On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> Sorry for the long delay. This is our first request to ship a policy for
> multiple selinux stores (targeted, mls and minimum).
>
> Changes:
> * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
> * Add Ghost files representing installed policy modules in all policy stores
> * Rewrite policy compilation script in python
> * Compile the policy module twice (1 version for targeted/minimum - with
>   enable_mcs, and 1 for mls - with enable_mls)
> * Manage policy (un)installation using triggers based on which policy
>   type is available
>
> The new policy was only tested in "targeted" mode so far and we'll need to
> make sure it works properly in "mls". As for "minimum", we know it will not
> work properly (as is the case of the current policy) by default (some
> other "contrib" policy modules need to be enabled).
> I'd argue there is no point trying to get it to work in "minimum",
> mostly because it (minimum) will be retired soon.
Running a build with this series causes a tonne of warning messages on the console:
[1310/1319] Generating virt.pp with a custom command
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61.
/usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80.
/usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98.
/usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117.
/usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136.
/usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155.
/usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176.
/usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197.
/usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218.
/usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238.
/usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256.
/usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275.
/usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295.
/usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314.
/usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332.
/usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368.
/usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386.
/usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405.
/usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430.
/usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449.
/usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467.
/usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485.
/usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549.
/usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original definition on 570.
/usr/share/selinux/devel/include/services/container.if:591: Error: duplicate definition of container_admin(). Original definition on 591.
/usr/share/selinux/devel/include/services/container.if:638: Error: duplicate definition of container_auth_domtrans(). Original definition on 638.
/usr/share/selinux/devel/include/services/container.if:657: Error: duplicate definition of container_auth_exec(). Original definition on 657.
/usr/share/selinux/devel/include/services/container.if:676: Error: duplicate definition of container_auth_stream_connect(). Original definition on 676.
/usr/share/selinux/devel/include/services/container.if:695: Error: duplicate definition of container_runtime_typebounds(). Original definition on 695.
/usr/share/selinux/devel/include/services/container.if:714: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 714.
/usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_exec_lib(). Original definition on 721.
/usr/share/selinux/devel/include/services/container.if:725: Error: duplicate definition of docker_read_share_files(). Original definition on 725.
/usr/share/selinux/devel/include/services/container.if:729: Error: duplicate definition of docker_exec_share_files(). Original definition on 729.
/usr/share/selinux/devel/include/services/container.if:733: Error: duplicate definition of docker_manage_lib_files(). Original definition on 733.
/usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 738.
/usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_lib_filetrans(). Original definition on 742.
/usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_read_pid_files(). Original definition on 746.
/usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_systemctl(). Original definition on 750.
/usr/share/selinux/devel/include/services/container.if:754: Error: duplicate definition of docker_use_ptys(). Original definition on 754.
/usr/share/selinux/devel/include/services/container.if:758: Error: duplicate definition of docker_stream_connect(). Original definition on 758.
/usr/share/selinux/devel/include/services/container.if:762: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 762.
/usr/share/selinux/devel/include/services/container.if:776: Error: duplicate definition of container_spc_read_state(). Original definition on 776.
/usr/share/selinux/devel/include/services/container.if:795: Error: duplicate definition of container_runtime_domain_template(). Original definition on 795.
/usr/share/selinux/devel/include/services/container.if:833: Error: duplicate definition of container_domain_template(). Original definition on 833.
/usr/share/selinux/devel/include/services/container.if:861: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 861.
../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
../selinux/virt.if:29: Error: duplicate definition of virt_stub_svirt_sandbox_domain(). Original definition on 29.
../selinux/virt.if:45: Error: duplicate definition of virt_stub_container_image(). Original definition on 45.
../selinux/virt.if:51: Error: duplicate definition of virt_stub_svirt_sandbox_file(). Original definition on 51.
../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69.
../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.
../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134.
../selinux/virt.if:248: Error: duplicate definition of virt_domtrans(). Original definition on 152.
../selinux/virt.if:266: Error: duplicate definition of virt_exec(). Original definition on 170.
../selinux/virt.if:286: Error: duplicate definition of virt_stream_connect(). Original definition on 205.
../selinux/virt.if:328: Error: duplicate definition of virt_stream_connect_svirt(). Original definition on 224.
../selinux/virt.if:348: Error: duplicate definition of virt_rw_stream_sockets_svirt(). Original definition on 244.
../selinux/virt.if:366: Error: duplicate definition of virt_attach_tun_iface(). Original definition on 262.
../selinux/virt.if:387: Error: duplicate definition of virt_attach_sandbox_tun_iface(). Original definition on 281.
../selinux/virt.if:406: Error: duplicate definition of virt_read_config(). Original definition on 300.
../selinux/virt.if:427: Error: duplicate definition of virt_manage_config(). Original definition on 321.
../selinux/virt.if:448: Error: duplicate definition of virt_getattr_content(). Original definition on 342.
../selinux/virt.if:466: Error: duplicate definition of virt_read_content(). Original definition on 360.
../selinux/virt.if:504: Error: duplicate definition of virt_write_content(). Original definition on 398.
../selinux/virt.if:522: Error: duplicate definition of virt_read_pid_symlinks(). Original definition on 416.
../selinux/virt.if:543: Error: duplicate definition of virt_read_pid_files(). Original definition on 435.
../selinux/virt.if:566: Error: duplicate definition of virt_manage_pid_dirs(). Original definition on 455.
../selinux/virt.if:590: Error: duplicate definition of virt_manage_pid_files(). Original definition on 477.
../selinux/virt.if:630: Error: duplicate definition of virt_pid_filetrans(). Original definition on 515.
../selinux/virt.if:650: Error: duplicate definition of virt_search_lib(). Original definition on 533.
../selinux/virt.if:669: Error: duplicate definition of virt_read_lib_files(). Original definition on 552.
../selinux/virt.if:690: Error: duplicate definition of virt_dontaudit_read_lib_files(). Original definition on 573.
../selinux/virt.if:709: Error: duplicate definition of virt_manage_lib_files(). Original definition on 592.
../selinux/virt.if:729: Error: duplicate definition of virt_read_log(). Original definition on 612.
../selinux/virt.if:749: Error: duplicate definition of virt_append_log(). Original definition on 632.
../selinux/virt.if:768: Error: duplicate definition of virt_manage_log(). Original definition on 651.
../selinux/virt.if:788: Error: duplicate definition of virt_getattr_images(). Original definition on 671.
../selinux/virt.if:807: Error: duplicate definition of virt_search_images(). Original definition on 690.
../selinux/virt.if:826: Error: duplicate definition of virt_read_images(). Original definition on 709.
../selinux/virt.if:863: Error: duplicate definition of virt_read_blk_images(). Original definition on 746.
../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files(). Original definition on 764.
../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache(). Original definition on 783.
../selinux/virt.if:921: Error: duplicate definition of virt_manage_images(). Original definition on 804.
../selinux/virt.if:946: Error: duplicate definition of virt_manage_default_image_type(). Original definition on 829.
../selinux/virt.if:986: Error: duplicate definition of virt_systemctl(). Original definition on 851.
../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace(). Original definition on 875.
../selinux/virt.if:1028: Error: duplicate definition of virt_exec_sandbox_files(). Original definition on 893.
../selinux/virt.if:1047: Error: duplicate definition of virt_sandbox_entrypoint(). Original definition on 912.
../selinux/virt.if:1064: Error: duplicate definition of virt_list_sandbox_dirs(). Original definition on 929.
../selinux/virt.if:1082: Error: duplicate definition of virt_read_sandbox_files(). Original definition on 947.
../selinux/virt.if:1102: Error: duplicate definition of virt_manage_sandbox_files(). Original definition on 967.
../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990.
../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008.
../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026.
../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044.
../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072.
../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106.
../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125.
../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143.
../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161.
../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179.
../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197.
../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215.
../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233.
../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253.
../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272.
../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291.
../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321.
../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). Original definition on 1340.
../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372.
../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390.
../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409.
../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427.
../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455.
../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480.
../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498.
../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516.
../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534.
../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552.
../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577.
../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622.
../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642.
../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678.
../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696.
../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716.
../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
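Reading the build output above, the two interface files fail in different ways: every container.if duplicate reports its original definition on the very same line as itself, while the virt.if duplicates start out aligned (the virt_stub_* interfaces) and then drift apart (virt_image at 206 versus 112, and everything after it). The first pattern is what you get when identical content is processed twice; the second is what you get when two different versions of the same interface file are both on the include path. The script below is an added example for this page, not code from the patch series, from libvirt or from selinux-policy: it scans refpolicy-style interface(`name',`...') declarations in the order a build would read them, reports repeats in the same message format as the build, and classifies each duplicated file by which of the two patterns it shows. The file paths, sample interfaces and processing order are constructed assumptions for illustration.

```python
"""Find interface/template names declared more than once across the .if files a
refpolicy-style module build reads, and classify each duplicated file.

Added example, not code from the patch series, libvirt or selinux-policy. The
.if fragments below are constructed samples chosen to reproduce the two patterns
in the build output: duplicates that always land on their original's line
(identical content read twice) and duplicates that drift (two diverging copies).
"""
import re
from collections import defaultdict

# refpolicy declares an interface or template as:  interface(`name',`  ...  ')
_DEF_RE = re.compile(r"^\s*(interface|template)\(\s*`([A-Za-z_][A-Za-z0-9_]*)'")


def find_defs(text):
    """Return [(kind, name, lineno)] for every interface/template declared in text."""
    defs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _DEF_RE.match(line)
        if m:
            defs.append((m.group(1), m.group(2), lineno))
    return defs


def find_duplicates(sources):
    """sources: [(path, text)] in the order the build processes them.

    Returns [(path, lineno, name, orig_lineno)] for each declaration that repeats
    a name already seen, i.e. exactly what the build reports as
    'duplicate definition of X(). Original definition on N.'
    """
    first_seen = {}
    dups = []
    for path, text in sources:
        for _kind, name, lineno in find_defs(text):
            if name in first_seen:
                dups.append((path, lineno, name, first_seen[name]))
            else:
                first_seen[name] = lineno
    return dups


def format_errors(dups):
    """Render duplicates in the same shape as the build output."""
    return [
        f"{path}:{lineno}: Error: duplicate definition of {name}(). Original definition on {orig}."
        for path, lineno, name, orig in dups
    ]


def classify_by_file(dups):
    """Per duplicated file: 'identical-copies' when every duplicate sits on the same
    line as its original (same content read twice), otherwise 'divergent-copies'
    (two different versions of the interface file are both on the include path)."""
    same_line = defaultdict(list)
    for path, lineno, _name, orig in dups:
        same_line[path].append(lineno == orig)
    return {p: "identical-copies" if all(v) else "divergent-copies" for p, v in same_line.items()}


# Constructed sample inputs (not real policy files).
SYSTEM_CONTAINER_IF = """\
## <summary>Container runtime interfaces (constructed sample).</summary>
interface(`container_runtime_domtrans',`
    domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
')

interface(`container_runtime_run',`
    container_runtime_domtrans($1)
    role $2 types container_runtime_t;
')
"""

SYSTEM_VIRT_IF = """\
## <summary>virt.if as shipped in the devel include tree (constructed sample).</summary>
interface(`virt_stub_lxc',`
    gen_require(` type lxc_t; ')
')

interface(`virt_domtrans',`
    domtrans_pattern($1, virtd_exec_t, virtd_t)
')
"""

LOCAL_VIRT_IF = """\
## <summary>The module's own virt.if: same start, then extra content (constructed sample).</summary>
interface(`virt_stub_lxc',`
    gen_require(` type lxc_t; ')
')

## <summary>Only the local copy defines this; everything below it shifts down.</summary>
interface(`virt_stub_container_image',`
    gen_require(` type container_image_t; ')
')

interface(`virt_domtrans',`
    domtrans_pattern($1, virtd_exec_t, virtd_t)
')
"""

# Assumed processing order: the devel container.if is pulled in twice, and the
# devel virt.if is followed by the module's own virt.if.
BUILD_ORDER = [
    ("/usr/share/selinux/devel/include/services/container.if", SYSTEM_CONTAINER_IF),
    ("/usr/share/selinux/devel/include/services/container.if", SYSTEM_CONTAINER_IF),
    ("/usr/share/selinux/devel/include/services/virt.if", SYSTEM_VIRT_IF),
    ("../selinux/virt.if", LOCAL_VIRT_IF),
]

if __name__ == "__main__":
    found = find_duplicates(BUILD_ORDER)
    print("\n".join(format_errors(found)))
    for path, verdict in classify_by_file(found).items():
        print(f"{path}: {verdict}")
```

To run it against a real tree, replace BUILD_ORDER with the (path, contents) pairs for the module's own .if files plus every .if under /usr/share/selinux/devel/include, in the order the Makefile feeds them to m4; a file classified as identical-copies is listed twice on the include path, while a divergent-copies verdict means the module ships a version of an interface file that the installed policy already provides.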