of any include syntax other than .if files. In theory you
>> could use multiple interface files, each containing an interface covering a
>> single daemon. All of those interfaces would then be "called" from virt.te.
>> Other than that you'd need to have multiple policy modules in order to use
>> multiple .te files.
> Or probably easiest if we just pre-process the files ourselves to combine
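As an added illustration (not code from the patch or from libvirt), here is the layout Vit describes in refpolicy syntax: a shared template in virt.if, one .if file per daemon carrying only that daemon's rules, and a short virt.te that calls them. The template name virt_driver_template, the virt_driver_domain attribute, the type names and the rule list are assumptions made for the example; the real rules are the ones in the patch's virt.te.

```m4
# --- virt.if: the common piece, shared by every driver daemon (assumed) ---
## <summary>
##	Declare a libvirt driver daemon domain and the rules all
##	drivers need. The rule list here is illustrative only.
## </summary>
## <param name="prefix">
##	<summary>Daemon name, e.g. virtqemud.</summary>
## </param>
#
template(`virt_driver_template',`
	gen_require(`
		attribute virt_driver_domain;
	')

	# Types are declared in a template(), not an interface(),
	# because refpolicy convention reserves declarations for templates.
	type $1_t, virt_driver_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)
	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file })
')

# --- virtqemud.if: one file per daemon, daemon-specific rules only ---
## <summary>
##	Rules that only the QEMU/KVM driver needs (assumed example).
## </summary>
#
interface(`virt_qemud_policy',`
	gen_require(`
		type virtqemud_t;
	')

	# The KVM driver is the one daemon that needs /dev/kvm.
	dev_rw_kvm(virtqemud_t)
')

# --- virt.te: the only file the build compiles; it just calls the pieces ---
policy_module(virt, 1.5.0)

attribute virt_driver_domain;

virt_driver_template(virtqemud)
virt_driver_template(virtlxcd)
virt_driver_template(virtstoraged)
virt_driver_template(virtnetworkd)

virt_qemud_policy()
```

Build it the usual way with `make -f /usr/share/selinux/devel/Makefile virt.pp`. As far as I know that Makefile feeds every *.if in the module directory into the m4 interface set, so no include directive is needed for virtqemud.if to be visible from virt.te; confirm that against the Makefile shipped by the target distribution before relying on it. One caveat worth remembering: the .if files are m4 macros, so an unbalanced quote in any per-daemon file breaks the expansion of virt.te as a whole, and the error points at the call site rather than at the file that caused it.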