[libvirt PATCH 00/13] selinux: introduce sVirt policy and build

Daniel P. Berrangé posted 13 patches 2 years, 7 months ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210806174810.3730064-1-berrange@redhat.com
[libvirt PATCH 00/13] selinux: introduce sVirt policy and build
Posted by Daniel P. Berrangé 2 years, 7 months ago
This is an extension of

  https://listman.redhat.com/archives/libvir-list/2021-July/msg00167.html

The original patches from that series are unchanged apart from the
commit message and a tweak to the minimum Fedora version in the RPM.

I then include various refactors/cleanups.

On Fedora 34 I notice the following:

../src/security/selinux/virt.te:579: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:580: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:985: Warning: fs_rw_anon_inodefs_files(virt_domain) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:1520: Warning: fs_list_inotifyfs(svirt_sandbox_domain) has been deprecated. All calls can be safely removed.

Assuming those warnings are correct, we can delete a few things
from the policy, but that is not done here.

Daniel P. Berrangé (10):
  selinux: remove redundant use of 'set_variable' function
  selinux: move selinux policy build helper to scripts directory
  selinux: don't hardcode paths to selinux tools
  selinux: don't hardcode policy include files directory
  rpm: move logic for setting selinux policy variables
  rpm: rename selinux variables to improve clarity
  selinux: introduce meson option for selinux policy install
  selinux: remove duplicate sources list for policy
  scripts: use variables for cli args in selinux helper
  scripts: factor repeated path joins from selinux helper

Nikola Knazekova (1):
  security: add SELinux policy for virt

Vit Mojzis (2):
  selinux: introduce build, install, packaging for selinux policy
  Install selinux-policy-devel in test environment

 ci/containers/centos-8.Dockerfile             |    1 +
 ci/containers/centos-stream-8.Dockerfile      |    1 +
 ci/containers/fedora-33.Dockerfile            |    1 +
 ci/containers/fedora-34.Dockerfile            |    1 +
 .../fedora-rawhide-cross-mingw32.Dockerfile   |    1 +
 .../fedora-rawhide-cross-mingw64.Dockerfile   |    1 +
 ci/containers/fedora-rawhide.Dockerfile       |    1 +
 libvirt.spec.in                               |  100 +
 meson.build                                   |    1 +
 meson_options.txt                             |    2 +
 scripts/meson.build                           |    1 +
 scripts/selinux-compile-policy.py             |  156 ++
 src/security/meson.build                      |    2 +
 src/security/selinux/mcs/meson.build          |   17 +
 src/security/selinux/meson.build              |   45 +
 src/security/selinux/mls/meson.build          |   17 +
 src/security/selinux/virt.fc                  |  111 +
 src/security/selinux/virt.if                  | 1984 ++++++++++++++++
 src/security/selinux/virt.te                  | 2078 +++++++++++++++++
 19 files changed, 4521 insertions(+)
 create mode 100755 scripts/selinux-compile-policy.py
 create mode 100644 src/security/selinux/mcs/meson.build
 create mode 100644 src/security/selinux/meson.build
 create mode 100644 src/security/selinux/mls/meson.build
 create mode 100644 src/security/selinux/virt.fc
 create mode 100644 src/security/selinux/virt.if
 create mode 100644 src/security/selinux/virt.te

-- 
2.31.1
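The deprecation warnings quoted in the cover letter are the kind of compiler output one wants to act on mechanically but safely: a call should only be dropped when the line the policy compiler named still holds exactly that call, since line numbers go stale as soon as the .te file is edited. The following is an added example, not code from this series or from libvirt: a small Python checker that parses warnings in the format shown above and removes the matching interface calls from a policy file, skipping any warning whose line no longer matches (stale line number, different arguments, or a line carrying more than the bare call). The first log is the cover letter's own output; the policy excerpt and the second log are constructed for the example and do not reflect the real virt.te.

```python
"""Parse refpolicy 'has been deprecated' warnings and drop the matching calls.

Added example, not libvirt code. Assumes the warning format shown in the
cover letter:
  <path>:<line>: Warning: <iface>(<args>) has been deprecated. All calls can be safely removed.
"""
import re
from dataclasses import dataclass

WARNING_RE = re.compile(
    r"^(?P<path>.+?):(?P<line>\d+): Warning: "
    r"(?P<iface>[A-Za-z_]\w*)\((?P<args>[^)]*)\) has been deprecated\. "
    r"All calls can be safely removed\.\s*$"
)
# A policy line consisting of exactly one interface call, e.g. "fs_list_inotifyfs(virtd_t)".
CALL_RE = re.compile(r"^\s*(?P<iface>[A-Za-z_]\w*)\((?P<args>[^)]*)\)\s*$")


@dataclass(frozen=True)
class PolicyWarning:
    path: str
    line: int      # 1-based line number reported by the policy compiler
    iface: str
    args: tuple    # normalised argument list, e.g. ("virtd_t",)


def _split_args(raw: str) -> tuple:
    return tuple(a.strip() for a in raw.split(",") if a.strip())


def parse_warnings(log: str) -> list:
    """Return one PolicyWarning per 'safely removed' line; other output is ignored."""
    found = []
    for raw in log.splitlines():
        m = WARNING_RE.match(raw)
        if m:
            found.append(PolicyWarning(m["path"], int(m["line"]),
                                       m["iface"], _split_args(m["args"])))
    return found


def strip_deprecated_calls(policy: str, warnings) -> tuple:
    """Drop each warned-about call only if the named line still holds exactly that call.

    Returns (new_policy_text, skipped). `skipped` lists warnings that were NOT
    applied because the line is out of range, is not a bare interface call, or
    names a different interface/arguments: those need a human look, not a delete.
    """
    lines = policy.splitlines(keepends=True)
    drop, skipped = set(), []
    for w in warnings:
        if not 1 <= w.line <= len(lines):
            skipped.append(w)
            continue
        m = CALL_RE.match(lines[w.line - 1])
        if m and m["iface"] == w.iface and _split_args(m["args"]) == w.args:
            drop.add(w.line)
        else:
            skipped.append(w)
    kept = "".join(t for i, t in enumerate(lines, 1) if i not in drop)
    return kept, skipped


# The four warnings reported in the cover letter (real output, Fedora 34 build).
PAGE_LOG = """\
../src/security/selinux/virt.te:579: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:580: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:985: Warning: fs_rw_anon_inodefs_files(virt_domain) has been deprecated. All calls can be safely removed.
../src/security/selinux/virt.te:1520: Warning: fs_list_inotifyfs(svirt_sandbox_domain) has been deprecated. All calls can be safely removed.
"""

# Constructed excerpt in the style of a .te file (NOT the real virt.te).
CONSTRUCTED_POLICY = (
    "policy_module(virt, 1.0.0)\n"
    "\n"
    "type virtd_t;\n"
    "allow virtd_t self:process setexec;\n"
    "fs_rw_anon_inodefs_files(virtd_t)\n"
    "fs_list_inotifyfs(virtd_t)\n"
    "fs_getattr_all_fs(virtd_t)\n"
)

# Constructed compiler output for that excerpt. The third warning is stale:
# line 4 is an allow rule, so the checker must skip it rather than delete it.
CONSTRUCTED_LOG = (
    "virt.te:5: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.\n"
    "virt.te:6: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.\n"
    "virt.te:4: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.\n"
    "(constructed filler line that is not a deprecation warning)\n"
)

if __name__ == "__main__":
    new_policy, skipped = strip_deprecated_calls(CONSTRUCTED_POLICY,
                                                 parse_warnings(CONSTRUCTED_LOG))
    print(new_policy)
    for w in skipped:
        print(f"NOT removed (line mismatch): {w.path}:{w.line} {w.iface}{w.args}")
```

Run it against a real build log and the real .te file in place of the constructed inputs; anything reported as "NOT removed" is a warning whose line drifted or whose line does more than call the deprecated interface, which is exactly the case where a blind line delete would corrupt the policy.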


Re: [libvirt PATCH 00/13] selinux: introduce sVirt policy and build
Posted by Pavel Hrdina 2 years, 7 months ago
On Fri, Aug 06, 2021 at 06:47:57PM +0100, Daniel P. Berrangé wrote:
> This is an extension of
> 
>   https://listman.redhat.com/archives/libvir-list/2021-July/msg00167.html
> 
> The original patches from that series are unchanged apart from the
> commit message and a tweak to the minimum Fedora version in the RPM.
> 
> I then include various refactors/cleanups.
> 
> On Fedora 34 I notice the following:
> 
> ../src/security/selinux/virt.te:579: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:580: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:985: Warning: fs_rw_anon_inodefs_files(virt_domain) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:1520: Warning: fs_list_inotifyfs(svirt_sandbox_domain) has been deprecated. All calls can be safely removed.
> 
> Assuming those warnings are correct, we can delete a few things
> from the policy, but that is not done here.
> 
> Daniel P. Berrangé (10):
>   selinux: remove redundant use of 'set_variable' function
>   selinux: move selinux policy build helper to scripts directory
>   selinux: don't hardcode paths to selinux tools
>   selinux: don't hardcode policy include files directory
>   rpm: move logic for setting selinux policy variables
>   rpm: rename selinux variables to improve clarity
>   selinux: introduce meson option for selinux policy install
>   selinux: remove duplicate sources list for policy
>   scripts: use variables for cli args in selinux helper
>   scripts: factor repeated path joins from selinux helper
> 
> Nikola Knazekova (1):
>   security: add SELinux policy for virt
> 
> Vit Mojzis (2):
>   selinux: introduce build, install, packaging for selinux policy
>   Install selinux-policy-devel in test environment

Overall this looks reasonable; there are some small issues, and we should
clarify where the policy comes from and add the missing system.token
bits.

Pavel