On Fri, Aug 06, 2021 at 06:47:58PM +0100, Daniel P. Berrangé wrote:
> From: Nikola Knazekova <nknaz...@redhat.com>
>
> SELinux policy was created for:
>
> Hypervisor drivers:
> - virtqemud (QEMU/KVM)
> - virtlxcd (LXC)
> - virtvboxd (VirtualBox)
>
> Secondary drivers:
> - virtstoraged (host storage mgmt)
> - virtnetworkd (virtual network mgmt)
> - virtinterface (network interface mgmt)
> - virtnodedevd (physical device mgmt)
> - virtsecretd (security credential mgmt)
> - virtnwfilterd (ip[6]tables/ebtables mgmt)
> - virtproxyd (proxy daemon)
>
> SELinux policy for virtvzd and virtxend has not been created yet,
> because I wasn't able to reproduce AVC messages. These drivers
> run in unconfined_domain until the AVC messages are reproduced
> internally and policy for these drivers is made.
>
> Signed-off-by: Nikola Knazekova <nknaz...@redhat.com>
> ---
> src/security/selinux/virt.fc | 111 ++
> src/security/selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++
> src/security/selinux/virt.te | 2078 ++++++++++++++++++++++++++++++++++
> 3 files changed, 4173 insertions(+)
> create mode 100644 src/security/selinux/virt.fc
> create mode 100644 src/security/selinux/virt.if
> create mode 100644 src/security/selinux/virt.te
>
> diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
> new file mode 100644
> index 0000000000..554e1094d9
> --- /dev/null
> +++ b/src/security/selinux/virt.fc
> @@ -0,0 +1,111 @@ > +HOME_DIR/\.libvirt(/.*)? > gen_context(system_u:object_r:virt_home_t,s0) > +HOME_DIR/\.libvirt/qemu(/.*)? > gen_context(system_u:object_r:svirt_home_t,s0) > +HOME_DIR/\.cache/libvirt(/.*)? > gen_context(system_u:object_r:virt_home_t,s0) > +HOME_DIR/\.cache/libvirt/qemu(/.*)? > gen_context(system_u:object_r:svirt_home_t,s0) > +HOME_DIR/\.config/libvirt(/.*)? > gen_context(system_u:object_r:virt_home_t,s0) > +HOME_DIR/\.config/libvirt/qemu(/.*)? > gen_context(system_u:object_r:svirt_home_t,s0) > +HOME_DIR/VirtualMachines(/.*)? > gen_context(system_u:object_r:virt_home_t,s0) > +HOME_DIR/VirtualMachines/isos(/.*)? > gen_context(system_u:object_r:virt_content_t,s0)
These two don't look like libvirt SELinux bits, more like virt-manager or some other tool.

> +HOME_DIR/\.local/share/libvirt/images(/.*)? > gen_context(system_u:object_r:svirt_home_t,s0) > +HOME_DIR/\.local/share/libvirt/boot(/.*)? > gen_context(system_u:object_r:svirt_home_t,s0) > + > +/etc/libvirt -d > gen_context(system_u:object_r:virt_etc_t,s0) > +/etc/libvirt/virtlogd\.conf -- > gen_context(system_u:object_r:virtlogd_etc_t,s0) > +/etc/libvirt/[^/]* -- > gen_context(system_u:object_r:virt_etc_t,s0) > +/etc/libvirt/[^/]* -d > gen_context(system_u:object_r:virt_etc_rw_t,s0) > +/etc/libvirt/.*/.* > gen_context(system_u:object_r:virt_etc_rw_t,s0) > +/etc/rc\.d/init\.d/libvirtd -- > gen_context(system_u:object_r:virtd_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/virtlogd -- > gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) > + > +/usr/libexec/libvirt_lxc -- > gen_context(system_u:object_r:virtd_lxc_exec_t,s0) > + > +/usr/sbin/libvirtd -- > gen_context(system_u:object_r:virtd_exec_t,s0) > +/usr/sbin/virtlockd -- > gen_context(system_u:object_r:virtlogd_exec_t,s0) > +/usr/sbin/virtlogd -- > gen_context(system_u:object_r:virtlogd_exec_t,s0) > +/usr/bin/virsh -- > gen_context(system_u:object_r:virsh_exec_t,s0) > + > +/usr/sbin/virtinterfaced -- > gen_context(system_u:object_r:virtinterfaced_exec_t,s0) > +/usr/sbin/virtlxcd -- > gen_context(system_u:object_r:virtd_lxc_exec_t,s0) > +/usr/sbin/virtnetworkd -- > gen_context(system_u:object_r:virtnetworkd_exec_t,s0) > +/usr/sbin/virtnodedevd -- > gen_context(system_u:object_r:virtnodedevd_exec_t,s0) > +/usr/sbin/virtnwfilterd -- > gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) > +/usr/sbin/virtproxyd -- > gen_context(system_u:object_r:virtproxyd_exec_t,s0) > +/usr/sbin/virtqemud -- > gen_context(system_u:object_r:virtqemud_exec_t,s0) > +/usr/sbin/virtsecretd -- > gen_context(system_u:object_r:virtsecretd_exec_t,s0) > +/usr/sbin/virtstoraged -- > gen_context(system_u:object_r:virtstoraged_exec_t,s0) > 
+/usr/sbin/virtvboxd -- > gen_context(system_u:object_r:virtvboxd_exec_t,s0) > +/usr/sbin/virtvzd -- > gen_context(system_u:object_r:virtvzd_exec_t,s0) > +/usr/sbin/virtxend -- > gen_context(system_u:object_r:virtxend_exec_t,s0) > + > +/var/cache/libvirt(/.*)? > gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) > + > +/var/lib/libvirt(/.*)? > gen_context(system_u:object_r:virt_var_lib_t,s0) > +/var/lib/libvirt/boot(/.*)? > gen_context(system_u:object_r:virt_content_t,s0) > +/var/lib/libvirt/images(/.*)? > gen_context(system_u:object_r:virt_image_t,s0) > +/var/lib/libvirt/isos(/.*)? > gen_context(system_u:object_r:virt_content_t,s0) > +/var/lib/libvirt/lockd(/.*)? > gen_context(system_u:object_r:virt_var_lockd_t,s0) > +/var/lib/libvirt/qemu(/.*)? > gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) > + > +/var/log/log(/.*)? > gen_context(system_u:object_r:virt_log_t,s0)

Based on selinux-policy commit 63ead48cf8, this seems vdsm related. I don't think that we use this directory in libvirt.

> +/var/log/libvirt(/.*)? > gen_context(system_u:object_r:virt_log_t,s0) > +/var/run/libvirtd\.pid -- > gen_context(system_u:object_r:virt_var_run_t,s0) > +# Avoid calling m4's "interface" by using en empty string > +/var/run/libvirt/interfac(e)(/.*)? > gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) > +/var/run/libvirt/nodedev(/.*)? > gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) > +/var/run/libvirt/nwfilter(/.*)? > gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) > +/var/run/libvirt/secrets(/.*)? > gen_context(system_u:object_r:virtsecretd_var_run_t,s0) > +/var/run/libvirt/storage(/.*)? 
> gen_context(system_u:object_r:virtstoraged_var_run_t,s0) > + > +/var/run/virtlogd\.pid -- > gen_context(system_u:object_r:virtlogd_var_run_t,s0) > +/var/run/virtlxcd\.pid -- > gen_context(system_u:object_r:virt_lxc_var_run_t,s0) > +/var/run/virtqemud\.pid -- > gen_context(system_u:object_r:virtqemud_var_run_t,s0) > +/var/run/virtvboxd\.pid -- > gen_context(system_u:object_r:virtvboxd_var_run_t,s0) > +/var/run/virtproxyd\.pid -- > gen_context(system_u:object_r:virtproxyd_var_run_t,s0) > +/var/run/virtinterfaced\.pid -- > gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) > +/var/run/virtnetworkd\.pid -- > gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) > +/var/run/virtnodedevd\.pid -- > gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) > +/var/run/virtnwfilterd\.pid -- > gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) > +/var/run/virtnwfilterd-binding\.pid -- > gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) > +/var/run/virtsecretd\.pid -- > gen_context(system_u:object_r:virtsecretd_var_run_t,s0) > +/var/run/virtstoraged\.pid -- > gen_context(system_u:object_r:virtstoraged_var_run_t,s0) [...]

I was not able to figure out which SELinux policy this one is based on, as the upstream for Rawhide from <https://github.com/fedora-selinux/selinux-policy.git> is a bit different. There are some cosmetic changes, but I see two major differences:

- the upstream policy doesn't have the split-daemon bits compared to this one; I checked it and it looks reasonable, but I'm not that familiar with SELinux policy
- the upstream policy has an important `system.token` issue fix that we've seen recently introduced by upstream commit <1f761d0bbd>

Pavel
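Review bot: `/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)` gives the lock daemon the log daemon's exec type, while every other daemon in this hunk gets its own `*_exec_t` (`virtqemud_exec_t`, `virtsecretd_exec_t`, ...), and the `/etc/libvirt` block has a dedicated `virtlogd\.conf -- virtlogd_etc_t` entry but nothing for the lock daemon's config, which therefore falls under the generic `/etc/libvirt/[^/]* -- virt_etc_t` rule. If sharing one type between virtlockd and virtlogd is deliberate, a comment next to those two lines would stop the next reader from treating it as a copy-paste slip; otherwise add a `virtlockd_exec_t` alongside the others. The same question applies to `/usr/libexec/libvirt_lxc` and `/usr/sbin/virtlxcd`, which both get `virtd_lxc_exec_t` (the per-container controller and the driver daemon under one exec type) while the daemon's pid file is typed `virt_lxc_var_run_t`; either the naming or the sharing deserves a one-line explanation.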