[libvirt PATCH 02/13] selinux: introduce build, install, packaging for selinux policy

From: Vit Mojzis <vmojzis(a)redhat.com&gt; Compile the policy using a script executed by meson. Generate 2 versions of the binary policy to allow installation to systems with any selinux type (targeted, mls and minimum). Signed-off-by: Vit Mojzis <vmojzis(a)redhat.com&gt; --- libvirt.spec.in | 92 ++++++++++++++++ src/security/meson.build | 13 +++ src/security/selinux/compile_policy.py | 144 +++++++++++++++++++++++++ src/security/selinux/mcs/meson.build | 20 ++++ src/security/selinux/meson.build | 7 ++ src/security/selinux/mls/meson.build | 20 ++++ 6 files changed, 296 insertions(+) create mode 100755 src/security/selinux/compile_policy.py create mode 100644 src/security/selinux/mcs/meson.build create mode 100644 src/security/selinux/meson.build create mode 100644 src/security/selinux/mls/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index c3f50224cc..aa50db3c16 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,12 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 34 || 0%{?rhel} > 8 + %global with_selinux 1 + %global modulename virt +%endif + %define min_rhel 8 %define min_fedora 33 @@ -427,6 +433,12 @@ Requires(pre): shadow-utils # Needed by /usr/libexec/libvirt-guests.sh script. Requires: gettext +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-daemon-selinux if selinux-policy-base) +%endif + # Ensure smooth upgrades Obsoletes: libvirt-admin < 7.3.0 Provides: libvirt-admin = %{version}-%{release} @@ -930,6 +942,19 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} %description nss Libvirt plugin for NSS for translating domain names into IP addresses. +%if 0%{?with_selinux} +# SELinux subpackage +%package daemon-selinux +Summary: Libvirt daemon SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description daemon-selinux +SELinux policy module for libvirt daemons. +%endif %prep @@ -1603,6 +1628,63 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_pre -s ${SELINUXTYPE} +fi + +%post daemon-selinux +# only policy reload is needed - module installation is managed by triggers +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || : + +%postun daemon-selinux +if [ $1 -eq 0 ]; then + /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : +fi + +%posttrans daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_post -s ${SELINUXTYPE} +fi + +# install the policy module to corresponding policy store if +# selinux-policy-{targeted|mls|minimum} package is installed on the system +%triggerin -n %{name}-daemon-selinux -- selinux-policy-targeted +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-minimum +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : +# libvirt module is installed by default, but disabled -- enable it +/usr/sbin/semodule -n -s minimum -e %{modulename} || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-mls +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || : + +# remove the policy module from corresponding module store if +# libvirt-selinux or selinux-policy-* was removed from the system, +# but not when either package gets updated +%triggerun -n %{name}-daemon-selinux -- selinux-policy-targeted +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- selinux-policy-minimum +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || : + /usr/sbin/semodule -n -d %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- selinux-policy-mls +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || : +fi +%endif + %files %files docs @@ -2063,5 +2145,15 @@ exit 0 %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml +%if 0%{?with_selinux} +%files daemon-selinux +%{_datadir}/selinux/packages/%{modulename}.pp.* +%{_datadir}/selinux/packages/mls/%{modulename}.pp.* +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} +%{_datadir}/selinux/devel/include/distributed/%{modulename}.if +%endif + %changelog diff --git a/src/security/meson.build b/src/security/meson.build index 6f5e1dec1d..ac360fa37a 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -55,3 +55,16 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif + +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>33')) or + (os_release.contains('rhel') and os_version.version_compare('>8'))) + subdir('selinux') +endif diff --git a/src/security/selinux/compile_policy.py b/src/security/selinux/compile_policy.py new file mode 100755 index 0000000000..95f0741d1a --- /dev/null +++ b/src/security/selinux/compile_policy.py @@ -0,0 +1,144 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# <http://www.gnu.org/licenses/>;. + +# This script is based on selinux-policy Makefile +# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Mak... + +import subprocess +import sys +import os +import glob + +if len(sys.argv) != 7: + print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr) + exit(os.EX_USAGE) + +module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0] + +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms", + "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", + "-D", "mcs_num_cats=1024"] + +if sys.argv[6] == "mls": + m4param = ["-D", "enable_mls"] + m4param +else: + m4param = ["-D", "enable_mcs"] + m4param + +SHAREDIR = "/usr/share/selinux" +HEADERDIR = os.path.join(SHAREDIR, "devel/include") + +m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR))) +header_layers = glob.glob("{}/*/".format(HEADERDIR)) +header_layers = sorted([x for x in header_layers + if os.path.join(HEADERDIR, "support") not in x]) + +header_interfaces = [] +for layer in header_layers: + header_interfaces.extend(glob.glob("{}/*.if".format(layer))) +header_interfaces.sort() + +# prepare temp folder +try: + os.makedirs(sys.argv[5]) +except Exception: + pass + +# remove old trash from the temp folder +tmpfiles = ["{}.{}".format(module_name, ext) + for ext in ["mod", "mod.fc", "tmp"]] +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles: + try: + os.remove(os.path.join(sys.argv[5], name)) + except Exception: + pass + +# tmp/all_interfaces.conf +# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file: + file.write("ifdef(`__if_error',`m4exit(1)')\n") + +# echo "divert(-1)" > $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file: + int_file.write("divert(-1)\n") + +# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 +# | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +m4_run = subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format( + " ".join([*m4support, *header_interfaces, sys.argv[2], + os.path.join(sys.argv[5], "iferror.m4")]), + os.path.join(sys.argv[5], "all_interfaces.conf")), + shell=True, check=True, stderr=subprocess.PIPE, + universal_newlines=True) + +# Filter out messages about duplicate definition of interfaces. e.g. +# virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original +# definition on 13. +# They are expected and can be safely ignored. +for line in m4_run.stderr.split('\n'): + if line and "Error: duplicate definition of" not in line: + print(line, file=sys.stderr) + +# doesn't work properly without "shell=True" +# m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2], +# os.path.join(sys.argv[5], "iferror.m4")], +# stdout=PIPE, stderr=PIPE) +# sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"], +# stdin=m4_process.stdout, stdout=int_file) +# outs, errs = m4_process.communicate() + +# echo "divert" >> $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file: + file.write("divert\n") + +# tmp/%.mod +# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "w") as tmp_file: + subprocess.run(["m4", *m4param, "-s", *m4support, + os.path.join(sys.argv[5], "all_interfaces.conf"), + sys.argv[1]], stdout=tmp_file, check=True) + +# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +subprocess.run(["/usr/bin/checkmodule", + "-M", + "-m", + os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "-o", + os.path.join(sys.argv[5], "{}.mod".format(module_name))], + check=True) + + +# tmp/%.mod.fc +# m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +with open(os.path.join(sys.argv[5], + "{}.mod.fc".format(module_name)), "w") as mod_fc_file: + subprocess.run(["m4", *m4param, *m4support, sys.argv[3]], + stdout=mod_fc_file, check=True) + +# %.pp +# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod +# -f $5/$MODULE_NAME.mod.fc +subprocess.run(["/usr/bin/semodule_package", + "-o", + sys.argv[4], + "-m", + os.path.join(sys.argv[5], "{}.mod".format(module_name)), + "-f", + os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))], + check=True) diff --git a/src/security/selinux/mcs/meson.build b/src/security/selinux/mcs/meson.build new file mode 100644 index 0000000000..419253f151 --- /dev/null +++ b/src/security/selinux/mcs/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# targeted/minimum policy module +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mcs/tmp', 'mcs'], + install : false) + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages') diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build new file mode 100644 index 0000000000..f9dde73e62 --- /dev/null +++ b/src/security/selinux/meson.build @@ -0,0 +1,7 @@ +set_variable('compile_policy_prog', find_program('compile_policy.py')) +set_variable('bzip2_prog', find_program('bzip2')) + +install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed') + +subdir('mcs') +subdir('mls') diff --git a/src/security/selinux/mls/meson.build b/src/security/selinux/mls/meson.build new file mode 100644 index 0000000000..20bab41fea --- /dev/null +++ b/src/security/selinux/mls/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# MLS policy module +virt_pp_mls = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'], + install : false) + +bzip_mls = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp_mls, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/mls') -- 2.31.1