On 4/28/21 11:29 AM, Daniel P. Berrangé wrote:
On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
> On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
>> On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
>>> From: Nikola Knazekova <nknazeko(a)redhat.com>
>>>
>>> SELinux policy was created for:
>>>
>>> Hypervisor drivers:
>>> - virtqemud (QEMU/KVM)
>>> - virtlxcd (LXC)
>>> - virtvboxd (VirtualBox)
>>>
>>> Secondary drivers:
>>> - virtstoraged (host storage mgmt)
>>> - virtnetworkd (virtual network mgmt)
>>> - virtinterface (network interface mgmt)
>>> - virtnodedevd (physical device mgmt)
>>> - virtsecretd (security credential mgmt)
>>> - virtnwfilterd (ip[6]tables/ebtables mgmt)
>>> - virtproxyd (proxy daemon)
>>>
>>> SELinux policy for virtvxz and virtxend has not been created yet, because I
>>> wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until
>>> the AVC messages are reproduced internally and policy for these drivers is made.
>>>
>>> Signed-off-by: Nikola Knazekova <nknazeko(a)redhat.com>
>>> ---
>>> libvirt.spec.in | 64 ++
>>> selinux/virt.fc | 111 +++
>>> selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++
>>> selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
>>> 4 files changed, 4245 insertions(+)
>>> create mode 100644 selinux/virt.fc
>>> create mode 100644 selinux/virt.if
>>> create mode 100644 selinux/virt.te
>> I was expecting to see the /etc/selinux/targeted/contexts/ files
>> that belong to the virt policy included as well.
> Those are compiled from the whole policy and would not be created without
> the corresponding selinux-policy-* package.
AFAICT, these are not compiled at all, they're just static data files
in git:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appc...
They're referring to contexts that are defined in the virt.if policy,
so I'd expect the static data files to live with libvirt.git, so that
we can add to them at a later time if we modify virt.if
Oh, yes, correct. Those are basically config files.
Not sure how to handle the transfer though. It would be best to have a
period when the policy and all related files are in both
selinux-policy-* and libvirt-daemon-selinux packages, but that would
present a conflict for these files.
>>> diff --git a/selinux/virt.te b/selinux/virt.te
>>> new file mode 100644
>>> index 0000000000..59dedb8754
>>> --- /dev/null
>>> +++ b/selinux/virt.te
>>> @@ -0,0 +1,2086 @@
>>> +policy_module(virt, 1.5.0)
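Review bot: `policy_module(virt, 1.5.0)` reuses the module name of the `virt` module that the distribution's selinux-policy package already ships (the thread notes its context files live in fedora-selinux/selinux-policy), so installing this .pp will be treated by semodule as an update of that module rather than a new one; please document why version 1.5.0 was chosen relative to the distro module, and record in the spec or a comment how the handover between selinux-policy-* and libvirt-daemon-selinux is meant to be sequenced, since both packages providing the same files would conflict as discussed above.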
>> Is there some include file syntax we can use with this so
>> that we can split it up. I'm not asking you to split it,
>> but I'll later want to make it have one file for each daemon
>> and a few files for the common pieces, to make this easier
>> to manage.
> I'm not aware of any include syntax other than .if files. In theory you
> could use multiple interface files, each containing an interface covering a
> single daemon. All of those interfaces would then be "called" from
> virt.te.
>
> Other than that you'd need to have multiple policy modules in order to use
> multiple .te files.
Or probably easiest if we just pre-process the files ourselves to combine them
+1
Regards,
Daniel
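The "pre-process the files ourselves" approach agreed on above, as an added example that is not part of the thread or of libvirt's build: per-daemon `.te` fragments are concatenated under a single `policy_module()` header, since a loadable module source may declare that header only once. The fragment names and their contents are constructed for the illustration, and the merge function rejects a fragment that carries its own header so a stray copy cannot produce a module that fails to build.

```shell
#!/bin/sh
# Added example (not from the thread): merge per-daemon SELinux .te
# fragments into one virt.te under a single policy_module() header.
# Fragment names and contents are constructed for this illustration.
set -eu

# combine_te OUT HEADER FRAGMENT... : write OUT as HEADER followed by each
# fragment, separated by a banner naming the fragment. A fragment that
# declares its own policy_module() is an error, because the merged source
# must contain exactly one such declaration.
combine_te() {
    out=$1; shift
    header=$1; shift
    {
        printf '%s\n' "$header"
        for frag in "$@"; do
            if grep -q '^policy_module(' "$frag"; then
                echo "error: $frag carries its own policy_module() header" >&2
                return 1
            fi
            printf '\n######## %s ########\n' "$(basename "$frag")"
            cat "$frag"
        done
    } > "$out"
}

# count_policy_modules FILE : number of policy_module() declarations in FILE;
# the merged module source is only valid when this is exactly 1.
count_policy_modules() {
    grep -c '^policy_module(' "$1"
}

# Demo: constructed fragments in a scratch directory, one shared piece and
# one fragment per daemon, merged into virt.te.
demo_dir=$(mktemp -d)
cat > "$demo_dir/common.te" <<'EOF'
# shared declarations used by every daemon fragment (constructed)
attribute virt_domain;
EOF
cat > "$demo_dir/virtqemud.te" <<'EOF'
type virtqemud_t;
type virtqemud_exec_t;
init_daemon_domain(virtqemud_t, virtqemud_exec_t)
EOF
cat > "$demo_dir/virtstoraged.te" <<'EOF'
type virtstoraged_t;
type virtstoraged_exec_t;
init_daemon_domain(virtstoraged_t, virtstoraged_exec_t)
EOF

combine_te "$demo_dir/virt.te" 'policy_module(virt, 1.5.0)' \
    "$demo_dir/common.te" "$demo_dir/virtqemud.te" "$demo_dir/virtstoraged.te"
echo "wrote $demo_dir/virt.te with $(count_policy_modules "$demo_dir/virt.te") policy_module() header"
```

On a host with selinux-policy-devel installed, the merged `virt.te` (together with the page's `virt.if` and `virt.fc`) is then built the usual way with `make -f /usr/share/selinux/devel/Makefile virt.pp`; that Makefile path is the standard one on Fedora and RHEL and is assumed here rather than taken from the thread.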