On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 03:47:23PM +0000, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
> > > I'm in no way a SELinux expert, but the idea of figuring out the
> > > runtime label for the process based on information found on the
> > > filesystem makes me uncomfortable. The idea of using some sort of
> > > text transformation to get from one to the other, even more so.
> >
> > Using the label on the filesystem is precisely the right way to
> > do this with SELinux. It is what the kernel does every time a
> > binary is invoked, unless the caller has overridden the target
> > type.
> >
> > > Since we know that we're launching passt and not some other random
> > > helper, why can't we simply use passt_t directly here? It feels like
> > > that would be less prone to issues caused by accidental (or
> > > intentional) misconfigurations.
> >
> > That ties libvirt's code to a specific policy impl which is
> > not a desirable thing. Same reason we don't hardcode svirt_t
> > as a type for QEMU, but instead query it dynamically from
> > the installed policy.
>
> Do I understand correctly that this happens in
> virSecuritySELinuxQEMUInitialize(), by parsing the contents of the
> file located via a call to selinux_virtual_domain_context_path()?
Yes.
> Poking around at the other files present in the same directory I see
> various formats being used, including... XML? It looks like SELinux
> implements facilities for exposing arbitrary information about the
> active policy at well-known locations, with (I assume) the explicit
> purpose of enabling this kind of interaction.
>
> So wouldn't that be the way to go for passt, and other helpers too?
> Have SELinux expose a virtual_helpers_context file, that we can parse
> to figure out the appropriate labels to use for passt and friends?
No, I don't think so. The helpers file is a bit of a special case
that was needed because there were multiple contexts we needed to
cope with for running QEMU.
I don't see any reason not to follow what the kernel already does
by relying on the labelled file context.
With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
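The two approaches discussed in the thread, as an added example that is not part of the thread and not libvirt's own code. parse_virtual_domain_context() mirrors what Daniel confirms virSecuritySELinuxQEMUInitialize() does with the file found via selinux_virtual_domain_context_path(): first line is the domain context, an optional second line the alternate domain context (the "more than two lines is an error" check is this example's choice, not something the thread states). compute_exec_context() does what Daniel describes the kernel doing on exec: it takes the caller's context and the label on the binary and asks the loaded policy, via libselinux's security_compute_create() for class "process", which context the new process gets, so the policy's transition rules decide and no type name such as passt_t is hard-coded. The libselinux calls are made through ctypes and the function returns None on a host without libselinux or with SELinux disabled; the sample file contents used below are constructed, not copied from a real host.

```python
"""Two ways to learn the SELinux context a helper such as passt should run in:
read libvirt's virtual_domain context file, or compute the exec transition
from the binary's file label the way the kernel does.  Example code only.
"""
import ctypes
import ctypes.util
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SELinuxContext:
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range, e.g. "s0" or "s0:c10,c20"; absent on non-MLS policies

    @classmethod
    def parse(cls, text: str) -> "SELinuxContext":
        # maxsplit=3 because an MCS range may itself contain ':' (s0:c10,c20)
        parts = text.strip().split(":", 3)
        if len(parts) < 3 or any(p == "" for p in parts[:3]):
            raise ValueError(f"malformed SELinux context: {text!r}")
        return cls(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

    def __str__(self) -> str:
        fields = [self.user, self.role, self.type]
        if self.level is not None:
            fields.append(self.level)
        return ":".join(fields)


def parse_virtual_domain_context(contents: str) -> Tuple[SELinuxContext, Optional[SELinuxContext]]:
    """Return (domain_context, alt_domain_context) from the virtual_domain file.

    Format: one context per line.  The first line is the domain context, an
    optional second line the alternate one.  Extra lines are rejected here
    (this example's choice) so a mis-edited policy file is noticed.
    """
    lines = [ln.strip() for ln in contents.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("virtual_domain context file is empty")
    if len(lines) > 2:
        raise ValueError("virtual_domain context file has more than two contexts")
    domain = SELinuxContext.parse(lines[0])
    alt = SELinuxContext.parse(lines[1]) if len(lines) == 2 else None
    return domain, alt


def compute_exec_context(binary_path: str) -> Optional[SELinuxContext]:
    """Ask the loaded policy which context exec'ing binary_path would yield.

    Equivalent to what the kernel does on execve: source = caller's context,
    target = the file's label, class = process.  Returns None when libselinux
    is not present or SELinux is disabled.
    """
    lib_path = ctypes.util.find_library("selinux")
    if lib_path is None:
        return None
    lib = ctypes.CDLL(lib_path)
    if lib.is_selinux_enabled() <= 0:
        return None

    # Output contexts are received as raw pointers so they can be handed back
    # to freecon() after copying; declaring them c_char_p would lose the pointer.
    lib.getcon.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    lib.getfilecon.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_void_p)]
    lib.string_to_security_class.argtypes = [ctypes.c_char_p]
    lib.string_to_security_class.restype = ctypes.c_uint16  # security_class_t
    lib.security_compute_create.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                            ctypes.c_uint16, ctypes.POINTER(ctypes.c_void_p)]
    lib.freecon.argtypes = [ctypes.c_void_p]

    scon, tcon, newcon = ctypes.c_void_p(), ctypes.c_void_p(), ctypes.c_void_p()
    try:
        if lib.getcon(ctypes.byref(scon)) != 0:
            return None
        if lib.getfilecon(binary_path.encode(), ctypes.byref(tcon)) < 0:
            return None  # file missing or unlabelled: no transition can be computed
        tclass = lib.string_to_security_class(b"process")
        if tclass == 0:
            return None
        rc = lib.security_compute_create(ctypes.string_at(scon), ctypes.string_at(tcon),
                                         tclass, ctypes.byref(newcon))
        if rc != 0:
            return None
        return SELinuxContext.parse(ctypes.string_at(newcon).decode())
    finally:
        for p in (scon, tcon, newcon):
            if p.value:
                lib.freecon(p)
```

On an SELinux host, compare the result of compute_exec_context("/usr/bin/passt") with the caller's own context: if the type is unchanged, the policy has no transition for that file label and the helper would simply inherit the caller's domain, which is the misconfiguration case Andrea worried about and the thing a caller of this approach should check for before launching the helper.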