[PATCH v2] Add SELinux policy for virt

Daniel P. Berrangé berrange at redhat.com
Mon May 24 12:36:29 UTC 2021


On Mon, May 24, 2021 at 05:25:19AM -0700, Andrea Bolognani wrote:
> On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
> > On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
> > > On 4/30/21 10:28 PM, Vit Mojzis wrote:
> > > > On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
> > > > > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > > > > Sorry for the long delay. This is our first request to ship a
> > > > > > policy for
> > > > > > multiple selinux stores (targeted, mls and minimum).
> > > > > >
> > > > > > Changes:
> > > > > > * Replace all selinux-policy-%{policytype} dependencies with
> > > > > > selinux-policy-base
> > > > > > * Add Ghost files representing installed policy modules in all
> > > > > > policy stores
> > > > > > * Rewrite policy compilation script in python
> > > > > > * Compile the policy module twice (1 version for
> > > > > > targeted/minimum - with
> > > > > >    enable_mcs, and 1 for mls - with enable_mls)
> > > > > > * Manage policy (un)installation using triggers based on which policy
> > > > > >    type is available
> > > > > >
> > > > > > The new policy was only tested in "targeted" mode so far and
> > > > > > we'll need to make
> > > > > > sure it works properly in "mls". As for "minimum", we know it will not
> > > > > > work properly (as is the case of the current policy) by default (some
> > > > > > other "contrib" policy modules need to be enabled).
> > > > > > I'd argue there is no point trying to get it to work in "minimum",
> > > > > > mostly because it (minimum) will be retired soon.
> > > > >
> > > > > I'm wondering how SELinux is supposed to integrate with containers when
> > > > > using a modular policy.
> > > > >
> > > > > Right now you can install RPMs in a container, and use selinux
> > > > > enforcement
> > > > > on that container because the host OS policy provides all the rules
> > > > > in the
> > > > > monolithic blob.
> > > > > If we take this policy into libvirt, then when you install libvirt in a
> > > > > container, there will be no selinux policy available.
> > > > >
> > > > > Users can't install libvirt-selinux inside the container, as it
> > > > > needs to be
> > > > > built against the main policy in the host.
> > > > >
> > > > > User likely won't install libvirt-selinux outside the container as that
> > > > > defeats the purpose of using containers for their deployment mechanism.
> > > > >
> > > > > Container based deployment of libvirt is important for both OpenStack
> > > > > and KubeVirt.
> > >
> > > So from discussions with respective developers I got the following:
> > >
> > > KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil,
> > > that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only
> > > installed inside the container and there is no bind mount of
> > > /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the
> > > host.
> >
> > With OpenStack I believe their deployment tool manages the config of
> > the entire host, so installing the libvirt-daemon-selinux package
> > ought to be reasonably straightforward for them.
> >
> > I worry about KubeVirt though. IIUC in their deployment, the hosts
> > in use are all provisioned by OpenShift upfront & when KubeVirt is
> > deployed, the only pieces they're deploying live inside the host.
> >
> > IOW, it seems like libvirt-daemon-selinux would have to be provided
> > ahead of time by OpenShift if it is to be used, and I'm not sure
> > if that's a practical requirement.
> >
> > I think we need to get explicit confirmation from KubeVirt that
> > a requirement to installing RPMs directly on the host is going
> > to be acceptable.
> 
> I'm afraid that's not going to fly for KubeVirt.
> 
> Adding Roman and Vladik so they can provide more information.
> 
> For context, the discussion is about shipping the SELinux policy
> for libvirt as part of a sub-package of libvirt instead of the main
> selinux-policy package.

Reading again, I realize Vit links to a URL above that shows
virt-handler includes a custom selinux policy.

How does that get deployed, and can the libvirt-daemon-selinux
stuff be deployed in the same way ?

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
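As an added example that is not part of this thread and not libvirt's own spec or build script: a POSIX shell sketch of the install logic Vit describes, one module variant built with enable_mcs for the targeted and minimum stores and one built with enable_mls for mls, installed only into the policy stores that actually exist on the host. The module file names virt-mcs.pp and virt-mls.pp, the ROOT prefix (used so the logic can be exercised against a constructed directory tree) and the dry-run mode are assumptions of this example; the semodule -s (select store) and -i (install) flags are real.

```shell
#!/bin/sh
# Added example, not libvirt's packaging code. Decides which pre-built
# policy module variant goes into each SELinux policy store present on
# a host, mirroring the "triggers based on which policy type is
# available" approach from the thread.

# Map a policy store to the module variant the thread describes:
# targeted and minimum are built with enable_mcs, mls with enable_mls.
variant_for_store() {
    case "$1" in
        targeted|minimum) echo mcs ;;
        mls)              echo mls ;;
        *)                return 1 ;;
    esac
}

# List the policy stores installed under $ROOT/etc/selinux (ROOT is
# empty on a real host; a constructed prefix when testing offline).
# The presence of the store directory is what the triggers key on.
installed_stores() {
    root="${1:-}"
    for store in targeted minimum mls; do
        [ -d "$root/etc/selinux/$store" ] && echo "$store"
    done
    return 0
}

# Emit (dry run) or execute the semodule commands that install the
# matching variant into every installed store. MODULE_DIR is assumed
# to hold virt-mcs.pp and virt-mls.pp (hypothetical file names).
install_module_all_stores() {
    root="$1"; module_dir="$2"; dry_run="${3:-yes}"
    for store in $(installed_stores "$root"); do
        variant=$(variant_for_store "$store") || continue
        pp="$module_dir/virt-$variant.pp"
        # semodule -s selects the target store, -i installs a .pp file
        cmd="semodule -s $store -i $pp"
        if [ "$dry_run" = yes ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Usage on a real host (runs semodule for each store found):
#   install_module_all_stores "" /usr/share/selinux/packages no
```

The dry-run path is what an RPM %triggerin scriptlet would print before being wired to run for real; stores that are absent simply produce no command, which is the behaviour the thread wants for hosts carrying only one of targeted, minimum or mls.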