passt SELinux labelling (was: Re: [PATCH v2 1/3] qemu_passt: Don't make passt transition to svirt_t/libvirt_domain on start)

Daniel P. Berrangé berrange at redhat.com
Fri Mar 3 17:15:43 UTC 2023 

On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 03:47:23PM +0000, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
> > > I'm in no way a SELinux expert, but the idea of figuring out the
> > > runtime label for the process based on information found on the
> > > filesystem makes me uncomfortable. The idea of using some sort of
> > > text transformation to get from one to the other, even more so.
> >
> > Using the label on the filesystem is precisely the right way to
> > do this with SELinux. It is what the kernel does every time a
> > binary is invokved, unless the caller has overriden the target
> > type.
> >
> > > Since we know that we're launching passt and not some other random
> > > helper, why can't we simply use passt_t directly here? It feels like
> > > that would be less prone to issues caused by accidental (or
> > > intentional) misconfigurations.
> >
> > That ties libvirt's code to a specific policy impl which is
> > not a desirable thing. Same reason we don't hardcode svirt_t
> > as a type for QEMU, but instead query it dynamically from
> > the installed policy.
> 
> Do I understand correctly that this happens in
> virSecuritySELinuxQEMUInitialize(), by parsing the contents of the
> file located via a call to selinux_virtual_domain_context_path()?

Yes.

> Poking around at the other files present in the same directory I see
> various formats being used, including... XML? It looks like SELinux
> implements facilities for exposing arbitrary information about the
> active policy at well-known locations, with (I assume) the explicit
> purpose of enabling this kind of interaction.
> 
> So wouldn't that be the way to go for passt, and other helpers too?
> Have SELinux expose a virtual_helpers_context file, that we can parse
> to figure out the appropriate labels to use for passt and friends?

No, I don't think so. The helpers file is a bit of a special case
that was needed because there were multiple contexts we needed to
cope with for running QEMU.

I don't see any reason not to follow what the kernel already does
by relying on the labelled file context.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list