Re: [libvirt PATCH 01/13] security: add SELinux policy for virt

2021-08-26 Thread Vit Mojzis



On 20. 08. 21 13:33, Daniel P. Berrangé wrote:

On Thu, Aug 19, 2021 at 05:23:48PM +0200, Vit Mojzis wrote:

On 10. 08. 21 18:35, Daniel P. Berrangé wrote:

On Tue, Aug 10, 2021 at 10:39:23AM +0200, Pavel Hrdina wrote:

On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:

From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet,
because I wasn't able to reproduce AVC messages. These drivers
run in unconfined_domain until the AVC messages are reproduced
internally and policy for these drivers is made.

Signed-off-by: Nikola Knazekova 
---
   src/security/selinux/virt.fc |  111 ++
   src/security/selinux/virt.if | 1984 
   src/security/selinux/virt.te | 2078 ++
   3 files changed, 4173 insertions(+)
   create mode 100644 src/security/selinux/virt.fc
   create mode 100644 src/security/selinux/virt.if
   create mode 100644 src/security/selinux/virt.te

diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 00..554e1094d9
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)?   
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)

These two don't look like libvirt selinux bits, more like virt-manager
or some other tool.

Rationale is largely lost in the mists of time to be honest. $HOME/VirtualMachines
does make sense for desktop virt use case I think, while the below rules make
sense as a direct translation of libvirt's system paths.

I think it's ok to have both really


+HOME_DIR/\.local/share/libvirt/images(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)?  
gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)?   
gen_context(system_u:object_r:virt_var_lockd_t,s0)
+/var/lib/libvirt/qemu(/.*)?
gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+
+/var/log/log(/.*)? 
gen_context(system_u:object_r:virt_log_t,s0)
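Review bot: the `/var/lib/libvirt/qemu(/.*)?` entry just above labels persistent state under /var/lib with a runtime type, qemu_var_run_t, and is the only entry in the /var/lib block carrying an MLS range (s0-mls_systemhigh) while its siblings (/var/lib/libvirt/images, boot, isos, lockd) get plain s0. If the shared runtime type and the range are deliberate, a comment on the entry saying so would stop the next reviewer asking the same question; otherwise the directory wants a dedicated type consistent with the rest of the /var/lib block.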

Based on commit from selinux-policy 63ead48cf8 this seems vdsm related.
I don't think that we use this directory in libvirt.

Yeah, that's dubious.

Good point, we'll move it out of virt policy.

+/var/log/libvirt(/.*)? 
gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirtd\.pid --  
gen_context(system_u:object_r:virt_var_run_t,s0)
+# Avoid calling m4's "interface" by using en empty string
+/var/run/libvirt/interfac(e)(/.*)? 
gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/nodedev(/.*)? 
gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/nwfilter(/.*)?
gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/secrets(/.*)? 
gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+
+/var/run/virtlogd\.pid --  
gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/virtlxcd\.pid --  
gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/virtqemud\.pid--  
gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/virtvboxd\.pid--  
gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+/var/run/virtproxyd\.pid   --  
gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
+/v
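An added example, not part of the thread and not code from the libvirt patch or its authors: a small Python linter that parses entries in the layout virt.fc uses (path regex, optional file-type flag, gen_context(user:role:type,range)) and applies the consistency rules the reviewers above are checking by hand: a path should be libvirt-related, /usr/sbin/<name> should be labelled <name>_exec_t, /var/run/<name>.pid should be labelled <name>_var_run_t, and persistent state under /var/lib should not carry a *_var_run_t type. Those four rules are this example's own conventions, not reference-policy rules; the sample lines are a constructed subset copied from the hunk above (with the m4 comment reworded), and HOME_DIR is left unexpanded.

```python
"""Consistency linter for SELinux file-context (.fc) entries.

Added example: parses lines in the layout used by virt.fc and flags the kinds
of labelling inconsistencies raised in the review thread.  The rules are this
example's own conventions, not reference-policy rules.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of entries copied from the virt.fc hunk above.
# The comment line is reworded from the original to describe the (e) trick.
SAMPLE_FC = r"""HOME_DIR/\.libvirt(/.*)?            gen_context(system_u:object_r:virt_home_t,s0)
/etc/libvirt                        -d  gen_context(system_u:object_r:virt_etc_t,s0)
/usr/sbin/virtlockd                 --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/sbin/virtlogd                  --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/sbin/virtqemud                 --  gen_context(system_u:object_r:virtqemud_exec_t,s0)
/var/lib/libvirt/qemu(/.*)?         gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
/var/log/log(/.*)?                  gen_context(system_u:object_r:virt_log_t,s0)
# "interfac(e)" keeps m4 from expanding the word "interface" as a macro
/var/run/libvirt/interfac(e)(/.*)?  gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
/var/run/virtqemud\.pid             --  gen_context(system_u:object_r:virtqemud_var_run_t,s0)
/var/run/virtlxcd\.pid              --  gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
"""

# One .fc line: <path regex> [<file-type flag>] gen_context(<user>:<role>:<type>,<range>)
FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"gen_context\((?P<user>\w+):(?P<role>\w+):(?P<type>\w+),(?P<mls>[^)]+)\)\s*$"
)


@dataclass
class FcEntry:
    path: str             # path regex as written (HOME_DIR left unexpanded)
    ftype: Optional[str]  # '--' regular file, '-d' directory, ..., None = any
    setype: str           # SELinux type from gen_context
    mls: str              # MLS/MCS range, e.g. 's0' or 's0-mls_systemhigh'
    lineno: int


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc text; blank and '#' lines are skipped, malformed lines raise."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a file-context entry: {raw!r}")
        entries.append(FcEntry(m["path"], m["ftype"], m["type"], m["mls"], lineno))
    return entries


def _leaf_name(path_re: str) -> str:
    """Last path component without a trailing (/.*)? or \\.pid and without
    regex escapes, e.g. '/var/run/virtlxcd\\.pid' -> 'virtlxcd'."""
    path_re = re.sub(r"\(/\.\*\)\?$", "", path_re)  # drop trailing (/.*)?
    leaf = path_re.rsplit("/", 1)[-1]
    leaf = re.sub(r"\\\.pid$", "", leaf)             # drop trailing \.pid
    return leaf.replace("\\", "")


def lint_fc(entries: List[FcEntry]) -> List[Tuple[int, str]]:
    """Return (lineno, message) for every entry that trips one of the rules."""
    findings = []
    for e in entries:
        leaf = _leaf_name(e.path)
        # 1. Scope: a libvirt policy should only label virt-related paths
        #    (catches stray entries such as /var/log/log).
        if "virt" not in e.path.lower():
            findings.append((e.lineno, f"{e.path}: path is not libvirt-related"))
        # 2. Daemon binaries: /usr/sbin/<name> should be labelled <name>_exec_t.
        if e.path.startswith("/usr/sbin/") and e.ftype == "--":
            if not e.setype.endswith("_exec_t"):
                findings.append((e.lineno, f"{e.path}: executable not labelled *_exec_t"))
            elif e.setype != f"{leaf}_exec_t":
                findings.append((e.lineno, f"{e.path}: labelled {e.setype}, expected {leaf}_exec_t"))
        # 3. PID files: /var/run/<name>.pid should be labelled <name>_var_run_t.
        if e.path.endswith("\\.pid") and e.setype != f"{leaf}_var_run_t":
            findings.append((e.lineno, f"{e.path}: labelled {e.setype}, expected {leaf}_var_run_t"))
        # 4. Persistent state under /var/lib should not carry a runtime type.
        if e.path.startswith("/var/lib/") and e.setype.endswith("_var_run_t"):
            findings.append((e.lineno, f"{e.path}: /var/lib path labelled runtime type {e.setype}"))
    return findings


def main() -> None:
    for lineno, msg in lint_fc(parse_fc(SAMPLE_FC)):
        print(f"line {lineno}: {msg}")


if __name__ == "__main__":
    main()
```

On the constructed sample it reports the virtlockd entry labelled virtlogd_exec_t, the qemu_var_run_t label under /var/lib, the stray /var/log/log entry and the virt_lxc_var_run_t pid file; pointing SAMPLE_FC at a real file-contexts file applies the same rules there.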

Re: [libvirt PATCH 01/13] security: add SELinux policy for virt

2021-08-20 Thread Daniel P. Berrangé
On Thu, Aug 19, 2021 at 05:23:48PM +0200, Vit Mojzis wrote:
> 
> On 10. 08. 21 18:35, Daniel P. Berrangé wrote:
> > On Tue, Aug 10, 2021 at 10:39:23AM +0200, Pavel Hrdina wrote:
> > > On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:
> > > > From: Nikola Knazekova 
> > > > 
> > > > SELinux policy was created for:
> > > > 
> > > > Hypervisor drivers:
> > > > - virtqemud (QEMU/KVM)
> > > > - virtlxcd (LXC)
> > > > - virtvboxd (VirtualBox)
> > > > 
> > > > Secondary drivers:
> > > > - virtstoraged (host storage mgmt)
> > > > - virtnetworkd (virtual network mgmt)
> > > > - virtinterface (network interface mgmt)
> > > > - virtnodedevd (physical device mgmt)
> > > > - virtsecretd (security credential mgmt)
> > > > - virtnwfilterd (ip[6]tables/ebtables mgmt)
> > > > - virtproxyd (proxy daemon)
> > > > 
> > > > SELinux policy for virtvxz and virtxend has not been created yet,
> > > > because I wasn't able to reproduce AVC messages. These drivers
> > > > run in unconfined_domain until the AVC messages are reproduced
> > > > internally and policy for these drivers is made.
> > > > 
> > > > Signed-off-by: Nikola Knazekova 
> > > > ---
> > > >   src/security/selinux/virt.fc |  111 ++
> > > >   src/security/selinux/virt.if | 1984 
> > > >   src/security/selinux/virt.te | 2078 ++
> > > >   3 files changed, 4173 insertions(+)
> > > >   create mode 100644 src/security/selinux/virt.fc
> > > >   create mode 100644 src/security/selinux/virt.if
> > > >   create mode 100644 src/security/selinux/virt.te
> > > > 
> > > > diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
> > > > new file mode 100644
> > > > index 00..554e1094d9
> > > > --- /dev/null
> > > > +++ b/src/security/selinux/virt.fc
> > > > @@ -0,0 +1,111 @@
> > > > +HOME_DIR/\.libvirt(/.*)?   
> > > > gen_context(system_u:object_r:virt_home_t,s0)
> > > > +HOME_DIR/\.libvirt/qemu(/.*)?  
> > > > gen_context(system_u:object_r:svirt_home_t,s0)
> > > > +HOME_DIR/\.cache/libvirt(/.*)? 
> > > > gen_context(system_u:object_r:virt_home_t,s0)
> > > > +HOME_DIR/\.cache/libvirt/qemu(/.*)?
> > > > gen_context(system_u:object_r:svirt_home_t,s0)
> > > > +HOME_DIR/\.config/libvirt(/.*)?
> > > > gen_context(system_u:object_r:virt_home_t,s0)
> > > > +HOME_DIR/\.config/libvirt/qemu(/.*)?   
> > > > gen_context(system_u:object_r:svirt_home_t,s0)
> > > > +HOME_DIR/VirtualMachines(/.*)? 
> > > > gen_context(system_u:object_r:virt_home_t,s0)
> > > > +HOME_DIR/VirtualMachines/isos(/.*)?
> > > > gen_context(system_u:object_r:virt_content_t,s0)
> > > These two don't look like libvirt selinux bits, more like virt-manager
> > > or some other tool.
> > Rationale is largely lost in the mists of time to be honest.
> > $HOME/VirtualMachines does make sense for desktop virt use case I think,
> > while the below rules make sense as a direct translation of libvirt's
> > system paths.
> > 
> > I think it's ok to have both really
> > 
> > > > +HOME_DIR/\.local/share/libvirt/images(/.*)?
> > > > gen_context(system_u:object_r:svirt_home_t,s0)
> > > > +HOME_DIR/\.local/share/libvirt/boot(/.*)?  
> > > > gen_context(system_u:object_r:svirt_home_t,s0)
> > > > +/var/lib/libvirt(/.*)? 
> > > > gen_context(system_u:object_r:virt_var_lib_t,s0)
> > > > +/var/lib/libvirt/boot(/.*)?
> > > > gen_context(system_u:object_r:virt_content_t,s0)
> > > > +/var/lib/libvirt/images(/.*)?  
> > > > gen_context(system_u:object_r:virt_image_t,s0)
> > > > +/var/lib/libvirt/isos(/.*)?
> > > > gen_context(system_u:object_r:virt_content_t,s0)
> > > > +/var/lib/libvirt/lockd(/.*)?   
> > > > gen_context(system_u:object_r:virt_var_lockd_t,s0)
> > > > +/var/lib/libvirt/qemu(/.*)?
> > > > gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
> > > > +
> > > > +/var/log/log(/.*)? 
> > > > gen_context(system_u:object_r:virt_log_t,s0)
> > > Based on commit from selinux-policy 63ead48cf8 this seems vdsm related.
> > > I don't think that we use this directory in libvirt.
> > Yeah, that's dubious.
> Good point, we'll move it out of virt policy.
> > 
> > > > +/var/log/libvirt(/.*)? 
> > > > gen_context(system_u:object_r:virt_log_t,s0)
> > > > +/var/run/libvirtd\.pid --  
> > > > gen_context(system_u:object_r:virt_var_run_t,s0)
> > > > +# Avoid calling m4's "interface" by using en empty string
> > > > +/var/run/libvirt/interfac(e)(/.*)? 
> > > > gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
> > > > +/var/run/libvirt/nodedev(/.*)? 
> > > > gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
> > > > +/var/run/libvirt/nwfilter(/.*)?
> > > > gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
> > > > +/var/run/libvirt/secrets(/.*)? 
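Review bot: the comment on the `/var/run/libvirt/interfac(e)(/.*)?` entry above does not describe what the line does: the word "interface" is split with a parenthesised group `(e)` so that m4 does not expand it as a macro, not replaced by an empty string, and "en" should read "an". Suggest rewording it to something like `# Split "interface" with a group so m4 does not expand it as a macro`.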

Re: [libvirt PATCH 01/13] security: add SELinux policy for virt

2021-08-19 Thread Vit Mojzis



On 10. 08. 21 18:35, Daniel P. Berrangé wrote:

On Tue, Aug 10, 2021 at 10:39:23AM +0200, Pavel Hrdina wrote:

On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:

From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet,
because I wasn't able to reproduce AVC messages. These drivers
run in unconfined_domain until the AVC messages are reproduced
internally and policy for these drivers is made.

Signed-off-by: Nikola Knazekova 
---
  src/security/selinux/virt.fc |  111 ++
  src/security/selinux/virt.if | 1984 
  src/security/selinux/virt.te | 2078 ++
  3 files changed, 4173 insertions(+)
  create mode 100644 src/security/selinux/virt.fc
  create mode 100644 src/security/selinux/virt.if
  create mode 100644 src/security/selinux/virt.te

diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 00..554e1094d9
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)?   
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)

These two don't look like libvirt selinux bits, more like virt-manager
or some other tool.

Rationale is largely lost in the mists of time to be honest. $HOME/VirtualMachines
does make sense for desktop virt use case I think, while the below rules make
sense as a direct translation of libvirt's system paths.

I think it's ok to have both really


+HOME_DIR/\.local/share/libvirt/images(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)?  
gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)?   
gen_context(system_u:object_r:virt_var_lockd_t,s0)
+/var/lib/libvirt/qemu(/.*)?
gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+
+/var/log/log(/.*)? 
gen_context(system_u:object_r:virt_log_t,s0)

Based on commit from selinux-policy 63ead48cf8 this seems vdsm related.
I don't think that we use this directory in libvirt.

Yeah, that's dubious.

Good point, we'll move it out of virt policy.



+/var/log/libvirt(/.*)? 
gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirtd\.pid --  
gen_context(system_u:object_r:virt_var_run_t,s0)
+# Avoid calling m4's "interface" by using en empty string
+/var/run/libvirt/interfac(e)(/.*)? 
gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/nodedev(/.*)? 
gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/nwfilter(/.*)?
gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/secrets(/.*)? 
gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+
+/var/run/virtlogd\.pid --  
gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/virtlxcd\.pid --  
gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/virtqemud\.pid--  
gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/virtvboxd\.pid--  
gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+/var/run/virtproxyd\.pid   --  
gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
+/var/run/virtinterfaced\.pid   --  
gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run
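Review bot: the runtime types for the per-driver pid files are named inconsistently: `/var/run/virtlxcd\.pid` gets virt_lxc_var_run_t while the neighbouring entries follow the daemon-name pattern (virtqemud_var_run_t, virtvboxd_var_run_t, virtproxyd_var_run_t, virtinterfaced_var_run_t). Either rename it virtlxcd_var_run_t or add a comment explaining why the LXC driver keeps the different name, since anyone writing a local fcontext override or a matching .if interface will guess the pattern and get it wrong.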

Re: [libvirt PATCH 01/13] security: add SELinux policy for virt

2021-08-10 Thread Daniel P. Berrangé
On Tue, Aug 10, 2021 at 10:39:23AM +0200, Pavel Hrdina wrote:
> On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:
> > From: Nikola Knazekova 
> > 
> > SELinux policy was created for:
> > 
> > Hypervisor drivers:
> > - virtqemud (QEMU/KVM)
> > - virtlxcd (LXC)
> > - virtvboxd (VirtualBox)
> > 
> > Secondary drivers:
> > - virtstoraged (host storage mgmt)
> > - virtnetworkd (virtual network mgmt)
> > - virtinterface (network interface mgmt)
> > - virtnodedevd (physical device mgmt)
> > - virtsecretd (security credential mgmt)
> > - virtnwfilterd (ip[6]tables/ebtables mgmt)
> > - virtproxyd (proxy daemon)
> > 
> > SELinux policy for virtvxz and virtxend has not been created yet,
> > because I wasn't able to reproduce AVC messages. These drivers
> > run in unconfined_domain until the AVC messages are reproduced
> > internally and policy for these drivers is made.
> > 
> > Signed-off-by: Nikola Knazekova 
> > ---
> >  src/security/selinux/virt.fc |  111 ++
> >  src/security/selinux/virt.if | 1984 
> >  src/security/selinux/virt.te | 2078 ++
> >  3 files changed, 4173 insertions(+)
> >  create mode 100644 src/security/selinux/virt.fc
> >  create mode 100644 src/security/selinux/virt.if
> >  create mode 100644 src/security/selinux/virt.te
> >
> > diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
> > new file mode 100644
> > index 00..554e1094d9
> > --- /dev/null
> > +++ b/src/security/selinux/virt.fc
> > @@ -0,0 +1,111 @@
> > +HOME_DIR/\.libvirt(/.*)?   
> > gen_context(system_u:object_r:virt_home_t,s0)
> > +HOME_DIR/\.libvirt/qemu(/.*)?  
> > gen_context(system_u:object_r:svirt_home_t,s0)
> > +HOME_DIR/\.cache/libvirt(/.*)? 
> > gen_context(system_u:object_r:virt_home_t,s0)
> > +HOME_DIR/\.cache/libvirt/qemu(/.*)?
> > gen_context(system_u:object_r:svirt_home_t,s0)
> > +HOME_DIR/\.config/libvirt(/.*)?
> > gen_context(system_u:object_r:virt_home_t,s0)
> > +HOME_DIR/\.config/libvirt/qemu(/.*)?   
> > gen_context(system_u:object_r:svirt_home_t,s0)
> > +HOME_DIR/VirtualMachines(/.*)? 
> > gen_context(system_u:object_r:virt_home_t,s0)
> > +HOME_DIR/VirtualMachines/isos(/.*)?
> > gen_context(system_u:object_r:virt_content_t,s0)
> 
> These two don't look like libvirt selinux bits, more like virt-manager
> or some other tool.

Rationale is largely lost in the mists of time to be honest. $HOME/VirtualMachines
does make sense for desktop virt use case I think, while the below rules make
sense as a direct translation of libvirt's system paths.

I think it's ok to have both really

> > +HOME_DIR/\.local/share/libvirt/images(/.*)?
> > gen_context(system_u:object_r:svirt_home_t,s0)
> > +HOME_DIR/\.local/share/libvirt/boot(/.*)?  
> > gen_context(system_u:object_r:svirt_home_t,s0)

> > +/var/lib/libvirt(/.*)? 
> > gen_context(system_u:object_r:virt_var_lib_t,s0)
> > +/var/lib/libvirt/boot(/.*)?
> > gen_context(system_u:object_r:virt_content_t,s0)
> > +/var/lib/libvirt/images(/.*)?  
> > gen_context(system_u:object_r:virt_image_t,s0)
> > +/var/lib/libvirt/isos(/.*)?
> > gen_context(system_u:object_r:virt_content_t,s0)
> > +/var/lib/libvirt/lockd(/.*)?   
> > gen_context(system_u:object_r:virt_var_lockd_t,s0)
> > +/var/lib/libvirt/qemu(/.*)?
> > gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
> > +
> > +/var/log/log(/.*)? 
> > gen_context(system_u:object_r:virt_log_t,s0)
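Review bot: `HOME_DIR/\.local/share/libvirt/boot(/.*)?` above is labelled svirt_home_t, the same type as the images directory next to it, whereas the system equivalents in this region distinguish `/var/lib/libvirt/boot(/.*)?` (virt_content_t) from `/var/lib/libvirt/images(/.*)?` (virt_image_t). The home-directory entries collapse that distinction; either the session-mode boot directory needs a content-style counterpart, or a comment should say why the two are treated alike under the user's home.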
> 
> Based on commit from selinux-policy 63ead48cf8 this seems vdsm related.
> I don't think that we use this directory in libvirt.

Yeah, that's dubious.

> 
> > +/var/log/libvirt(/.*)? 
> > gen_context(system_u:object_r:virt_log_t,s0)
> > +/var/run/libvirtd\.pid --  
> > gen_context(system_u:object_r:virt_var_run_t,s0)
> > +# Avoid calling m4's "interface" by using en empty string
> > +/var/run/libvirt/interfac(e)(/.*)? 
> > gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
> > +/var/run/libvirt/nodedev(/.*)? 
> > gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
> > +/var/run/libvirt/nwfilter(/.*)?
> > gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
> > +/var/run/libvirt/secrets(/.*)? 
> > gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
> > +/var/run/libvirt/storage(/.*)? 
> > gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
> > +
> > +/var/run/virtlogd\.pid --  
> > gen_context(system_u:object_r:virtlogd_var_run_t,s0)
> > +/var/run/virtlxcd\.pid --  
> > gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
> > +/var/run/virtqemud\.pid--  
> > gen_context(system_u:object_r:virtqemud_var_run_t,s

Re: [libvirt PATCH 01/13] security: add SELinux policy for virt

2021-08-10 Thread Pavel Hrdina
On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:
> From: Nikola Knazekova 
> 
> SELinux policy was created for:
> 
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
> 
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterface (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
> 
> SELinux policy for virtvxz and virtxend has not been created yet,
> because I wasn't able to reproduce AVC messages. These drivers
> run in unconfined_domain until the AVC messages are reproduced
> internally and policy for these drivers is made.
> 
> Signed-off-by: Nikola Knazekova 
> ---
>  src/security/selinux/virt.fc |  111 ++
>  src/security/selinux/virt.if | 1984 
>  src/security/selinux/virt.te | 2078 ++
>  3 files changed, 4173 insertions(+)
>  create mode 100644 src/security/selinux/virt.fc
>  create mode 100644 src/security/selinux/virt.if
>  create mode 100644 src/security/selinux/virt.te
>
> diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
> new file mode 100644
> index 00..554e1094d9
> --- /dev/null
> +++ b/src/security/selinux/virt.fc
> @@ -0,0 +1,111 @@
> +HOME_DIR/\.libvirt(/.*)? 
> gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/\.libvirt/qemu(/.*)?
> gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/\.cache/libvirt(/.*)?   
> gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/\.cache/libvirt/qemu(/.*)?  
> gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/\.config/libvirt(/.*)?  
> gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/\.config/libvirt/qemu(/.*)? 
> gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/VirtualMachines(/.*)?   
> gen_context(system_u:object_r:virt_home_t,s0)
> +HOME_DIR/VirtualMachines/isos(/.*)?  
> gen_context(system_u:object_r:virt_content_t,s0)

These two don't look like libvirt selinux bits, more like virt-manager
or some other tool.

> +HOME_DIR/\.local/share/libvirt/images(/.*)?  
> gen_context(system_u:object_r:svirt_home_t,s0)
> +HOME_DIR/\.local/share/libvirt/boot(/.*)?
> gen_context(system_u:object_r:svirt_home_t,s0)
> +
> +/etc/libvirt -d  
> gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/libvirt/virtlogd\.conf  --  
> gen_context(system_u:object_r:virtlogd_etc_t,s0)
> +/etc/libvirt/[^/]*   --  
> gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/libvirt/[^/]*   -d  
> gen_context(system_u:object_r:virt_etc_rw_t,s0)
> +/etc/libvirt/.*/.*   
> gen_context(system_u:object_r:virt_etc_rw_t,s0)
> +/etc/rc\.d/init\.d/libvirtd  --  
> gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/virtlogd  --  
> gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
> +
> +/usr/libexec/libvirt_lxc --  
> gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
> +
> +/usr/sbin/libvirtd   --  
> gen_context(system_u:object_r:virtd_exec_t,s0)
> +/usr/sbin/virtlockd  --  
> gen_context(system_u:object_r:virtlogd_exec_t,s0)
> +/usr/sbin/virtlogd   --  
> gen_context(system_u:object_r:virtlogd_exec_t,s0)
> +/usr/bin/virsh   --  
> gen_context(system_u:object_r:virsh_exec_t,s0)
> +
> +/usr/sbin/virtinterfaced --  
> gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
> +/usr/sbin/virtlxcd   --  
> gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
> +/usr/sbin/virtnetworkd   --  
> gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
> +/usr/sbin/virtnodedevd   --  
> gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
> +/usr/sbin/virtnwfilterd  --  
> gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
> +/usr/sbin/virtproxyd --  
> gen_context(system_u:object_r:virtproxyd_exec_t,s0)
> +/usr/sbin/virtqemud  --  
> gen_context(system_u:object_r:virtqemud_exec_t,s0)
> +/usr/sbin/virtsecretd--  
> gen_context(system_u:object_r:virtsecretd_exec_t,s0)
> +/usr/sbin/virtstoraged   --  
> gen_context(system_u:object_r:virtstoraged_exec_t,s0)
> +/usr/sbin/virtvboxd  --  
> gen_context(system_u:object_r:virtvboxd_exec_t,s0)
> +/usr/sbin/virtvzd--  
> gen_context(system_u:object_r:virtvzd_exec_t,s0)
> +/usr/sbin/virtxend   --  
> gen_context(system_u:object_r:virtxend_exec_t,s0)
> +
> +/var/cache/libvirt(/.*)? 
> gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
> +
> +/var/lib/libvirt(/.*)?   
> gen_context(system_u:object_r:virt_var_lib_t,s0)
> +/var/lib/libvirt/boot(/
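Review bot: `/usr/sbin/virtlockd` is labelled virtlogd_exec_t, the same entrypoint type as `/usr/sbin/virtlogd` on the next line, so the lock daemon and the log daemon will run in one domain even though every other daemon in this block gets its own `<name>_exec_t`. If that sharing is intended, a comment next to the entry should say so; if it is a copy-and-paste slip, virtlockd needs its own exec type and a matching domain in virt.te.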

[libvirt PATCH 01/13] security: add SELinux policy for virt

2021-08-06 Thread Daniel P. Berrangé
From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet,
because I wasn't able to reproduce AVC messages. These drivers
run in unconfined_domain until the AVC messages are reproduced
internally and policy for these drivers is made.

Signed-off-by: Nikola Knazekova 
---
 src/security/selinux/virt.fc |  111 ++
 src/security/selinux/virt.if | 1984 
 src/security/selinux/virt.te | 2078 ++
 3 files changed, 4173 insertions(+)
 create mode 100644 src/security/selinux/virt.fc
 create mode 100644 src/security/selinux/virt.if
 create mode 100644 src/security/selinux/virt.te

diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 00..554e1094d9
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)?   
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+
+/etc/libvirt   -d  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd\.conf--  
gen_context(system_u:object_r:virtlogd_etc_t,s0)
+/etc/libvirt/[^/]* --  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d  
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* 
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd--  
gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd--  
gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+
+/usr/libexec/libvirt_lxc   --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
+/usr/sbin/libvirtd --  
gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virsh --  
gen_context(system_u:object_r:virsh_exec_t,s0)
+
+/usr/sbin/virtinterfaced   --  
gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
+/usr/sbin/virtlxcd --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/sbin/virtnetworkd --  
gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
+/usr/sbin/virtnodedevd --  
gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
+/usr/sbin/virtnwfilterd--  
gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
+/usr/sbin/virtproxyd   --  
gen_context(system_u:object_r:virtproxyd_exec_t,s0)
+/usr/sbin/virtqemud--  
gen_context(system_u:object_r:virtqemud_exec_t,s0)
+/usr/sbin/virtsecretd  --  
gen_context(system_u:object_r:virtsecretd_exec_t,s0)
+/usr/sbin/virtstoraged --  
gen_context(system_u:object_r:virtstoraged_exec_t,s0)
+/usr/sbin/virtvboxd--  
gen_context(system_u:object_r:virtvboxd_exec_t,s0)
+/usr/sbin/virtvzd  --  
gen_context(system_u:object_r:virtvzd_exec_t,s0)
+/usr/sbin/virtxend --  
gen_context(system_u:object_r:virtxend_exec_t,s0)
+
+/var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)?  
gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)?   
gen_context(system_u:object_r:virt_var_lockd_t,s0)
+/var/lib/libvirt/qemu(/.*)?
gen_context(s
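Review bot: `/usr/sbin/virtlxcd` and `/usr/libexec/libvirt_lxc` are both labelled virtd_lxc_exec_t, which gives the LXC driver daemon and the per-container controller helper the same entrypoint type, while every other modular daemon in the block (virtqemud_exec_t, virtvboxd_exec_t, virtnetworkd_exec_t, ...) gets its own. If the driver daemon is meant to be confined separately from the process that sets up each container, it needs a virtlxcd_exec_t of its own; otherwise a comment should record that the LXC driver deliberately reuses the libvirt_lxc domain.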

[PATCH v5 1/3] Add SELinux policy for virt

2021-07-08 Thread Vit Mojzis
From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---

Changes:
 - Rebase
 - Remove some unneeded interface calls from the policy
 - Update interface file path

 src/security/selinux/virt.fc |  111 ++
 src/security/selinux/virt.if | 1984 
 src/security/selinux/virt.te | 2078 ++
 3 files changed, 4173 insertions(+)
 create mode 100644 src/security/selinux/virt.fc
 create mode 100644 src/security/selinux/virt.if
 create mode 100644 src/security/selinux/virt.te

diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 00..554e1094d9
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)?   
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+
+/etc/libvirt   -d  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd\.conf--  
gen_context(system_u:object_r:virtlogd_etc_t,s0)
+/etc/libvirt/[^/]* --  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d  
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* 
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd--  
gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd--  
gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+
+/usr/libexec/libvirt_lxc   --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
+/usr/sbin/libvirtd --  
gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virsh --  
gen_context(system_u:object_r:virsh_exec_t,s0)
+
+/usr/sbin/virtinterfaced   --  
gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
+/usr/sbin/virtlxcd --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/sbin/virtnetworkd --  
gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
+/usr/sbin/virtnodedevd --  
gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
+/usr/sbin/virtnwfilterd--  
gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
+/usr/sbin/virtproxyd   --  
gen_context(system_u:object_r:virtproxyd_exec_t,s0)
+/usr/sbin/virtqemud--  
gen_context(system_u:object_r:virtqemud_exec_t,s0)
+/usr/sbin/virtsecretd  --  
gen_context(system_u:object_r:virtsecretd_exec_t,s0)
+/usr/sbin/virtstoraged --  
gen_context(system_u:object_r:virtstoraged_exec_t,s0)
+/usr/sbin/virtvboxd--  
gen_context(system_u:object_r:virtvboxd_exec_t,s0)
+/usr/sbin/virtvzd  --  
gen_context(system_u:object_r:virtvzd_exec_t,s0)
+/usr/sbin/virtxend --  
gen_context(system_u:object_r:virtxend_exec_t,s0)
+
+/var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)?  
gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)?   
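Review bot: /usr/sbin/virtlxcd is labelled virtd_lxc_exec_t, the same exec type as /usr/libexec/libvirt_lxc (the per-container controller helper), so the LXC management daemon and the helper it launches enter one domain, while every other hypervisor driver in this hunk (virtqemud, virtvboxd) gets its own *_exec_t; either give virtlxcd a virtlxcd_exec_t or say in the .fc why the two must share. The same question applies to /usr/sbin/virtlockd, which is labelled virtlogd_exec_t and therefore runs in the log daemon's domain although it manages image locks rather than logs; if that sharing is deliberate, a one-line comment next to the entry would spare the next reader the same check.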

Re: [PATCH v2] Add SELinux policy for virt

2021-06-18 Thread Vit Mojzis



On 24. 05. 21 14:36, Daniel P. Berrangé wrote:

On Mon, May 24, 2021 at 05:25:19AM -0700, Andrea Bolognani wrote:

On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:

On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:

On 4/30/21 10:28 PM, Vit Mojzis wrote:

On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:

On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:

Sorry for the long delay. This is our first request to ship a
policy for
multiple selinux stores (targeted, mls and minimum).

Changes:
* Replace all selinux-policy-%{policytype} dependencies with
selinux-policy-base
* Add Ghost files representing installed policy modules in all
policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for
targeted/minimum - with
    enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy
    type is available

The new policy was only tested in "targeted" mode so far and
we'll need to make
sure it works properly in "mls". As for "minimum", we know it will not
work properly (as is the case of the current policy) by default (some
other "contrib" policy modules need to be enabled).
I'd argue there is no point trying to get it to work in "minimum",
mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when
using a modular policy.

Right now you can install RPMs in a container, and use selinux
enforcement
on that container because the host OS policy provides all the rules
in the
monolithic blob.
If we take this policy into libvirt, then when you install libvirt in a
container, there will be no selinux policy available.

Users can't install libvirt-selinux inside the container, as it
needs to be
built against the main policy in the host.

User likely won't install libvirt-selinux outside the container as that
defeats the purpose of using containers for their deployment mechanism.

Container based deployment of libvirt is important for both OpenStack
and KubeVirt.

So from discussions with respective developers I got the following:

KubeVirt runs the libvirt containers with a custom policy 
https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil,
that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only
installed inside the container and there is no bind mount of
/sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the
host.

With OpenStack I believe their deployment tool manages the config of
the entire host, so installing the libvirt-daemon-selinux package
ought to be reasonably straightforward for them.

I worry about KubeVirt though. IIUC in their deployment, the hosts
in use are all provisioned by OpenShift upfront & when KubeVirt is
deployed, the only pieces they're deploying live inside the host.

IOW, it seems like libvirt-daemon-selinux would have to be provided
ahead of time by OpenShift if it is to be used, and I'm not sure
if that's a practical requirement.

I think we need to get explicit confirmation from KubeVirt that
a requirement to installing RPMs directly on the host is going
to be acceptable.

I'm afraid that's not going to fly for KubeVirt.

Adding Roman and Vladik so they can provide more information.

For context, the discussion is about shipping the SELinux policy
for libvirt as part of a sub-package of libvirt instead of the main
selinux-policy package.

Reading again, I realize Vit links to a URL above that shows
virt-handler  includes a custom selinux policy.

How does that get deployed, and can the libvirt-daemon-selinux
stuff be deployed in the same way ?


Based on a quick look at virt-handler it seems like the policy is 
installed by installPolicy in cmd/virt-handler/virt-handler.go, which 
just calls "semodule -i".


Shipping the policy is much more straight-forward in this case, since 
it's in "cil" format, which means it does not need to be compiled before 
installation.


I expect that it would be easier to include virt-daemon-selinux as a 
dependency, instead of managing the virt policy.


Vit



Regards,
Daniel
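
As an added illustration of the build scheme listed in the quoted message above (one module built with enable_mcs shared by targeted and minimum, one built with enable_mls for mls, and installation keyed on which policy store is present), here is a Python sketch of such a script. It is example code written for this page, not the script from the libvirt patch. It assumes, and these are assumptions rather than anything the thread states, that the refpolicy development Makefile lives at /usr/share/selinux/devel/Makefile and selects the policy type (and with it the enable_mcs or enable_mls define) through NAME=<type>, that the built modules are shipped under /usr/share/selinux/packages/<type>/, and that the package's copy is loaded at priority 200 so it shadows, rather than replaces, a same-named distribution module at priority 100.

```python
"""Build one SELinux policy module for several policy stores and load it
into the stores that exist on the host.

Example for this page, not the libvirt patch's script.  Assumptions
(labelled again where they are used): the refpolicy devel Makefile path and
its NAME= variable, the /usr/share/selinux/packages/<store>/ layout and the
priority 200 convention.
"""
import os
import shutil
import subprocess
import sys
from typing import Callable, Dict, List

DEVEL_MAKEFILE = "/usr/share/selinux/devel/Makefile"   # assumed location
PACKAGE_DIR = "/usr/share/selinux/packages"             # assumed layout
MODULE_PRIORITY = "200"                                 # assumed convention

# Policy store (SELINUXTYPE in /etc/selinux/config) -> build variant.
VARIANT_FOR_STORE: Dict[str, str] = {"targeted": "mcs", "minimum": "mcs", "mls": "mls"}


def parse_selinux_config(text: str) -> Dict[str, str]:
    """Parse /etc/selinux/config style KEY=VALUE lines, ignoring '#' comments."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def build_variants(stores) -> Dict[str, str]:
    """Variant -> the store whose headers build it.  The mcs variant is built
    once and shared by targeted and minimum instead of once per store."""
    chosen: Dict[str, str] = {}
    for store in stores:
        chosen.setdefault(VARIANT_FOR_STORE[store], store)
    return chosen


def make_cmd(module: str, store: str) -> List[str]:
    """NAME= picks /usr/share/selinux/<store>/include and the matching
    enable_mcs / enable_mls define (assumed devel Makefile behaviour)."""
    return ["make", "-f", DEVEL_MAKEFILE, f"NAME={store}", f"{module}.pp"]


def installed_stores(selinux_root: str = "/etc/selinux",
                     isdir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Stores present on the host: selinux-policy-<store> creates /etc/selinux/<store>."""
    return [s for s in VARIANT_FOR_STORE if isdir(os.path.join(selinux_root, s))]


def install_cmds(module: str, stores, pkgdir: str = PACKAGE_DIR) -> List[List[str]]:
    """One semodule call per present store.  -s targets a store other than the
    active one, so every installed store receives its own variant."""
    return [
        ["semodule", "-s", store, "-X", MODULE_PRIORITY, "-i",
         os.path.join(pkgdir, store, f"{module}.pp")]
        for store in stores
    ]


def main(module: str = "virt") -> int:
    stores = installed_stores()
    if not stores:
        print("no SELinux policy store found, nothing to do", file=sys.stderr)
        return 0
    for variant, build_store in build_variants(stores).items():
        subprocess.run(make_cmd(module, build_store), check=True)
        # Fan the freshly built variant out to every store that uses it.
        for store in stores:
            if VARIANT_FOR_STORE[store] == variant:
                dest = os.path.join(PACKAGE_DIR, store)
                os.makedirs(dest, exist_ok=True)
                shutil.copy(f"{module}.pp", os.path.join(dest, f"{module}.pp"))
        subprocess.run(["make", "-f", DEVEL_MAKEFILE, f"NAME={build_store}", "clean"], check=True)
    for cmd in install_cmds(module, stores):
        subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as root on a host with selinux-policy-devel installed; the command-building functions are kept free of side effects so the store-to-variant mapping can be checked without touching the policy store.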




Re: [PATCH v2] Add SELinux policy for virt

2021-05-24 Thread Daniel P . Berrangé
On Mon, May 24, 2021 at 05:25:19AM -0700, Andrea Bolognani wrote:
> On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
> > On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
> > > On 4/30/21 10:28 PM, Vit Mojzis wrote:
> > > > On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
> > > > > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > > > > Sorry for the long delay. This is our first request to ship a
> > > > > > policy for
> > > > > > multiple selinux stores (targeted, mls and minimum).
> > > > > >
> > > > > > Changes:
> > > > > > * Replace all selinux-policy-%{policytype} dependencies with
> > > > > > selinux-policy-base
> > > > > > * Add Ghost files representing installed policy modules in all
> > > > > > policy stores
> > > > > > * Rewrite policy compilation script in python
> > > > > > * Compile the policy module twice (1 version for
> > > > > > targeted/minimum - with
> > > > > >    enable_mcs, and 1 for mls - with enable_mls)
> > > > > > * Manage policy (un)installation using triggers based on which 
> > > > > > policy
> > > > > >    type is available
> > > > > >
> > > > > > The new policy was only tested in "targeted" mode so far and
> > > > > > we'll need to make
> > > > > > sure it works properly in "mls". As for "minimum", we know it will 
> > > > > > not
> > > > > > work properly (as is the case of the current policy) by default 
> > > > > > (some
> > > > > > other "contrib" policy modules need to be enabled).
> > > > > > I'd argue there is no point trying to get it to work in "minimum",
> > > > > > mostly because it (minimum) will be retired soon.
> > > > >
> > > > > I'm wondering how SELinux is supposed to integrate with containers 
> > > > > when
> > > > > using a modular policy.
> > > > >
> > > > > Right now you can install RPMs in a container, and use selinux
> > > > > enforcement
> > > > > on that container because the host OS policy provides all the rules
> > > > > in the
> > > > > monolithic blob.
> > > > > If we take this policy into libvirt, then when you install libvirt in 
> > > > > a
> > > > > container, there will be no selinux policy available.
> > > > >
> > > > > Users can't install libvirt-selinux inside the container, as it
> > > > > needs to be
> > > > > built against the main policy in the host.
> > > > >
> > > > > User likely won't install libvirt-selinux outside the container as 
> > > > > that
> > > > > defeats the purpose of using containers for their deployment 
> > > > > mechanism.
> > > > >
> > > > > Container based deployment of libvirt is important for both OpenStack
> > > > > and KubeVirt.
> > >
> > > So from discussions with respective developers I got the following:
> > >
> > > KubeVirt runs the libvirt containers with a custom policy 
> > > https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil,
> > > that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is 
> > > only
> > > installed inside the container and there is no bind mount of
> > > /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on 
> > > the
> > > host.
> >
> > With OpenStack I believe their deployment tool manages the config of
> > the entire host, so installing the libvirt-daemon-selinux package
> > ought to be reasonably straightforward for them.
> >
> > I worry about KubeVirt though. IIUC in their deployment, the hosts
> > in use are all provisioned by OpenShift upfront & when KubeVirt is
> > deployed, the only pieces they're deploying live inside the host.
> >
> > IOW, it seems like libvirt-daemon-selinux would have to be provided
> > ahead of time by OpenShift if it is to be used, and I'm not sure
> > if that's a practical requirement.
> >
> > I think we need to get explicit confirmation from KubeVirt that
> > a requirement to installing RPMs directly on the host is going
> > to be acceptable.
> 
> I'm afraid that's not going to fly for KubeVirt.
> 
> Adding Roman and Vladik so they can provide more information.
> 
> For context, the discussion is about shipping the SELinux policy
> for libvirt as part of a sub-package of libvirt instead of the main
> selinux-policy package.

Reading again, I realize Vit links to a URL above that shows
virt-handler  includes a custom selinux policy.

How does that get deployed, and can the libvirt-daemon-selinux
stuff be deployed in the same way ?

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|



Re: [PATCH v2] Add SELinux policy for virt

2021-05-24 Thread Andrea Bolognani
On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
> On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
> > On 4/30/21 10:28 PM, Vit Mojzis wrote:
> > > On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
> > > > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > > > Sorry for the long delay. This is our first request to ship a
> > > > > policy for
> > > > > multiple selinux stores (targeted, mls and minimum).
> > > > >
> > > > > Changes:
> > > > > * Replace all selinux-policy-%{policytype} dependencies with
> > > > > selinux-policy-base
> > > > > * Add Ghost files representing installed policy modules in all
> > > > > policy stores
> > > > > * Rewrite policy compilation script in python
> > > > > * Compile the policy module twice (1 version for
> > > > > targeted/minimum - with
> > > > >    enable_mcs, and 1 for mls - with enable_mls)
> > > > > * Manage policy (un)installation using triggers based on which policy
> > > > >    type is available
> > > > >
> > > > > The new policy was only tested in "targeted" mode so far and
> > > > > we'll need to make
> > > > > sure it works properly in "mls". As for "minimum", we know it will not
> > > > > work properly (as is the case of the current policy) by default (some
> > > > > other "contrib" policy modules need to be enabled).
> > > > > I'd argue there is no point trying to get it to work in "minimum",
> > > > > mostly because it (minimum) will be retired soon.
> > > >
> > > > I'm wondering how SELinux is supposed to integrate with containers when
> > > > using a modular policy.
> > > >
> > > > Right now you can install RPMs in a container, and use selinux
> > > > enforcement
> > > > on that container because the host OS policy provides all the rules
> > > > in the
> > > > monolithic blob.
> > > > If we take this policy into libvirt, then when you install libvirt in a
> > > > container, there will be no selinux policy available.
> > > >
> > > > Users can't install libvirt-selinux inside the container, as it
> > > > needs to be
> > > > built against the main policy in the host.
> > > >
> > > > User likely won't install libvirt-selinux outside the container as that
> > > > defeats the purpose of using containers for their deployment mechanism.
> > > >
> > > > Container based deployment of libvirt is important for both OpenStack
> > > > and KubeVirt.
> >
> > So from discussions with respective developers I got the following:
> >
> > KubeVirt runs the libvirt containers with a custom policy 
> > https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil,
> > that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only
> > installed inside the container and there is no bind mount of
> > /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the
> > host.
>
> With OpenStack I believe their deployment tool manages the config of
> the entire host, so installing the libvirt-daemon-selinux package
> ought to be reasonably straightforward for them.
>
> I worry about KubeVirt though. IIUC in their deployment, the hosts
> in use are all provisioned by OpenShift upfront & when KubeVirt is
> deployed, the only pieces they're deploying live inside the host.
>
> IOW, it seems like libvirt-daemon-selinux would have to be provided
> ahead of time by OpenShift if it is to be used, and I'm not sure
> if that's a practical requirement.
>
> I think we need to get explicit confirmation from KubeVirt that
> a requirement to installing RPMs directly on the host is going
> to be acceptable.

I'm afraid that's not going to fly for KubeVirt.

Adding Roman and Vladik so they can provide more information.

For context, the discussion is about shipping the SELinux policy
for libvirt as part of a sub-package of libvirt instead of the main
selinux-policy package.

-- 
Andrea Bolognani / Red Hat / Virtualization




Re: [PATCH v2] Add SELinux policy for virt

2021-05-21 Thread Daniel P . Berrangé
On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
> 
> On 4/30/21 10:28 PM, Vit Mojzis wrote:
> > 
> > On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
> > > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > > Sorry for the long delay. This is our first request to ship a
> > > > policy for
> > > > multiple selinux stores (targeted, mls and minimum).
> > > > 
> > > > Changes:
> > > > * Replace all selinux-policy-%{policytype} dependencies with
> > > > selinux-policy-base
> > > > * Add Ghost files representing installed policy modules in all
> > > > policy stores
> > > > * Rewrite policy compilation script in python
> > > > * Compile the policy module twice (1 version for
> > > > targeted/minimum - with
> > > >    enable_mcs, and 1 for mls - with enable_mls)
> > > > * Manage policy (un)installation using triggers based on which policy
> > > >    type is available
> > > > 
> > > > The new policy was only tested in "targeted" mode so far and
> > > > we'll need to make
> > > > sure it works properly in "mls". As for "minimum", we know it will not
> > > > work properly (as is the case of the current policy) by default (some
> > > > other "contrib" policy modules need to be enabled).
> > > > I'd argue there is no point trying to get it to work in "minimum",
> > > > mostly because it (minimum) will be retired soon.
> > > I'm wondering how SELinux is supposed to integrate with containers when
> > > using a modular policy.
> > > 
> > > Right now you can install RPMs in a container, and use selinux
> > > enforcement
> > > on that container because the host OS policy provides all the rules
> > > in the
> > > monolithic blob.
> > > If we take this policy into libvirt, then when you install libvirt in a
> > > container, there will be no selinux policy available.
> > > 
> > > Users can't install libvirt-selinux inside the container, as it
> > > needs to be
> > > built against the main policy in the host.
> > > 
> > > User likely won't install libvirt-selinux outside the container as that
> > > defeats the purpose of using containers for their deployment mechanism.
> > > 
> > > Container based deployment of libvirt is important for both OpenStack
> > > and KubeVirt.
> 
> So from discussions with respective developers I got the following:
> 
> KubeVirt runs the libvirt containers with a custom policy 
> https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil,
> that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only
> installed inside the container and there is no bind mount of
> /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the
> host.

With OpenStack I believe their deployment tool manages the config of
the entire host, so installing the libvirt-daemon-selinux package
ought to be reasonably straightforward for them.

I worry about KubeVirt though. IIUC in their deployment, the hosts
in use are all provisioned by OpenShift upfront & when KubeVirt is
deployed, the only pieces they're deploying live inside the host.

IOW, it seems like libvirt-daemon-selinux would have to be provided
ahead of time by OpenShift if it is to be used, and I'm not sure
if that's a practical requirement.

I think we need to get explicit confirmation from KubeVirt that
a requirement to installing RPMs directly on the host is going
to be acceptable.

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|



Re: [PATCH v2] Add SELinux policy for virt

2021-05-21 Thread Vit Mojzis



On 4/30/21 10:28 PM, Vit Mojzis wrote:


On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:

On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for
multiple selinux stores (targeted, mls and minimum).

Changes:
* Replace all selinux-policy-%{policytype} dependencies with
selinux-policy-base
* Add Ghost files representing installed policy modules in all
policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with
   enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy
   type is available

The new policy was only tested in "targeted" mode so far and we'll need to make
sure it works properly in "mls". As for "minimum", we know it will not
work properly (as is the case of the current policy) by default (some
other "contrib" policy modules need to be enabled).
I'd argue there is no point trying to get it to work in "minimum",
mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when
using a modular policy.

Right now you can install RPMs in a container, and use selinux enforcement
on that container because the host OS policy provides all the rules in the
monolithic blob.
If we take this policy into libvirt, then when you install libvirt in a
container, there will be no selinux policy available.

Users can't install libvirt-selinux inside the container, as it needs to be
built against the main policy in the host.

User likely won't install libvirt-selinux outside the container as that
defeats the purpose of using containers for their deployment mechanism.

Container based deployment of libvirt is important for both OpenStack
and KubeVirt.


So from discussions with respective developers I got the following:

KubeVirt runs the libvirt containers with a custom policy 
https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac81de31/cmd/virt-handler/virt_launcher.cil, 
that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is 
only installed inside the container and there is no bind mount of 
/sys/fs/selinux. So they will need to install libvirt-daemon-selinux on 
the host.


OpenStack is currently also installing libvirt and QEMU packages only in 
"nova_libvirt" container (however there is some talk of decontainerising 
libvirt in osp 17). Libvirt policy from the host system is propagated 
into the container and used to run the QEMU process as svirt_t 
(http://file.emea.redhat.com/~kchamart/SELinux_libvirt_and_QEMU_in_a_container.html). 
/sys/fs/selinux is bindmounted in this case (so it would be possible to 
install Libvirt policy module to the host machine from the container), 
but it would be better to install libvirt-daemon-selinux only on the host.


We'll need to work with both groups to make sure that their use case 
works properly with the new policy supporting split-daemon 
configuration, and that they install libvirt-daemon-selinux on the host 
machine.




Honestly, I don't know how this is handled in OpenStack or KubeVirt.

Normally the whole container (any processes inside) runs under 
container_t or spc_t and you can't interact with selinux from inside 
the container (all selinux tools would act as if selinux was 
disabled). It is possible to bindmount /sys/fs/selinux of the host 
system into the container. Then you can interact with system policy of 
the host system from the container (even load policy modules).


I assumed that anything container-related would be handled by the 
container policy module (there is even a special domain for kata 
containers).


I'll try and get more information about this (Dan Walsh would probably 
be the right person to ask if you wanted to investigate on your own).



Regards,
Daniel




Re: [PATCH v2 1/4] Add SELinux policy for virt

2021-05-21 Thread Vit Mojzis



On 4/28/21 11:29 AM, Daniel P. Berrangé wrote:

On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:

On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:

On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:

From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterfaced (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvzd and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---
   libvirt.spec.in |   64 ++
   selinux/virt.fc |  111 +++
   selinux/virt.if | 1984 
   selinux/virt.te | 2086 +++
   4 files changed, 4245 insertions(+)
   create mode 100644 selinux/virt.fc
   create mode 100644 selinux/virt.if
   create mode 100644 selinux/virt.te

I was expecting to see the /etc/selinux/targeted/contexts/ files
that belong to the virt policy included as well.

Those are compiled from the whole policy and would not be created without
the corresponding selinux-policy-* package.

AFAICT, these are not compiled at all, they're just static data files
in git:

   
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appconfig-mcs/virtual_domain_context

They're referring to contexts that are defined in the virt.if policy,
so I'd expect the static data files to live with libvirt.git, so that
we can add to them at a later time if we modify virt.if

Oh, yes, correct. Those are basically config files.

Not sure how to handle the transfer though. It would be best to have a 
period when the policy and all related files are in both 
selinux-policy-* and libvirt-daemon-selinux packages, but that would 
present a conflict for these files.








diff --git a/selinux/virt.te b/selinux/virt.te
new file mode 100644
index 00..59dedb8754
--- /dev/null
+++ b/selinux/virt.te
@@ -0,0 +1,2086 @@
+policy_module(virt, 1.5.0)
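Review bot: the module keeps the name virt, the same name as the virt module already in the distribution's selinux-policy store, and semodule keys modules by name and priority (-X), not by the 1.5.0 in this line; a plain semodule -i lands at the default priority 400 and shadows the distribution copy at 100 rather than replacing it, so during the transition both copies sit in the store and the higher priority wins. That is workable, but the packaging should state which priority it chooses (Fedora's convention for packaged non-distribution modules is -X 200) so that removing libvirt-daemon-selinux falls back cleanly to the distribution module, and the conflict raised above for the contexts files applies to the module too; semodule -lfull shows both copies and their priorities.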

Is there some include file syntax we can use with this so
that we can split it up.  I'm not asking you to split it,
but I'll later want to make it have one file for each daemon
and a few files for the common pieces, to make this easier
to manage.

I'm not aware of any include syntax other than .if files. In theory you
could use multiple interface files, each containing an interface covering a
single daemon. All of those interfaces would then be "called" from virt.te.

Other than that you'd need to have multiple policy modules in order to use
multiple .te files.

Or probably easiest if we just pre-process the files ourselves to combine
them

+1



Regards,
Daniel
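
As an added review aid for the virt.fc posted in this thread (example code for this page, not part of the libvirt patch or of selinux-policy), the following Python parses the .fc syntax and derives, per binary, the domain it will enter under the usual refpolicy convention that foo_exec_t is the entry point of foo_t; that convention is an assumption here, since the real transitions live in virt.te. It reports binaries that share one domain (and therefore identical rights) and daemons that the commit message says run unconfined but that still receive a private exec type. The sample is a hand-copied subset of the hunk.

```python
"""Review helper for an SELinux file_contexts (.fc) fragment.

Added example for this thread, not code from the libvirt patch or from
selinux-policy.  Parses refpolicy .fc lines (path regex, optional file-type
flag, gen_context(user:role:type[,range])) and, assuming the X_exec_t -> X_t
naming convention, maps each binary to the domain it would enter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the virt.fc hunk quoted in the thread.
SAMPLE_FC = """\
/usr/libexec/libvirt_lxc   --  gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/sbin/libvirtd         --  gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd        --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/sbin/virtlogd         --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/bin/virsh             --  gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/virtlxcd         --  gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/sbin/virtqemud        --  gen_context(system_u:object_r:virtqemud_exec_t,s0)
/usr/sbin/virtvzd          --  gen_context(system_u:object_r:virtvzd_exec_t,s0)
/usr/sbin/virtxend         --  gen_context(system_u:object_r:virtxend_exec_t,s0)
/var/cache/libvirt(/.*)?       gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
/var/lib/libvirt/images(/.*)?  gen_context(system_u:object_r:virt_image_t,s0)
"""

FC_LINE = re.compile(
    r"^(?P<path>\S+)"                    # path regular expression
    r"(?:\s+(?P<ftype>-[-dlcbsp]))?"     # optional file-type flag: --, -d, -l, -c, -b, -s, -p
    r"\s+gen_context\((?P<ctx>[^)]*)\)$"
)
EXEC_SUFFIX = "_exec_t"
BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/libexec/")


@dataclass(frozen=True)
class FcEntry:
    path: str
    ftype: Optional[str]    # None means the entry applies to any file type
    user: str
    role: str
    stype: str
    mls: Optional[str]      # e.g. "s0" or "s0-mls_systemhigh"


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc lines; '#' comments and blank lines are skipped."""
    entries: List[FcEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a file_contexts entry: {raw!r}")
        ctx, _, mls = m.group("ctx").partition(",")
        fields = ctx.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected user:role:type, got {ctx!r}")
        entries.append(FcEntry(m.group("path"), m.group("ftype"), *fields, mls or None))
    return entries


def domain_for(entry: FcEntry) -> Optional[str]:
    """Assumed refpolicy convention: foo_exec_t is the entry point of foo_t."""
    if entry.stype.endswith(EXEC_SUFFIX) and entry.path.startswith(BIN_DIRS):
        return entry.stype[: -len(EXEC_SUFFIX)] + "_t"
    return None


def binaries_per_domain(entries: List[FcEntry]) -> Dict[str, List[str]]:
    table: Dict[str, List[str]] = {}
    for e in entries:
        dom = domain_for(e)
        if dom is not None:
            table.setdefault(dom, []).append(e.path)
    return table


def shared_domains(entries: List[FcEntry]) -> Dict[str, List[str]]:
    """Domains entered by more than one binary: those binaries get identical rights."""
    return {d: p for d, p in binaries_per_domain(entries).items() if len(p) > 1}


def confined_but_declared_unconfined(entries: List[FcEntry], unconfined) -> List[Tuple[str, str]]:
    """Daemons said to run unconfined that nevertheless get a private exec type."""
    return [(e.path, e.stype) for e in entries
            if e.path.rsplit("/", 1)[-1] in unconfined and domain_for(e) is not None]


if __name__ == "__main__":
    ents = parse_fc(SAMPLE_FC)
    for dom, paths in sorted(shared_domains(ents).items()):
        print(f"{dom}: shared by {', '.join(paths)}")
    for path, stype in confined_but_declared_unconfined(ents, {"virtvzd", "virtxend"}):
        print(f"{path}: labelled {stype} although the commit message says it runs unconfined")
```

On the sample it reports virtlogd_t (virtlockd and virtlogd) and virtd_lxc_t (libvirt_lxc and virtlxcd) as shared, and virtvzd/virtxend as labelled despite the commit message; point parse_fc at the full virt.fc to check the rest.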




[PATCH v4 1/3] Add SELinux policy for virt

2021-04-30 Thread Vit Mojzis
From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterfaced (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvzd and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---
Changes:
- Policy updated to work properly on mls systems

 src/security/selinux/virt.fc |  111 ++
 src/security/selinux/virt.if | 1984 
 src/security/selinux/virt.te | 2090 ++
 3 files changed, 4185 insertions(+)
 create mode 100644 src/security/selinux/virt.fc
 create mode 100644 src/security/selinux/virt.if
 create mode 100644 src/security/selinux/virt.te

diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 00..554e1094d9
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)?   
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+
+/etc/libvirt   -d  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd\.conf--  
gen_context(system_u:object_r:virtlogd_etc_t,s0)
+/etc/libvirt/[^/]* --  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d  
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* 
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd--  
gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd--  
gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+
+/usr/libexec/libvirt_lxc   --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
+/usr/sbin/libvirtd --  
gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virsh --  
gen_context(system_u:object_r:virsh_exec_t,s0)
+
+/usr/sbin/virtinterfaced   --  
gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
+/usr/sbin/virtlxcd --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/sbin/virtnetworkd --  
gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
+/usr/sbin/virtnodedevd --  
gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
+/usr/sbin/virtnwfilterd--  
gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
+/usr/sbin/virtproxyd   --  
gen_context(system_u:object_r:virtproxyd_exec_t,s0)
+/usr/sbin/virtqemud--  
gen_context(system_u:object_r:virtqemud_exec_t,s0)
+/usr/sbin/virtsecretd  --  
gen_context(system_u:object_r:virtsecretd_exec_t,s0)
+/usr/sbin/virtstoraged --  
gen_context(system_u:object_r:virtstoraged_exec_t,s0)
+/usr/sbin/virtvboxd--  
gen_context(system_u:object_r:virtvboxd_exec_t,s0)
+/usr/sbin/virtvzd  --  
gen_context(system_u:object_r:virtvzd_exec_t,s0)
+/usr/sbin/virtxend --  
gen_context(system_u:object_r:virtxend_exec_t,s0)
+
+/var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)?  
gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)?   
gen_context(system_u:object_r:virt_var_loc
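Review bot: the commit message says virtvzd and virtxend stay in unconfined_domain until their AVCs are collected, yet this hunk labels /usr/sbin/virtvzd and /usr/sbin/virtxend with private virtvzd_exec_t and virtxend_exec_t; if virt.te declares those types as unconfined entry points, say so in the commit message, and if it does not, the two labels trigger no transition and are dead until the real policy arrives. Since the "Changes" note says the policy was updated for mls, it would also help to state whether it is deliberate that only /var/cache/libvirt carries an explicit range (s0-mls_systemhigh) while /var/lib/libvirt/images and the HOME_DIR entries are plain s0.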

Re: [PATCH v2] Add SELinux policy for virt

2021-04-30 Thread Vit Mojzis



On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:

On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:

Sorry for the long delay. This is our first request to ship a policy for
multiple selinux stores (targeted, mls and minimum).

Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with
   enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy
   type is available

The new policy was only tested in "targeted" mode so far and we'll need to make
sure it works properly in "mls". As for "minimum", we know it will not
work properly (as is the case of the current policy) by default (some
other "contrib" policy modules need to be enabled).
I'd argue there is no point trying to get it to work in "minimum",
mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when
using a modular policy.

Right now you can install RPMs in a container, and use selinux enforcement
on that container because the host OS policy provides all the rules in the
monolithic blob.
If we take this policy into libvirt, then when you install libvirt in a
container, there will be no selinux policy available.

Users can't install libvirt-selinux inside the container, as it needs to be
built against the main policy in the host.

User likely won't install libvirt-selinux outside the container as that
defeats the purpose of using containers for their deployment mechanism.

Container based deployment of libvirt is important for both OpenStack
and KubeVirt.


Honestly, I don't know how this is handled in OpenStack or KubeVirt.

Normally the whole container (any processes inside) runs under 
container_t or spc_t and you can't interact with selinux from inside the 
container (all selinux tools would act as if selinux was disabled). It 
is possible to bindmount /sys/fs/selinux of the host system into the 
container. Then you can interact with system policy of the host system 
from the container (even load policy modules).


I assumed that anything container-related would be handled by the 
container policy module (there is even a special domain for kata 
containers).


I'll try and get more information about this (Dan Walsh would probably 
be the right person to ask if you wanted to investigate on your own).



Regards,
Daniel




Re: [PATCH v2 1/4] Add SELinux policy for virt

2021-04-28 Thread Daniel P . Berrangé
On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
> 
> On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
> > On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
> > > From: Nikola Knazekova 
> > > 
> > > SELinux policy was created for:
> > > 
> > > Hypervisor drivers:
> > > - virtqemud (QEMU/KVM)
> > > - virtlxcd (LXC)
> > > - virtvboxd (VirtualBox)
> > > 
> > > Secondary drivers:
> > > - virtstoraged (host storage mgmt)
> > > - virtnetworkd (virtual network mgmt)
> > > - virtinterfaced (network interface mgmt)
> > > - virtnodedevd (physical device mgmt)
> > > - virtsecretd (security credential mgmt)
> > > - virtnwfilterd (ip[6]tables/ebtables mgmt)
> > > - virtproxyd (proxy daemon)
> > > 
> > > SELinux policy for virtvzd and virtxend has not been created yet, because 
> > > I wasn't able to reproduce AVC messages. These drivers run in 
> > > unconfined_domain until the AVC messages are reproduced internally and 
> > > policy for these drivers is made.
> > > 
> > > Signed-off-by: Nikola Knazekova 
> > > ---
> > >   libvirt.spec.in |   64 ++
> > >   selinux/virt.fc |  111 +++
> > >   selinux/virt.if | 1984 
> > >   selinux/virt.te | 2086 +++
> > >   4 files changed, 4245 insertions(+)
> > >   create mode 100644 selinux/virt.fc
> > >   create mode 100644 selinux/virt.if
> > >   create mode 100644 selinux/virt.te
> > I was expecting to see the /etc/selinux/targeted/contexts/ files
> > that belong to the virt policy included as well.
> 
> Those are compiled from the whole policy and would not be created without
> the corresponding selinux-policy-* package.

AFAICT, these are not compiled at all, they're just static data files
in git:

  
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appconfig-mcs/virtual_domain_context

They're referring to contexts that are defined in the virt.if policy,
so I'd expect the static data files to live with libvirt.git, so that
we can add to them at a later time if we modify virt.if



> > > diff --git a/selinux/virt.te b/selinux/virt.te
> > > new file mode 100644
> > > index 00..59dedb8754
> > > --- /dev/null
> > > +++ b/selinux/virt.te
> > > @@ -0,0 +1,2086 @@
> > > +policy_module(virt, 1.5.0)
> > Is there some include file syntax we can use with this so
> > that we can split it up.  I'm not asking you to split it,
> > but I'll later want to make it have one file for each daemon
> > and a few files for the common pieces, to make this easier
> > to manage.
> I'm not aware of any include syntax other than .if files. In theory you
> could use multiple interface files, each containing an interface covering a
> single daemon. All of those interfaces would then be "called" from virt.te.
> 
> Other than that you'd need to have multiple policy modules in order to use
> multiple .te files.

Or probably easiest if we just pre-process the files ourselves to combine
them


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [PATCH v2] Add SELinux policy for virt

2021-04-28 Thread Daniel P . Berrangé
On Wed, Apr 28, 2021 at 10:54:58AM +0200, Vit Mojzis wrote:
> 
> On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:
> > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > Sorry for the long delay. This is our first request to ship a policy for
> > > multiple selinux stores (targeted, mls and minimum).
> > > 
> > > Changes:
> > > * Replace all selinux-policy-%{policytype} dependencies with 
> > > selinux-policy-base
> > > * Add Ghost files representing installed policy modules in all policy 
> > > stores
> > > * Rewrite policy compilation script in python
> > > * Compile the policy module twice (1 version for targeted/minimum - with
> > >enable_mcs, and 1 for mls - with enable_mls)
> > > * Manage policy (un)installation using triggers based on which policy
> > >type is available
> > > 
> > > The new policy was only tested in "targeted" mode so far and we'll need 
> > > to make
> > > sure it works properly in "mls". As for "minimum", we know it will not
> > > work properly (as is the case of the current policy) by default (some
> > > other "contrib" policy modules need to be enabled).
> > > I'd argue there is no point trying to get it to work in "minimum",
> > > mostly because it (minimum) will be retired soon.
> > Running a build with this series causes a tonne of warning messages
> > on the console:
> > 
> > [1310/1319] Generating virt.pp with a custom command
> > /usr/share/selinux/devel/include/services/container.if:13: Error: duplicate 
> > definition of container_runtime_domtrans(). Original definition on 13.
> > /usr/share/selinux/devel/include/services/container.if:40: Error: duplicate 
> > definition of container_runtime_run(). Original definition on 40.
> > /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate 
> > definition of container_runtime_exec(). Original definition on 61.
> > /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate 
> > definition of container_read_state(). Original definition on 80.
> > /usr/share/selinux/devel/include/services/container.if:98: Error: duplicate 
> > definition of container_search_lib(). Original definition on 98.
> > /usr/share/selinux/devel/include/services/container.if:117: Error: 
> > duplicate definition of container_exec_lib(). Original definition on 117.
> > /usr/share/selinux/devel/include/services/container.if:136: Error: 
> > duplicate definition of container_read_lib_files(). Original definition on 
> > 136.
> > /usr/share/selinux/devel/include/services/container.if:155: Error: 
> > duplicate definition of container_read_share_files(). Original definition 
> > on 155.
> > /usr/share/selinux/devel/include/services/container.if:176: Error: 
> > duplicate definition of container_runtime_read_tmpfs_files(). Original 
> > definition on 176.
> > /usr/share/selinux/devel/include/services/container.if:197: Error: 
> > duplicate definition of container_manage_share_files(). Original definition 
> > on 197.
> > /usr/share/selinux/devel/include/services/container.if:218: Error: 
> > duplicate definition of container_manage_share_dirs(). Original definition 
> > on 218.
> > /usr/share/selinux/devel/include/services/container.if:238: Error: 
> > duplicate definition of container_exec_share_files(). Original definition 
> > on 238.
> > /usr/share/selinux/devel/include/services/container.if:256: Error: 
> > duplicate definition of container_manage_config_files(). Original 
> > definition on 256.
> > /usr/share/selinux/devel/include/services/container.if:275: Error: 
> > duplicate definition of container_manage_lib_files(). Original definition 
> > on 275.
> > /usr/share/selinux/devel/include/services/container.if:295: Error: 
> > duplicate definition of container_manage_files(). Original definition on 
> > 295.
> > /usr/share/selinux/devel/include/services/container.if:314: Error: 
> > duplicate definition of container_manage_dirs(). Original definition on 314.
> > /usr/share/selinux/devel/include/services/container.if:332: Error: 
> > duplicate definition of container_manage_lib_dirs(). Original definition on 
> > 332.
> > /usr/share/selinux/devel/include/services/container.if:368: Error: 
> > duplicate definition of container_lib_filetrans(). Original definition on 
> > 368.
> > /usr/share/selinux/devel/include/services/container.if:386: Error: 
> > duplicate definition of container_read_pid_files(). Original definition on 
> > 386.
> > /usr/share/selinux/devel/include/services/container.if:405: Error: 
> > duplicate definition of container_systemctl(). Original definition on 405.
> > /usr/share/selinux/devel/include/services/container.if:430: Error: 
> > duplicate definition of container_rw_sem(). Original definition on 430.
> > /usr/share/selinux/devel/include/services/container.if:449: Error: 
> > duplicate definition of container_append_file(). Original definition on 449.
> > /usr/share/selinux/devel/include/services/container.if:467: Error: 
> > duplicate definition of container_use_ptys(). Origi

Re: [PATCH v2] Add SELinux policy for virt

2021-04-28 Thread Vit Mojzis



On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:

On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:

Sorry for the long delay. This is our first request to ship a policy for
multiple selinux stores (targeted, mls and minimum).

Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with
   enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy
   type is available

The new policy was only tested in "targeted" mode so far and we'll need to make
sure it works properly in "mls". As for "minimum", we know it will not
work properly (as is the case of the current policy) by default (some
other "contrib" policy modules need to be enabled).
I'd argue there is no point trying to get it to work in "minimum",
mostly because it (minimum) will be retired soon.

Running a build with this series causes a tonne of warning messages
on the console:

[1310/1319] Generating virt.pp with a custom command
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate 
definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate 
definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:61: Error: duplicate 
definition of container_runtime_exec(). Original definition on 61.
/usr/share/selinux/devel/include/services/container.if:80: Error: duplicate 
definition of container_read_state(). Original definition on 80.
/usr/share/selinux/devel/include/services/container.if:98: Error: duplicate 
definition of container_search_lib(). Original definition on 98.
/usr/share/selinux/devel/include/services/container.if:117: Error: duplicate 
definition of container_exec_lib(). Original definition on 117.
/usr/share/selinux/devel/include/services/container.if:136: Error: duplicate 
definition of container_read_lib_files(). Original definition on 136.
/usr/share/selinux/devel/include/services/container.if:155: Error: duplicate 
definition of container_read_share_files(). Original definition on 155.
/usr/share/selinux/devel/include/services/container.if:176: Error: duplicate 
definition of container_runtime_read_tmpfs_files(). Original definition on 176.
/usr/share/selinux/devel/include/services/container.if:197: Error: duplicate 
definition of container_manage_share_files(). Original definition on 197.
/usr/share/selinux/devel/include/services/container.if:218: Error: duplicate 
definition of container_manage_share_dirs(). Original definition on 218.
/usr/share/selinux/devel/include/services/container.if:238: Error: duplicate 
definition of container_exec_share_files(). Original definition on 238.
/usr/share/selinux/devel/include/services/container.if:256: Error: duplicate 
definition of container_manage_config_files(). Original definition on 256.
/usr/share/selinux/devel/include/services/container.if:275: Error: duplicate 
definition of container_manage_lib_files(). Original definition on 275.
/usr/share/selinux/devel/include/services/container.if:295: Error: duplicate 
definition of container_manage_files(). Original definition on 295.
/usr/share/selinux/devel/include/services/container.if:314: Error: duplicate 
definition of container_manage_dirs(). Original definition on 314.
/usr/share/selinux/devel/include/services/container.if:332: Error: duplicate 
definition of container_manage_lib_dirs(). Original definition on 332.
/usr/share/selinux/devel/include/services/container.if:368: Error: duplicate 
definition of container_lib_filetrans(). Original definition on 368.
/usr/share/selinux/devel/include/services/container.if:386: Error: duplicate 
definition of container_read_pid_files(). Original definition on 386.
/usr/share/selinux/devel/include/services/container.if:405: Error: duplicate 
definition of container_systemctl(). Original definition on 405.
/usr/share/selinux/devel/include/services/container.if:430: Error: duplicate 
definition of container_rw_sem(). Original definition on 430.
/usr/share/selinux/devel/include/services/container.if:449: Error: duplicate 
definition of container_append_file(). Original definition on 449.
/usr/share/selinux/devel/include/services/container.if:467: Error: duplicate 
definition of container_use_ptys(). Original definition on 467.
/usr/share/selinux/devel/include/services/container.if:485: Error: duplicate 
definition of container_filetrans_named_content(). Original definition on 485.
/usr/share/selinux/devel/include/services/container.if:549: Error: duplicate 
definition of container_stream_connect(). Original definition on 549.
/usr/share/selinux/devel/include/services/container.if:570: Error: duplicate 
definition of container_spc_stream_connect(). 

Re: [PATCH v2 1/4] Add SELinux policy for virt

2021-04-28 Thread Vit Mojzis



On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:

On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:

From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterfaced (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvzd and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---
  libvirt.spec.in |   64 ++
  selinux/virt.fc |  111 +++
  selinux/virt.if | 1984 
  selinux/virt.te | 2086 +++
  4 files changed, 4245 insertions(+)
  create mode 100644 selinux/virt.fc
  create mode 100644 selinux/virt.if
  create mode 100644 selinux/virt.te

I was expecting to see the /etc/selinux/targeted/contexts/ files
that belong to the virt policy included as well.


Those are compiled from the whole policy and would not be created 
without the corresponding selinux-policy-* package.





Also, do we need to make the virt.if file be part of one of
the RPMs ?  flatpak-selinux includes its .if file.


Yes, good point. We had some issues shipping custom interface files on 
rhel 8, but those have been resolved (and yours doesn't contain ifndefs, 
which was the culprit).




diff --git a/libvirt.spec.in b/libvirt.spec.in
index f9af330186..9cbdb2c513 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -3,6 +3,13 @@
  # This spec file assumes you are building on a Fedora or RHEL version
  # that's still supported by the vendor. It may work on other distros
  # or versions, but no effort will be made to ensure that going forward.
+
+%if 0%{?fedora} > 33 || 0%{?rhel} > 8
+   %global with_selinux 1
+   %global selinuxtype targeted
+   %global modulename virt
+%endif
+
  %define min_rhel 7
  %define min_fedora 31
  
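Review bot: `%global selinuxtype targeted` pins a single policy type, but the cover letter says the module is built twice (enable_mcs for targeted/minimum, enable_mls for mls) and installed by triggers into whichever store is present; if the scriptlets iterate over several stores this value is misleading, so either turn it into the list of supported types or add a comment saying it only names the default store. The `%if 0%{?fedora} > 33 || 0%{?rhel} > 8` guard also excludes RHEL 8 without a word on why, which deserves a comment given that `min_rhel` just below is 7.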
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release}

  Requires: libvirt-client = %{version}-%{release}
  Requires: libvirt-libs = %{version}-%{release}
  
+%if 0%{?with_selinux}

+# This ensures that the *-selinux package and all it’s dependencies are not 
pulled
+# into containers and other systems that do not use SELinux
+Requires: (%{name}-selinux if selinux-policy-base)
+%endif
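Review bot: the rich dependency `Requires: (%{name}-selinux if selinux-policy-base)` repeats the subpackage name as a literal, so it has to change in lock-step with the `%package selinux` line; with the rename to daemon-selinux suggested further down it must become `%{name}-daemon-selinux`, and nothing in the build will flag a stale name, the policy package would simply stop being pulled in on SELinux hosts. The comment above it should also read "all its dependencies".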

This is in the main "libvirt" package which is just an empty shim.

I think we'll need it in the "libvirt-daemon" package instead to
start off with.

Thanks, moved.



+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux

s/selinux/daemon-selinux/  since it's only used by the daemons.

Updated.



+Summary: Libvirt SELinux policy
+Requires: selinux-policy-base
+Requires(post): selinux-policy-base
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+SELinux policy module for libvirt.
+%endif
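Review bot: `Requires: selinux-policy-base`, `Requires(post): selinux-policy-base` and `BuildRequires: selinux-policy-devel` duplicate what `%{?selinux_requires}` expands to when the selinux-policy macros are present, and because of the `?` the macro expands to nothing, silently, when they are not; keep one source of truth, or comment that the explicit lines are the deliberate fallback. `Requires(post)` also implies `%post`/`%postun` scriptlets that load and remove the module per store; they are not in this hunk, and the `%description` should say which stores the package handles.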





diff --git a/selinux/virt.te b/selinux/virt.te
new file mode 100644
index 00..59dedb8754
--- /dev/null
+++ b/selinux/virt.te
@@ -0,0 +1,2086 @@
+policy_module(virt, 1.5.0)
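Review bot: `policy_module(virt, 1.5.0)` reuses the name of the `virt` module that the distribution's selinux-policy already ships, so this module does not add to that one, it shadows it (packaged modules are installed at a higher priority than the base policy's). That is presumably the intent, but the commit message should say so and spell out what happens on package removal, since every libvirt daemon's domain comes from whichever `virt` module is active; it should also explain why the version starts at 1.5.0 rather than 1.0.0 for a module that is new to this repository.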

Is there some include file syntax we can use with this so
that we can split it up.  I'm not asking you to split it,
but I'll later want to make it have one file for each daemon
and a few files for the common pieces, to make this easier
to manage.
I'm not aware of any include syntax other than .if files. In theory you 
could use multiple interface files, each containing an interface 
covering a single daemon. All of those interfaces would then be "called" 
from virt.te.


Other than that you'd need to have multiple policy modules in order to 
use multiple .te files.






Regards,
Daniel
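Added example (mine, not part of the patch series or of libvirt): the pre-processing approach raised in this exchange and in the earlier reply about splitting virt.te, one .te fragment per daemon plus a common fragment, merged into a single module source before checkmodule ever sees it. The fragments below are constructed for the illustration, with names borrowed from the virt policy in this thread; the combine step refuses a fragment that carries its own policy_module() line and any type, attribute or bool declared in more than one fragment, so a clash is reported against the fragment rather than against a line number in the merged file.

```python
"""Combine per-daemon refpolicy .te fragments into one module source."""
import re

# Constructed fragments standing in for a split-up virt.te: one common file
# and one per daemon. The names follow the virt policy discussed in the
# thread, but the rules themselves are illustrative only.
FRAGMENTS = {
    "common.te": """\
attribute virt_domain;
type virt_etc_t;
files_config_file(virt_etc_t)
""",
    "virtqemud.te": """\
type virtqemud_t, virt_domain;
type virtqemud_exec_t;
init_daemon_domain(virtqemud_t, virtqemud_exec_t)
allow virtqemud_t virt_etc_t:file read_file_perms;
""",
    "virtlogd.te": """\
type virtlogd_t;
type virtlogd_exec_t;
init_daemon_domain(virtlogd_t, virtlogd_exec_t)
""",
}

# Top-level declarations that must be unique across the whole module.
DECL_RE = re.compile(r"^\s*(type|attribute|bool)\s+(\w+)", re.M)
HEADER_RE = re.compile(r"^\s*policy_module\(", re.M)


def declarations(text: str) -> dict:
    """Map each declared type/attribute/bool name to its kind."""
    return {m.group(2): m.group(1) for m in DECL_RE.finditer(text)}


def find_duplicates(fragments: dict) -> dict:
    """Names declared in more than one fragment -> the fragments declaring them."""
    seen = {}
    for name, text in fragments.items():
        for ident in declarations(text):
            seen.setdefault(ident, []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def combine(module: str, version: str, fragments: dict, order=None) -> str:
    """Emit one .te: a single policy_module() header followed by the
    fragments in the given order (default: sorted by name).

    A fragment carrying its own policy_module(), or a declaration that also
    appears in another fragment, is rejected here with the fragment name
    rather than later by checkmodule with a line number in the merged file.
    """
    order = list(order) if order else sorted(fragments)
    if set(order) != set(fragments):
        raise ValueError("order must name every fragment")
    for name in order:
        if HEADER_RE.search(fragments[name]):
            raise ValueError(f"{name}: policy_module() belongs to the combined file")
    dups = find_duplicates(fragments)
    if dups:
        detail = ", ".join(f"{k} in {'/'.join(v)}" for k, v in sorted(dups.items()))
        raise ValueError(f"declared more than once: {detail}")
    out = [f"policy_module({module}, {version})", ""]
    for name in order:
        # '#' starts a comment in .te, so the markers survive m4 and checkmodule
        out += [f"######## {name} ########", fragments[name].rstrip("\n"), ""]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(combine("virt", "1.5.0", FRAGMENTS,
                  ["common.te", "virtqemud.te", "virtlogd.te"]))
```

In a build this would run from the custom command that generates virt.pp, so that the merged file is the only thing the refpolicy Makefile sees; the common fragment must come first in the order since the per-daemon fragments reference its types and attributes.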




[PATCH v3 1/3] Add SELinux policy for virt

2021-04-28 Thread Vit Mojzis
From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterfaced (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvzd and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---
 src/security/selinux/virt.fc |  111 ++
 src/security/selinux/virt.if | 1984 
 src/security/selinux/virt.te | 2086 ++
 3 files changed, 4181 insertions(+)
 create mode 100644 src/security/selinux/virt.fc
 create mode 100644 src/security/selinux/virt.if
 create mode 100644 src/security/selinux/virt.te

diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 00..b7a2375ca1
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)?   
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+
+/etc/libvirt   -d  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd\.conf--  
gen_context(system_u:object_r:virtlogd_etc_t,s0)
+/etc/libvirt/[^/]* --  
gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d  
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* 
gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd--  
gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd--  
gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+
+/usr/libexec/libvirt_lxc   --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
+/usr/sbin/libvirtd --  
gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virsh --  
gen_context(system_u:object_r:virsh_exec_t,s0)
+
+/usr/sbin/virtinterfaced   --  
gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
+/usr/sbin/virtlxcd --  
gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/sbin/virtnetworkd --  
gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
+/usr/sbin/virtnodedevd --  
gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
+/usr/sbin/virtnwfilterd--  
gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
+/usr/sbin/virtproxyd   --  
gen_context(system_u:object_r:virtproxyd_exec_t,s0)
+/usr/sbin/virtqemud--  
gen_context(system_u:object_r:virtqemud_exec_t,s0)
+/usr/sbin/virtsecretd  --  
gen_context(system_u:object_r:virtsecretd_exec_t,s0)
+/usr/sbin/virtstoraged --  
gen_context(system_u:object_r:virtstoraged_exec_t,s0)
+/usr/sbin/virtvboxd--  
gen_context(system_u:object_r:virtvboxd_exec_t,s0)
+/usr/sbin/virtvzd  --  
gen_context(system_u:object_r:virtvzd_exec_t,s0)
+/usr/sbin/virtxend --  
gen_context(system_u:object_r:virtxend_exec_t,s0)
+
+/var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+/var/lib/libvirt(/.*)? 
gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)?  
gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)?
gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)?   
gen_context(system_u:object_r:virt_var_lockd_t,s0)
+/var/lib/libvirt/qemu(/.*)?
gen_contex
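Review bot: several labels in virt.fc do not match the commit message and need either a fix or a comment. `/usr/sbin/virtlockd` is labelled `virtlogd_exec_t`, the same type as `/usr/sbin/virtlogd`, so the lock daemon would run in the log daemon's domain; `/usr/sbin/virtlxcd` gets `virtd_lxc_exec_t`, shared with the `/usr/libexec/libvirt_lxc` controller helper, so the driver daemon and the per-container helper share one domain although the message lists virtlxcd as a separately confined driver; and `/usr/sbin/virtvzd` and `/usr/sbin/virtxend` receive dedicated exec types although the message says those daemons have no policy yet and run in unconfined_domain, so say where `virtvzd_exec_t` and `virtxend_exec_t` are declared and which domain they transition to, or leave those entries out until the policy exists.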

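Added example (mine, not the patch's or libvirt's code): a parser for the file-context format used by virt.fc above, with a lookup that returns the label the most specific matching entry assigns to a path, which is what decides the outcome when entries such as HOME_DIR/\.libvirt(/.*)? and HOME_DIR/\.libvirt/qemu(/.*)? both match. SAMPLE_FC is a subset of the patch's entries re-joined onto one line each (the archive wrapped them); the specificity rule is my summary of the ordering fc_sort and libsemanage apply (literal specs before regexes, then longer stems, then longer specs, then specs naming an object class), and HOME_DIR is expanded to a single directory here rather than per user as genhomedircon does.

```python
"""Parse SELinux file-context (.fc) entries and resolve a path to its label."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the virt.fc entries from the patch, one entry
# per line as the real file is laid out (the list archive wrapped them).
SAMPLE_FC = r"""
HOME_DIR/\.libvirt(/.*)?         gen_context(system_u:object_r:virt_home_t,s0)
HOME_DIR/\.libvirt/qemu(/.*)?    gen_context(system_u:object_r:svirt_home_t,s0)
/etc/libvirt                 -d  gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/virtlogd\.conf  --  gen_context(system_u:object_r:virtlogd_etc_t,s0)
/etc/libvirt/[^/]*           --  gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]*           -d  gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/libvirt/.*/.*               gen_context(system_u:object_r:virt_etc_rw_t,s0)
/usr/sbin/libvirtd           --  gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd          --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
/var/lib/libvirt(/.*)?           gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)?    gen_context(system_u:object_r:virt_image_t,s0)
/var/cache/libvirt(/.*)?         gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
"""

ENTRY_RE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
                      r"(?P<ctx>gen_context\([^)]*\)|<<none>>)$")
CTX_RE = re.compile(r"gen_context\((\w+):(\w+):(\w+),([^)]*)\)")
META = set(".^$?*+|[({")   # regex metacharacters; '\' escapes the next char


@dataclass
class FcEntry:
    regex: str              # path regex with HOME_DIR already expanded
    ftype: Optional[str]    # "--", "-d", ... or None for "any object class"
    context: Optional[str]  # "user:role:type:level", or None for <<none>>
    index: int              # position in the file, last-resort tie-breaker

    def has_meta(self) -> bool:
        i = 0
        while i < len(self.regex):
            if self.regex[i] == "\\":
                i += 2
                continue
            if self.regex[i] in META:
                return True
            i += 1
        return False

    def stem(self) -> str:
        # Literal directory prefix: up to the first metacharacter or escape,
        # cut back to the last '/'.
        for i, c in enumerate(self.regex):
            if c in META or c == "\\":
                return self.regex[:i].rpartition("/")[0]
        return self.regex.rpartition("/")[0]

    def specificity(self) -> tuple:
        # My summary of the fc_sort ordering: literal specs beat regexes, then
        # longer stems, then longer specs, then specs that name an object class.
        return (not self.has_meta(), len(self.stem()), len(self.regex),
                self.ftype is not None, self.index)


def parse_fc(text: str, home_dir: str) -> list:
    """Parse .fc text. HOME_DIR is expanded to one literal home directory
    (the real build runs genhomedircon, which expands it per user)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable .fc entry: {line!r}")
        ctx = None
        if m["ctx"] != "<<none>>":
            user, role, typ, level = CTX_RE.match(m["ctx"]).groups()
            ctx = f"{user}:{role}:{typ}:{level}"
        regex = m["path"].replace("HOME_DIR", re.escape(home_dir))
        entries.append(FcEntry(regex, m["ftype"], ctx, len(entries)))
    return entries


def lookup(entries: list, path: str, ftype: str = "--") -> Optional[str]:
    """Context assigned to path by the most specific matching entry, or None."""
    matches = [e for e in entries
               if (e.ftype is None or e.ftype == ftype)
               and re.fullmatch(e.regex, path)]
    return max(matches, key=FcEntry.specificity).context if matches else None


if __name__ == "__main__":
    fc = parse_fc(SAMPLE_FC, "/home/alice")
    for p, t in [("/var/lib/libvirt/images/vm.qcow2", "--"),
                 ("/etc/libvirt/virtlogd.conf", "--"),
                 ("/etc/libvirt/qemu", "-d"),
                 ("/home/alice/.libvirt/qemu/save", "-d")]:
        print(f"{p:38} {t}  {lookup(fc, p, t)}")
```

The same lookup doubles as a quick self-check on a .fc patch: run it over the paths the daemons actually touch and compare the resulting types with what the .te rules expect, which is how an entry such as /usr/sbin/virtlockd resolving to virtlogd_exec_t shows up before the module is ever loaded.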
Re: [PATCH v2 1/4] Add SELinux policy for virt

2021-04-26 Thread Daniel P . Berrangé
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
> From: Nikola Knazekova 
> 
> SELinux policy was created for:
> 
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
> 
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterfaced (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
> 
> SELinux policy for virtvzd and virtxend has not been created yet, because I 
> wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
> until the AVC messages are reproduced internally and policy for these drivers 
> is made.
> 
> Signed-off-by: Nikola Knazekova 
> ---
>  libvirt.spec.in |   64 ++
>  selinux/virt.fc |  111 +++
>  selinux/virt.if | 1984 
>  selinux/virt.te | 2086 +++
>  4 files changed, 4245 insertions(+)
>  create mode 100644 selinux/virt.fc
>  create mode 100644 selinux/virt.if
>  create mode 100644 selinux/virt.te

I was expecting to see the /etc/selinux/targeted/contexts/ files
that belong to the virt policy included as well.

Also, do we need to make the virt.if file be part of one of
the RPMs ?  flatpak-selinux includes its .if file.

> 
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index f9af330186..9cbdb2c513 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -3,6 +3,13 @@
>  # This spec file assumes you are building on a Fedora or RHEL version
>  # that's still supported by the vendor. It may work on other distros
>  # or versions, but no effort will be made to ensure that going forward.
> +
> +%if 0%{?fedora} > 33 || 0%{?rhel} > 8
> + %global with_selinux 1
> + %global selinuxtype targeted
> + %global modulename virt
> +%endif
> +
>  %define min_rhel 7
>  %define min_fedora 31
>  
> @@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = 
> %{version}-%{release}
>  Requires: libvirt-client = %{version}-%{release}
>  Requires: libvirt-libs = %{version}-%{release}
>  
> +%if 0%{?with_selinux}
> +# This ensures that the *-selinux package and all it’s dependencies are not 
> pulled
> +# into containers and other systems that do not use SELinux
> +Requires: (%{name}-selinux if selinux-policy-base)
> +%endif

This is in the main "libvirt" package which is just an empty shim.

I think we'll need it in the "libvirt-daemon" package instead to
start off with.

> +%if 0%{?with_selinux}
> +# SELinux subpackage
> +%package selinux

s/selinux/daemon-selinux/  since it's only used by the daemons.

> +Summary: Libvirt SELinux policy
> +Requires: selinux-policy-base
> +Requires(post): selinux-policy-base
> +BuildRequires: selinux-policy-devel
> +BuildArch: noarch
> +%{?selinux_requires}
> +
> +%description selinux
> +SELinux policy module for libvirt.
> +%endif




> diff --git a/selinux/virt.te b/selinux/virt.te
> new file mode 100644
> index 00..59dedb8754
> --- /dev/null
> +++ b/selinux/virt.te
> @@ -0,0 +1,2086 @@
> +policy_module(virt, 1.5.0)

Is there some include file syntax we can use with this so
that we can split it up.  I'm not asking you to split it,
but I'll later want to make it have one file for each daemon
and a few files for the common pieces, to make this easier
to manage.


Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [PATCH v2] Add SELinux policy for virt

2021-04-26 Thread Daniel P . Berrangé
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> Sorry for the long delay. This is our first request to ship a policy for
> multiple selinux stores (targeted, mls and minimum).
> 
> Changes:
> * Replace all selinux-policy-%{policytype} dependencies with 
> selinux-policy-base
> * Add Ghost files representing installed policy modules in all policy stores
> * Rewrite policy compilation script in python
> * Compile the policy module twice (1 version for targeted/minimum - with 
>   enable_mcs, and 1 for mls - with enable_mls)
> * Manage policy (un)installation using triggers based on which policy
>   type is available
> 
> The new policy was only tested in "targeted" mode so far and we'll need to 
> make 
> sure it works properly in "mls". As for "minimum", we know it will not
> work properly (as is the case of the current policy) by default (some 
> other "contrib" policy modules need to be enabled).
> I'd argue there is no point trying to get it to work in "minimum",
> mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when
using a modular policy.

Right now you can install RPMs in a container, and use selinux enforcement
on that container because the host OS policy provides all the rules in the
monolithic blob.

If we take this policy into libvirt, then when you install libvirt in a
container, there will be no selinux policy available.

Users can't install libvirt-selinux inside the container, as it needs to be
built against the main policy in the host.

User likely won't install libvirt-selinux outside the container as that
defeats the purpose of using containers for their deployment mechanism.

Container based deployment of libvirt is important for both OpenStack
and KubeVirt.

Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [PATCH v2 1/4] Add SELinux policy for virt

2021-04-26 Thread Daniel P . Berrangé
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
> From: Nikola Knazekova 
> 
> SELinux policy was created for:
> 
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
> 
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterfaced (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
> 
> SELinux policy for virtvzd and virtxend has not been created yet, because I 
> wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
> until the AVC messages are reproduced internally and policy for these drivers 
> is made.
> 
> Signed-off-by: Nikola Knazekova 
> ---
>  libvirt.spec.in |   64 ++

I'd suggest just removing these parts of the patch, since
we're changing it again twice in later patches.

Just add the RPM spec changes at the time you add the meson
build rules.

This patch can just be the policy file import

>  selinux/virt.fc |  111 +++
>  selinux/virt.if | 1984 
>  selinux/virt.te | 2086 +++

Put these into $GIT/src/security/selinux, since that's alongside
where we store the apparmor policy.

Regards,
Daniel
-- 
|: https://berrange.com  -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|



Re: [PATCH v2] Add SELinux policy for virt

2021-04-26 Thread Daniel P . Berrangé
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> Sorry for the long delay. This is our first request to ship a policy for
> multiple selinux stores (targeted, mls and minimum).
> 
> Changes:
> * Replace all selinux-policy-%{policytype} dependencies with 
> selinux-policy-base
> * Add Ghost files representing installed policy modules in all policy stores
> * Rewrite policy compilation script in python
> * Compile the policy module twice (1 version for targeted/minimum - with 
>   enable_mcs, and 1 for mls - with enable_mls)
> * Manage policy (un)installation using triggers based on which policy
>   type is available
> 
> The new policy was only tested in "targeted" mode so far and we'll need to 
> make 
> sure it works properly in "mls". As for "minimum", we know it will not
> work properly (as is the case of the current policy) by default (some 
> other "contrib" policy modules need to be enabled).
> I'd argue there is no point trying to get it to work in "minimum",
> mostly because it (minimum) will be retired soon.

Running a build with this series causes a tonne of warning messages
on the console:

[1310/1319] Generating virt.pp with a custom command
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate 
definition of container_runtime_domtrans(). Original definition on 13.
/usr/share/selinux/devel/include/services/container.if:40: Error: duplicate 
definition of container_runtime_run(). Original definition on 40.
/usr/share/selinux/devel/include/services/container.if:61: Error: duplicate 
definition of container_runtime_exec(). Original definition on 61.
/usr/share/selinux/devel/include/services/container.if:80: Error: duplicate 
definition of container_read_state(). Original definition on 80.
/usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98.
/usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117.
/usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136.
/usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155.
/usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176.
/usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197.
/usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218.
/usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238.
/usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256.
/usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275.
/usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295.
/usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314.
/usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332.
/usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368.
/usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386.
/usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405.
/usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430.
/usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449.
/usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467.
/usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485.
/usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549.
/usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original

[PATCH v2 1/4] Add SELinux policy for virt

2021-04-07 Thread Vit Mojzis
From: Nikola Knazekova 

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---
 libvirt.spec.in |   64 ++
 selinux/virt.fc |  111 +++
 selinux/virt.if | 1984 
 selinux/virt.te | 2086 +++
 4 files changed, 4245 insertions(+)
 create mode 100644 selinux/virt.fc
 create mode 100644 selinux/virt.if
 create mode 100644 selinux/virt.te

diff --git a/libvirt.spec.in b/libvirt.spec.in
index f9af330186..9cbdb2c513 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -3,6 +3,13 @@
 # This spec file assumes you are building on a Fedora or RHEL version
 # that's still supported by the vendor. It may work on other distros
 # or versions, but no effort will be made to ensure that going forward.
+
+%if 0%{?fedora} > 33 || 0%{?rhel} > 8
+   %global with_selinux 1
+   %global selinuxtype targeted
+   %global modulename virt
+%endif
+
 %define min_rhel 7
 %define min_fedora 31
 
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = 
%{version}-%{release}
 Requires: libvirt-client = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
 
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not 
pulled
+# into containers and other systems that do not use SELinux
+Requires: (%{name}-selinux if selinux-policy-base)
+%endif
+
 # All build-time requirements. Run-time requirements are
 # listed against each sub-RPM
 %if 0%{?rhel} == 7
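Review bot: the comment above the rich dependency has a typo, `all it’s dependencies` should read `all its dependencies`, and it uses a curly apostrophe where the rest of the spec comments are ASCII. The dependency itself, `Requires: (%{name}-selinux if selinux-policy-base)`, looks right: `selinux-policy-base` is provided by each of the policy store packages, so the subpackage is pulled in only on hosts that have some SELinux policy installed, which is what the comment promises.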
@@ -982,6 +995,19 @@ Requires: libvirt-daemon-driver-network = 
%{version}-%{release}
 %description nss
 Libvirt plugin for NSS for translating domain names into IP addresses.
 
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: Libvirt SELinux policy
+Requires: selinux-policy-base
+Requires(post): selinux-policy-base
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+SELinux policy module for libvirt.
+%endif
 
 %prep
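Review bot: the explicit `Requires: selinux-policy-base` and `Requires(post): selinux-policy-base` overlap with `%{?selinux_requires}`, which (as defined by the selinux-policy-devel macros) already adds the run-time dependencies on selinux-policy, selinux-policy-base, libselinux-utils and policycoreutils with a minimum policy version; keep one or the other, otherwise the version pin the macro carries is easy to overlook. `BuildRequires: selinux-policy-devel` is needed by the `make -f %{_datadir}/selinux/devel/Makefile` step in %build and applies to the whole spec no matter where it is written, so it reads better next to the other BuildRequires lines than inside `%package selinux`.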
 
@@ -1213,6 +1239,14 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' 
%{_specdir}/%{name}.spec)
%{?arg_login_shell}
 
 %meson_build
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+cd selinux
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
 
 %install
 rm -fr %{buildroot}
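Review bot: `cd selinux` changes the working directory for the remainder of %build and never returns; today only `%endif` follows, but the next line anyone appends to %build will silently run from `selinux/`. Run the step in a subshell, `(cd selinux && make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp && bzip2 -9 %{modulename}.pp)`, or pass `-C selinux` to make. The comment "this policy module will override the production module" would also help readers more if it named what it overrides (the `virt` module shipped by selinux-policy, per the line above it).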
@@ -1297,6 +1331,10 @@ mv 
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
 %endif
 %endif
 
+%if 0%{?with_selinux}
+install -D -m 0644 selinux/%{modulename}.pp.bz2 
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%endif
+
 %check
 # Building on slow archs, like emulated s390x in Fedora copr, requires
 # raising the test timeout
@@ -1505,6 +1543,24 @@ getent group virtlogin >/dev/null || groupadd -r 
virtlogin
 exit 0
 %endif
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} 
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+%endif
+
 %files
 
 %files docs
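Review bot: after `%selinux_modules_uninstall` in `%postun` nothing relabels the files this module had labelled (the `virt_home_t` and `svirt_home_t` paths from virt.fc, for instance) back to the contexts of the base policy, so they keep a type the loaded policy no longer knows; add `%selinux_relabel_post -s %{selinuxtype}` inside the same `if [ $1 -eq 0 ]` block. The body of that `if` is also unindented, unlike the `%global` lines at the top of the patch.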
@@ -1971,5 +2027,13 @@ exit 0
 %{_datadir}/libvirt/api/libvirt-qemu-api.xml
 %{_datadir}/libvirt/api/libvirt-lxc-api.xml
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{modulename}.pp.*
+%ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename}
+%ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename}
+%ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename}
+%endif
+
 
 %changelog
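Review bot: the `%files selinux` entry `%{_datadir}/selinux/packages/%{modulename}.pp.*` does not match where %install placed the module, `%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2`, which is also the path `%post` loads; rpmbuild will report the listed file missing from the build root and the installed one as unpackaged. Restore the `%{selinuxtype}` component. The three `%ghost` entries claim the module in the targeted, minimum and mls stores, but `%post` installs it only into `%{selinuxtype}`, which is fixed to `targeted`, so the minimum and mls ghosts never correspond to an installed module; either install into every store that is present or ghost only `%{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}`.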
diff --git a/selinux/virt.fc b/selinux/virt.fc
new file mode 100644
index 00..b7a2375ca1
--- /dev/null
+++ b/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_c

[PATCH v2] Add SELinux policy for virt

2021-04-07 Thread Vit Mojzis
Sorry for the long delay. This is our first request to ship a policy for
multiple selinux stores (targeted, mls and minimum).

Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with 
  enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy
  type is available

The new policy was only tested in "targeted" mode so far and we'll need to make 
sure it works properly in "mls". As for "minimum", we know it will not
work properly (as is the case of the current policy) by default (some 
other "contrib" policy modules need to be enabled).
I'd argue there is no point trying to get it to work in "minimum",
mostly because it (minimum) will be retired soon.




[PATCH 1/3] Add SELinux policy for virt

2021-03-10 Thread Nikola Knazekova
SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages. These drivers run in unconfined_domain 
until the AVC messages are reproduced internally and policy for these drivers 
is made.

Signed-off-by: Nikola Knazekova 
---
 libvirt.spec.in |   62 ++
 selinux/virt.fc |  111 +++
 selinux/virt.if | 1984 
 selinux/virt.te | 2086 +++
 4 files changed, 4243 insertions(+)
 create mode 100644 selinux/virt.fc
 create mode 100644 selinux/virt.if
 create mode 100644 selinux/virt.te

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 8d8b900fbb..db08d91043 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -3,6 +3,13 @@
 # This spec file assumes you are building on a Fedora or RHEL version
 # that's still supported by the vendor. It may work on other distros
 # or versions, but no effort will be made to ensure that going forward.
+
+%if 0%{?fedora} > 33 || 0%{?rhel} > 8
+   %global with_selinux 1
+   %global selinuxtype targeted
+   %global modulename virt
+%endif
+
 %define min_rhel 7
 %define min_fedora 31
 
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = 
%{version}-%{release}
 Requires: libvirt-client = %{version}-%{release}
 Requires: libvirt-libs = %{version}-%{release}
 
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not 
pulled
+# into containers and other systems that do not use SELinux
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 # All build-time requirements. Run-time requirements are
 # listed against each sub-RPM
 %if 0%{?rhel} == 7
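Review bot: `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` with `selinuxtype` fixed to `targeted` means hosts running the mls or minimum store never pull in the subpackage, although the policy is intended for those stores as well; conditioning on `selinux-policy-base`, which every store package provides, covers all of them. The comment has the same `it’s` for `its` typo as the rest of the series.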
@@ -983,6 +996,19 @@ Requires: libvirt-daemon-driver-network = 
%{version}-%{release}
 %description nss
 Libvirt plugin for NSS for translating domain names into IP addresses.
 
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: Libvirt SELinux policy
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+SELinux policy module for libvirt.
+%endif
 
 %prep
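Review bot: `Requires: selinux-policy-%{selinuxtype}` and `Requires(post): selinux-policy-%{selinuxtype}` hard-wire the subpackage to the targeted policy package, so it cannot be installed on an mls host at all, and both duplicate what `%{?selinux_requires}` already declares; depending on `selinux-policy-base` instead, or only on the macro, avoids both problems.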
 
@@ -1214,6 +1240,14 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' 
%{_specdir}/%{name}.spec)
%{?arg_login_shell}
 
 %meson_build
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+cd selinux
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
 
 %install
 rm -fr %{buildroot}
@@ -1298,6 +1332,10 @@ mv 
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
 %endif
 %endif
 
+%if 0%{?with_selinux}
+install -D -m 0644 selinux/%{modulename}.pp.bz2 
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%endif
+
 %check
 # Building on slow archs, like emulated s390x in Fedora copr, requires
 # raising the test timeout
@@ -1506,6 +1544,24 @@ getent group virtlogin >/dev/null || groupadd -r 
virtlogin
 exit 0
 %endif
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} 
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+%endif
+
 %files
 
 %files docs
@@ -1972,5 +2028,11 @@ exit 0
 %{_datadir}/libvirt/api/libvirt-qemu-api.xml
 %{_datadir}/libvirt/api/libvirt-lxc-api.xml
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost 
%{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 
 %changelog
diff --git a/selinux/virt.fc b/selinux/virt.fc
new file mode 100644
index 00..b7a2375ca1
--- /dev/null
+++ b/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)?   
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)?  
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? 
gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)?
gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)?
gen_context(system_u:object_r:virt_hom

Add SELinux policy for Virt

2021-03-10 Thread Nikola Knazekova


Hi,

I created an SELinux policy for Libvirt drivers as part of the Decentralized SELinux 
Policy (DSP) project.
The DSP guidelines are available at: 
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Discussion about the first version of SELinux policy for Libvirt is available 
on gitlab:
https://gitlab.com/libvirt/libvirt/-/merge_requests/65

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet, because I 
wasn't able to reproduce AVC messages.
These drivers run in unconfined_domain until the AVC messages are reproduced 
internally and policy for these drivers is made.

Can you please look at it?

Thanks

Nikola