On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
> From: Nikola Knazekova <nknazeko(a)redhat.com>
>
> SELinux policy was created for:
>
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
>
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterface (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
>
> SELinux policy for virtvxz and virtxend has not been created yet, because I
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until
the AVC messages are reproduced internally and policy for these drivers is made.
>
> Signed-off-by: Nikola Knazekova <nknazeko(a)redhat.com>
> ---
> libvirt.spec.in | 64 ++
> selinux/virt.fc | 111 +++
> selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
> selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 4245 insertions(+)
> create mode 100644 selinux/virt.fc
> create mode 100644 selinux/virt.if
> create mode 100644 selinux/virt.te
I was expecting to see the /etc/selinux/targeted/contexts/ files
that belong to the virt policy included as well.
Those are compiled from the whole policy and would not be created
without the corresponding selinux-policy-* package.
Also, do we need to make the virt.if file be part of one of
the RPMs ? flatpak-selinux includes its .if file.
Yes, good point. We had some issues shipping custom interface files on
rhel 8, but those have been resolved (and yours doesn't contain ifndefs,
which was the culprit).
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index f9af330186..9cbdb2c513 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -3,6 +3,13 @@
> # This spec file assumes you are building on a Fedora or RHEL version
> # that's still supported by the vendor. It may work on other distros
> # or versions, but no effort will be made to ensure that going forward.
> +
> +%if 0%{?fedora} > 33 || 0%{?rhel} > 8
> + %global with_selinux 1
> + %global selinuxtype targeted
> + %global modulename virt
> +%endif
> +
> %define min_rhel 7
> %define min_fedora 31
>
> @@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}
> Requires: libvirt-client = %{version}-%{release}
> Requires: libvirt-libs = %{version}-%{release}
>
> +%if 0%{?with_selinux}
> +# This ensures that the *-selinux package and all it’s dependencies are not pulled
> +# into containers and other systems that do not use SELinux
> +Requires: (%{name}-selinux if selinux-policy-base)
> +%endif
This is in the main "libvirt" package which is just an empty shim.
I think we'll need it in the "libvirt-daemon" package instead to
start off with.
Thanks, moved.
> +%if 0%{?with_selinux}
> +# SELinux subpackage
> +%package selinux
s/selinux/daemon-selinux/ since its only used by the daemons.
Updated.
> +Summary: Libvirt SELinux policy
> +Requires: selinux-policy-base
> +Requires(post): selinux-policy-base
> +BuildRequires: selinux-policy-devel
> +BuildArch: noarch
> +%{?selinux_requires}
> +
> +%description selinux
> +SELinux policy module for libvirt.
> +%endif
> diff --git a/selinux/virt.te b/selinux/virt.te
> new file mode 100644
> index 0000000000..59dedb8754
> --- /dev/null
> +++ b/selinux/virt.te
> @@ -0,0 +1,2086 @@
> +policy_module(virt, 1.5.0)
Is there some include file syntax we can use with this so
that we can split it up. I'm not asking you to split it,
but I'll later want to make it have one file for each daemon
and a few files for the common pieces, to make this easier
to manage.
I'm not aware of any include syntax other than .if files. In theory
you
could use multiple interface files, each containing an interface
covering a single daemon. All of those interfaces would then be "called"
from virt.te.
Other than that you'd need to have multiple policy modules in order to
use multiple .te files.
Regards,
Daniel