On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
On Fri, Mar 03, 2023 at 03:47:23PM +0000, Daniel P. Berrangé wrote:
On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
I'm in no way a SELinux expert, but the idea of figuring out the runtime label for the process based on information found on the filesystem makes me uncomfortable. The idea of using some sort of text transformation to get from one to the other, even more so.
Using the label on the filesystem is precisely the right way to do this with SELinux. It is what the kernel does every time a binary is invokved, unless the caller has overriden the target type.
Since we know that we're launching passt and not some other random helper, why can't we simply use passt_t directly here? It feels like that would be less prone to issues caused by accidental (or intentional) misconfigurations.
That ties libvirt's code to a specific policy impl which is not a desirable thing. Same reason we don't hardcode svirt_t as a type for QEMU, but instead query it dynamically from the installed policy.
Do I understand correctly that this happens in virSecuritySELinuxQEMUInitialize(), by parsing the contents of the file located via a call to selinux_virtual_domain_context_path()?
Yes.
Poking around at the other files present in the same directory I see various formats being used, including... XML? It looks like SELinux implements facilities for exposing arbitrary information about the active policy at well-known locations, with (I assume) the explicit purpose of enabling this kind of interaction.
So wouldn't that be the way to go for passt, and other helpers too? Have SELinux expose a virtual_helpers_context file, that we can parse to figure out the appropriate labels to use for passt and friends?
No, I don't think so. The helpers file is a bit of a special case that was needed because there were multiple contexts we needed to cope with for running QEMU. I don't see any reason not to follow what the kernel already does by relying on the labelled file context. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|