On Wed, Apr 28, 2021 at 10:54:58AM +0200, Vit Mojzis wrote:
>
> On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:
> > On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
> > > Sorry for the long delay. This is our first request to ship a policy for
> > > multiple selinux stores (targeted, mls and minimum).
> > >
> > > Changes:
> > > * Replace all selinux-policy-%{policytype} dependencies with
> > > selinux-policy-base
> > > * Add Ghost files representing installed policy modules in all policy
> > > stores
> > > * Rewrite policy compilation script in python
> > > * Compile the policy module twice (1 version for targeted/minimum - with
> > > enable_mcs, and 1 for mls - with enable_mls)
> > > * Manage policy (un)installation using triggers based on which policy
> > > type is available
> > >
> > > The new policy was only tested in "targeted" mode so far and we'll need
> > > to make
> > > sure it works properly in "mls". As for "minimum", we know it will not
> > > work properly (as is the case of the current policy) by default (some
> > > other "contrib" policy modules need to be enabled).
> > > I'd argue there is no point trying to get it to work in "minimum",
> > > mostly because it (minimum) will be retired soon.
> > Running a build with this series causes a tonne of warning messages
> > on the console:
> >
> > [1310/1319] Generating virt.pp with a custom command
> > /usr/share/selinux/devel/include/services/container.if:13: Error: duplicate
> > definition of container_runtime_domtrans(). Original definition on 13.
> > /usr/share/selinux/devel/include/services/container.if:40: Error: duplicate
> > definition of container_runtime_run(). Original definition on 40.
> > /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate
> > definition of container_runtime_exec(). Original definition on 61.
> > /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate
> > definition of container_read_state(). Original definition on 80.
> > /usr/share/selinux/devel/include/services/container.if:98: Error: duplicate
> > definition of container_search_lib(). Original definition on 98.
> > /usr/share/selinux/devel/include/services/container.if:117: Error:
> > duplicate definition of container_exec_lib(). Original definition on 117.
> > /usr/share/selinux/devel/include/services/container.if:136: Error:
> > duplicate definition of container_read_lib_files(). Original definition on
> > 136.
> > /usr/share/selinux/devel/include/services/container.if:155: Error:
> > duplicate definition of container_read_share_files(). Original definition
> > on 155.
> > /usr/share/selinux/devel/include/services/container.if:176: Error:
> > duplicate definition of container_runtime_read_tmpfs_files(). Original
> > definition on 176.
> > /usr/share/selinux/devel/include/services/container.if:197: Error:
> > duplicate definition of container_manage_share_files(). Original definition
> > on 197.
> > /usr/share/selinux/devel/include/services/container.if:218: Error:
> > duplicate definition of container_manage_share_dirs(). Original definition
> > on 218.
> > /usr/share/selinux/devel/include/services/container.if:238: Error:
> > duplicate definition of container_exec_share_files(). Original definition
> > on 238.
> > /usr/share/selinux/devel/include/services/container.if:256: Error:
> > duplicate definition of container_manage_config_files(). Original
> > definition on 256.
> > /usr/share/selinux/devel/include/services/container.if:275: Error:
> > duplicate definition of container_manage_lib_files(). Original definition
> > on 275.
> > /usr/share/selinux/devel/include/services/container.if:295: Error:
> > duplicate definition of container_manage_files(). Original definition on
> > 295.
> > /usr/share/selinux/devel/include/services/container.if:314: Error:
> > duplicate definition of container_manage_dirs(). Original definition on 314.
> > /usr/share/selinux/devel/include/services/container.if:332: Error:
> > duplicate definition of container_manage_lib_dirs(). Original definition on
> > 332.
> > /usr/share/selinux/devel/include/services/container.if:368: Error:
> > duplicate definition of container_lib_filetrans(). Original definition on
> > 368.
> > /usr/share/selinux/devel/include/services/container.if:386: Error:
> > duplicate definition of container_read_pid_files(). Original definition on
> > 386.
> > /usr/share/selinux/devel/include/services/container.if:405: Error:
> > duplicate definition of container_systemctl(). Original definition on 405.
> > /usr/share/selinux/devel/include/services/container.if:430: Error:
> > duplicate definition of container_rw_sem(). Original definition on 430.
> > /usr/share/selinux/devel/include/services/container.if:449: Error:
> > duplicate definition of container_append_file(). Original definition on 449.
> > /usr/share/selinux/devel/include/services/container.if:467: Error:
> > duplicate definition of container_use_ptys(). Original definition on 467.
> > /usr/share/selinux/devel/include/services/container.if:485: Error:
> > duplicate definition of container_filetrans_named_content(). Original
> > definition on 485.
> > /usr/share/selinux/devel/include/services/container.if:549: Error:
> > duplicate definition of container_stream_connect(). Original definition on
> > 549.
> > /usr/share/selinux/devel/include/services/container.if:570: Error:
> > duplicate definition of container_spc_stream_connect(). Original definition
> > on 570.
> > /usr/share/selinux/devel/include/services/container.if:591: Error:
> > duplicate definition of container_admin(). Original definition on 591.
> > /usr/share/selinux/devel/include/services/container.if:638: Error:
> > duplicate definition of container_auth_domtrans(). Original definition on
> > 638.
> > /usr/share/selinux/devel/include/services/container.if:657: Error:
> > duplicate definition of container_auth_exec(). Original definition on 657.
> > /usr/share/selinux/devel/include/services/container.if:676: Error:
> > duplicate definition of container_auth_stream_connect(). Original
> > definition on 676.
> > /usr/share/selinux/devel/include/services/container.if:695: Error:
> > duplicate definition of container_runtime_typebounds(). Original definition
> > on 695.
> > /usr/share/selinux/devel/include/services/container.if:714: Error:
> > duplicate definition of container_runtime_entrypoint(). Original definition
> > on 714.
> > /usr/share/selinux/devel/include/services/container.if:721: Error:
> > duplicate definition of docker_exec_lib(). Original definition on 721.
> > /usr/share/selinux/devel/include/services/container.if:725: Error:
> > duplicate definition of docker_read_share_files(). Original definition on
> > 725.
> > /usr/share/selinux/devel/include/services/container.if:729: Error:
> > duplicate definition of docker_exec_share_files(). Original definition on
> > 729.
> > /usr/share/selinux/devel/include/services/container.if:733: Error:
> > duplicate definition of docker_manage_lib_files(). Original definition on
> > 733.
> > /usr/share/selinux/devel/include/services/container.if:738: Error:
> > duplicate definition of docker_manage_lib_dirs(). Original definition on
> > 738.
> > /usr/share/selinux/devel/include/services/container.if:742: Error:
> > duplicate definition of docker_lib_filetrans(). Original definition on 742.
> > /usr/share/selinux/devel/include/services/container.if:746: Error:
> > duplicate definition of docker_read_pid_files(). Original definition on 746.
> > /usr/share/selinux/devel/include/services/container.if:750: Error:
> > duplicate definition of docker_systemctl(). Original definition on 750.
> > /usr/share/selinux/devel/include/services/container.if:754: Error:
> > duplicate definition of docker_use_ptys(). Original definition on 754.
> > /usr/share/selinux/devel/include/services/container.if:758: Error:
> > duplicate definition of docker_stream_connect(). Original definition on 758.
> > /usr/share/selinux/devel/include/services/container.if:762: Error:
> > duplicate definition of docker_spc_stream_connect(). Original definition on
> > 762.
> > /usr/share/selinux/devel/include/services/container.if:776: Error:
> > duplicate definition of container_spc_read_state(). Original definition on
> > 776.
> > /usr/share/selinux/devel/include/services/container.if:795: Error:
> > duplicate definition of container_runtime_domain_template(). Original
> > definition on 795.
> > /usr/share/selinux/devel/include/services/container.if:833: Error:
> > duplicate definition of container_domain_template(). Original definition on
> > 833.
> > /usr/share/selinux/devel/include/services/container.if:861: Error:
> > duplicate definition of container_spc_rw_pipes(). Original definition on
> > 861.
> > ../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc().
> > Original definition on 13.
> > ../selinux/virt.if:29: Error: duplicate definition of
> > virt_stub_svirt_sandbox_domain(). Original definition on 29.
> > ../selinux/virt.if:45: Error: duplicate definition of
> > virt_stub_container_image(). Original definition on 45.
> > ../selinux/virt.if:51: Error: duplicate definition of
> > virt_stub_svirt_sandbox_file(). Original definition on 51.
> > ../selinux/virt.if:69: Error: duplicate definition of
> > virt_domain_template(). Original definition on 69.
> > ../selinux/virt.if:206: Error: duplicate definition of virt_image().
> > Original definition on 112.
> > ../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec().
> > Original definition on 134.
> > ../selinux/virt.if:248: Error: duplicate definition of virt_domtrans().
> > Original definition on 152.
> > ../selinux/virt.if:266: Error: duplicate definition of virt_exec().
> > Original definition on 170.
> > ../selinux/virt.if:286: Error: duplicate definition of
> > virt_stream_connect(). Original definition on 205.
> > ../selinux/virt.if:328: Error: duplicate definition of
> > virt_stream_connect_svirt(). Original definition on 224.
> > ../selinux/virt.if:348: Error: duplicate definition of
> > virt_rw_stream_sockets_svirt(). Original definition on 244.
> > ../selinux/virt.if:366: Error: duplicate definition of
> > virt_attach_tun_iface(). Original definition on 262.
> > ../selinux/virt.if:387: Error: duplicate definition of
> > virt_attach_sandbox_tun_iface(). Original definition on 281.
> > ../selinux/virt.if:406: Error: duplicate definition of virt_read_config().
> > Original definition on 300.
> > ../selinux/virt.if:427: Error: duplicate definition of
> > virt_manage_config(). Original definition on 321.
> > ../selinux/virt.if:448: Error: duplicate definition of
> > virt_getattr_content(). Original definition on 342.
> > ../selinux/virt.if:466: Error: duplicate definition of virt_read_content().
> > Original definition on 360.
> > ../selinux/virt.if:504: Error: duplicate definition of
> > virt_write_content(). Original definition on 398.
> > ../selinux/virt.if:522: Error: duplicate definition of
> > virt_read_pid_symlinks(). Original definition on 416.
> > ../selinux/virt.if:543: Error: duplicate definition of
> > virt_read_pid_files(). Original definition on 435.
> > ../selinux/virt.if:566: Error: duplicate definition of
> > virt_manage_pid_dirs(). Original definition on 455.
> > ../selinux/virt.if:590: Error: duplicate definition of
> > virt_manage_pid_files(). Original definition on 477.
> > ../selinux/virt.if:630: Error: duplicate definition of
> > virt_pid_filetrans(). Original definition on 515.
> > ../selinux/virt.if:650: Error: duplicate definition of virt_search_lib().
> > Original definition on 533.
> > ../selinux/virt.if:669: Error: duplicate definition of
> > virt_read_lib_files(). Original definition on 552.
> > ../selinux/virt.if:690: Error: duplicate definition of
> > virt_dontaudit_read_lib_files(). Original definition on 573.
> > ../selinux/virt.if:709: Error: duplicate definition of
> > virt_manage_lib_files(). Original definition on 592.
> > ../selinux/virt.if:729: Error: duplicate definition of virt_read_log().
> > Original definition on 612.
> > ../selinux/virt.if:749: Error: duplicate definition of virt_append_log().
> > Original definition on 632.
> > ../selinux/virt.if:768: Error: duplicate definition of virt_manage_log().
> > Original definition on 651.
> > ../selinux/virt.if:788: Error: duplicate definition of
> > virt_getattr_images(). Original definition on 671.
> > ../selinux/virt.if:807: Error: duplicate definition of
> > virt_search_images(). Original definition on 690.
> > ../selinux/virt.if:826: Error: duplicate definition of virt_read_images().
> > Original definition on 709.
> > ../selinux/virt.if:863: Error: duplicate definition of
> > virt_read_blk_images(). Original definition on 746.
> > ../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files().
> > Original definition on 764.
> > ../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache().
> > Original definition on 783.
> > ../selinux/virt.if:921: Error: duplicate definition of
> > virt_manage_images(). Original definition on 804.
> > ../selinux/virt.if:946: Error: duplicate definition of
> > virt_manage_default_image_type(). Original definition on 829.
> > ../selinux/virt.if:986: Error: duplicate definition of virt_systemctl().
> > Original definition on 851.
> > ../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace().
> > Original definition on 875.
> > ../selinux/virt.if:1028: Error: duplicate definition of
> > virt_exec_sandbox_files(). Original definition on 893.
> > ../selinux/virt.if:1047: Error: duplicate definition of
> > virt_sandbox_entrypoint(). Original definition on 912.
> > ../selinux/virt.if:1064: Error: duplicate definition of
> > virt_list_sandbox_dirs(). Original definition on 929.
> > ../selinux/virt.if:1082: Error: duplicate definition of
> > virt_read_sandbox_files(). Original definition on 947.
> > ../selinux/virt.if:1102: Error: duplicate definition of
> > virt_manage_sandbox_files(). Original definition on 967.
> > ../selinux/virt.if:1125: Error: duplicate definition of
> > virt_getattr_sandbox_filesystem(). Original definition on 990.
> > ../selinux/virt.if:1143: Error: duplicate definition of
> > virt_relabel_sandbox_filesystem(). Original definition on 1008.
> > ../selinux/virt.if:1161: Error: duplicate definition of
> > virt_mounton_sandbox_file(). Original definition on 1026.
> > ../selinux/virt.if:1179: Error: duplicate definition of
> > virt_stream_connect_sandbox(). Original definition on 1044.
> > ../selinux/virt.if:1207: Error: duplicate definition of
> > virt_transition_svirt(). Original definition on 1072.
> > ../selinux/virt.if:1241: Error: duplicate definition of
> > virt_dontaudit_write_pipes(). Original definition on 1106.
> > ../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt().
> > Original definition on 1125.
> > ../selinux/virt.if:1278: Error: duplicate definition of virt_kill().
> > Original definition on 1143.
> > ../selinux/virt.if:1298: Error: duplicate definition of virt_signal().
> > Original definition on 1161.
> > ../selinux/virt.if:1318: Error: duplicate definition of virt_signull().
> > Original definition on 1179.
> > ../selinux/virt.if:1338: Error: duplicate definition of
> > virt_signal_svirt(). Original definition on 1197.
> > ../selinux/virt.if:1356: Error: duplicate definition of
> > virt_signal_sandbox(). Original definition on 1215.
> > ../selinux/virt.if:1374: Error: duplicate definition of
> > virt_manage_home_files(). Original definition on 1233.
> > ../selinux/virt.if:1394: Error: duplicate definition of
> > virt_read_tmpfs_files(). Original definition on 1253.
> > ../selinux/virt.if:1413: Error: duplicate definition of
> > virt_manage_tmpfs_files(). Original definition on 1272.
> > ../selinux/virt.if:1432: Error: duplicate definition of
> > virt_filetrans_home_content(). Original definition on 1291.
> > ../selinux/virt.if:1462: Error: duplicate definition of
> > virt_dontaudit_read_chr_dev(). Original definition on 1321.
> > ../selinux/virt.if:1518: Error: duplicate definition of
> > virt_sandbox_domain_template(). Original definition on 1340.
> > ../selinux/virt.if:1550: Error: duplicate definition of
> > virt_sandbox_domain(). Original definition on 1372.
> > ../selinux/virt.if:1568: Error: duplicate definition of
> > virt_sandbox_net_domain(). Original definition on 1390.
> > ../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu().
> > Original definition on 1409.
> > ../selinux/virt.if:1623: Error: duplicate definition of
> > virt_filetrans_named_content(). Original definition on 1427.
> > ../selinux/virt.if:1651: Error: duplicate definition of
> > virt_transition_svirt_sandbox(). Original definition on 1455.
> > ../selinux/virt.if:1676: Error: duplicate definition of
> > virt_sandbox_read_state(). Original definition on 1480.
> > ../selinux/virt.if:1694: Error: duplicate definition of
> > virt_rw_svirt_dev(). Original definition on 1498.
> > ../selinux/virt.if:1712: Error: duplicate definition of
> > virt_rw_svirt_image(). Original definition on 1516.
> > ../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh().
> > Original definition on 1534.
> > ../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure().
> > Original definition on 1552.
> > ../selinux/virt.if:1773: Error: duplicate definition of virt_admin().
> > Original definition on 1577.
> > ../selinux/virt.if:1820: Error: duplicate definition of
> > virt_default_capabilities(). Original definition on 1622.
> > ../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat().
> > Original definition on 1642.
> > ../selinux/virt.if:1879: Error: duplicate definition of
> > virt_sandbox_domtrans(). Original definition on 1678.
> > ../selinux/virt.if:1897: Error: duplicate definition of
> > virt_dontaudit_read_state(). Original definition on 1696.
> > ../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send().
> > Original definition on 1716.
> > ../selinux/virt.if:1956: Error: duplicate definition of
> > virt_svirt_manage_tmp(). Original definition on 1735.
>
> Those are expected as long as there is still a virt.if interface file shipped
> by selinux-policy-* packages (we'll probably change the tone to Warning
> instead of Error in the future). Unfortunately they add up (you can see
> container-selinux messages as well).
>
> I can hide them in the compilation script if you prefer that.
Yes, we definitely need to hide these if they're going to happen every
time any developer builds libvirt. We need to /not/ hide any other
real error messages though.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
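A filter of the kind Daniel asks for, as an added example that is not code from the libvirt tree or from the series under review: it suppresses only the "duplicate definition" diagnostics for the interface files the thread says are currently shipped twice (virt.if, container.if) and passes every other line through untouched. The sample lines are constructed from the messages quoted above plus a made-up non-duplicate error; the allowlist and the function names are assumptions.

```python
import re
import sys
from typing import Iterable, List, Tuple

# One "duplicate definition" diagnostic as emitted on a single line, e.g.
# "../selinux/virt.if:206: Error: duplicate definition of virt_image().
#  Original definition on 112."
DUPLICATE_DEF_RE = re.compile(
    r"^(?P<path>\S+?):(?P<line>\d+): Error: duplicate definition of "
    r"(?P<name>\w+)\(\)\. Original definition on (?P<orig>\d+)\.$"
)

# Interface files known to be present twice during the build (the copy from
# selinux-policy-* under /usr/share/selinux/devel/include and libvirt's own).
# Assumed allowlist: duplicates from any other file are treated as real errors.
EXPECTED_DUPLICATE_FILES = frozenset({"virt.if", "container.if"})


def is_expected_duplicate(line: str, expected_files=EXPECTED_DUPLICATE_FILES) -> bool:
    """True only for a duplicate-definition message about an allowlisted file."""
    m = DUPLICATE_DEF_RE.match(line.rstrip("\n"))
    if not m:
        return False
    basename = m.group("path").rsplit("/", 1)[-1]
    return basename in expected_files


def filter_policy_output(lines: Iterable[str],
                         expected_files=EXPECTED_DUPLICATE_FILES) -> Tuple[List[str], int]:
    """Return (lines worth showing, count of suppressed expected duplicates)."""
    kept: List[str] = []
    suppressed = 0
    for line in lines:
        if is_expected_duplicate(line, expected_files):
            suppressed += 1
        else:
            kept.append(line)
    return kept, suppressed


# Constructed sample: two expected duplicates, one unrelated error, and one
# duplicate from a file that is NOT on the allowlist (must not be hidden).
SAMPLE_OUTPUT = [
    "/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate "
    "definition of container_runtime_domtrans(). Original definition on 13.",
    "../selinux/virt.if:206: Error: duplicate definition of virt_image(). "
    "Original definition on 112.",
    "../selinux/virt.te:42: Error: syntax error",  # constructed real error
    "../selinux/other.if:7: Error: duplicate definition of other_foo(). "
    "Original definition on 3.",  # constructed, not allowlisted
]

if __name__ == "__main__":
    # Usable as a pipe on the policy build's stderr from the compile script.
    shown, hidden = filter_policy_output(sys.stdin)
    sys.stderr.writelines(shown)
    if hidden:
        sys.stderr.write(f"(suppressed {hidden} expected duplicate-definition messages)\n")
```

Keeping the suppressed count as a single summary line means the noise is still visible as one number rather than hundreds of lines, while anything the filter does not recognise still reaches the developer.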