PR#8: Libvirt SELinux - rpms/libvirt

rpms / libvirt

#8 Libvirt SELinux

Closed 3 years ago by berrange. Opened 3 years ago by nknazeko.

https://github.com/5umm3r15/libvirt-selinux/ selinux into master

Introduce SELinux policy for libvirt drivers

5umm3r15 • 3 years ago

c9501b2

libvirt.spec

file modified

+64 -1

		`@@ -3,6 +3,9 @@`
		`# This spec file assumes you are building on a Fedora or RHEL version`
		`# that's still supported by the vendor. It may work on other distros`
		`# or versions, but no effort will be made to ensure that going forward.`
		`+ %global with_selinux 1`
		`+ %global selinuxtype targeted`
		`+ %global modulename virt`
		`%define min_rhel 7`
		`%define min_fedora 31`

		`@@ -222,7 +225,9 @@`
		`%define mainturl stable_updates/`
		`%endif`
		`Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz`
		`-`
		`+ Source2: %{modulename}.te`
		`+ Source3: %{modulename}.if`
		`+ Source4: %{modulename}.fc`
		`Requires: libvirt-daemon = %{version}-%{release}`
		`Requires: libvirt-daemon-config-network = %{version}-%{release}`
		`Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}`
		`@@ -251,6 +256,12 @@`
		`Requires: libvirt-client = %{version}-%{release}`
		`Requires: libvirt-libs = %{version}-%{release}`

		`+ %if 0%{?with_selinux}`
		`+ # This ensures that the *-selinux package and all it’s dependencies are not pulled`
		`+ # into containers and other systems that do not use SELinux`
		`+ Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})`
		`+ %endif`
		`+`
		`# All build-time requirements. Run-time requirements are`
		`# listed against each sub-RPM`
		`BuildRequires: gettext-devel`
		`@@ -975,6 +986,20 @@`
		`%description nss`
		`Libvirt plugin for NSS for translating domain names into IP addresses.`

		`+ %if 0%{?with_selinux}`
		`+ # SELinux subpackage`
		`+ %package selinux`
		`+ Summary: Libvirt SELinux policy`
		`+`
		`+ Requires: selinux-policy-%{selinuxtype}`
		`+ Requires(post): selinux-policy-%{selinuxtype}`
		`+ BuildRequires: selinux-policy-devel`
		`+ BuildArch: noarch`
		`+ %{?selinux_requires}`
		`+`
		`+ %description selinux`
		`+ SELinux policy module for libvirt.`
		`+ %endif`

		`%prep`

		`@@ -1200,6 +1225,17 @@`
		`%{?arg_login_shell}`

		`%meson_build`
		`+ %if 0%{?with_selinux}`
		`+ # SELinux policy (originally from selinux-policy-contrib)`
		`+ # this policy module will override the production module`
		`+ mkdir selinux`
		`+ cp -p %{SOURCE2} selinux/`
		`+ cp -p %{SOURCE3} selinux/`
		`+ cp -p %{SOURCE4} selinux/`
		`+`
		`+ make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp`
		`+ bzip2 -9 %{modulename}.pp`
		`+ %endif`

		`%install`
		`rm -fr %{buildroot}`
		`@@ -1284,6 +1320,10 @@`
		`%endif`
		`%endif`

		`+ %if 0%{?with_selinux}`
		`+ install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2`
		`+ %endif`
		`+`
		`%check`
		`VIR_TEST_DEBUG=1 %meson_test --no-suite syntax-check`

		`@@ -1486,6 +1526,24 @@`
		`exit 0`
		`%endif`

		`+ %if 0%{?with_selinux}`
		`+ # SELinux contexts are saved so that only affected files can be`
		`+ # relabeled after the policy module installation`
		`+ %pre selinux`
		`+ %selinux_relabel_pre -s %{selinuxtype}`
		`+`
		`+ %post selinux`
		`+ %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2`
		`+`
		`+ %postun selinux`
		`+ if [ $1 -eq 0 ]; then`
		`+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}`
		`+ fi`
		`+`
		`+ %posttrans selinux`
		`+ %selinux_relabel_post -s %{selinuxtype}`
		`+ %endif`
		`+`
		`%files`

		`%files docs`
		`@@ -1941,6 +1999,11 @@`
		`%{_datadir}/libvirt/api/libvirt-qemu-api.xml`
		`%{_datadir}/libvirt/api/libvirt-lxc-api.xml`

		`+ %if 0%{?with_selinux}`
		`+ %files selinux`
		`+ %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*`
		`+ %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}`
		`+ %endif`

		`%changelog`
		`* Fri Dec 04 2020 Cole Robinson <aintdiscole@gmail.com> - 6.10.0-2.1`

virt.fc

file added

+113

		`@@ -0,0 +1,113 @@`
		`+ HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)`
		`+ HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)`
		`+ HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)`
		`+ HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)`
		`+ HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)`
		`+ HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)`
		`+ HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)`
		`+ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)`
		`+ HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)`
		`+ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)`
		`+`
		`+ /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)`
		`+ /etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0)`
		`+ /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)`
		`+ /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)`
		`+ /etc/libvirt/./. gen_context(system_u:object_r:virt_etc_rw_t,s0)`
		`+ /etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)`
		`+ /etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)`
		`+`
		`+ /usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)`
		`+`
		`+ /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)`
		`+ /usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)`
		`+ /usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)`
		`+ /usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)`
		`+`
		`+ /usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0)`
		`+ /usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)`
		`+ /usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0)`
		`+ /usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtnodedevd_exec_t,s0)`
		`+ /usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)`
		`+ /usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0)`
		`+ /usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0)`
		`+ /usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0)`
		`+ /usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0)`
		`+ /usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0)`
		`+ /usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0)`
		`+ /usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0)`
		`+`
		`+ /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)`
		`+ /var/cache/libvirt-tck(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)`
		`+`
		`+ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)`
		`+ /var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)`
		`+ /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)`
		`+ /var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)`
		`+ /var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0)`
		`+ /var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)`
		`+`
		`+ /var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)`
		`+ /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)`
		`+ /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)`
		`+ # Avoid calling m4's "interface" by using en empty string`
		`+ /var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)`
		`+ /var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)`
		`+ /var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)`
		`+ /var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0)`
		`+ /var/run/libvirt/storage(/.*)? gen_context(system_u:object_r:virtstoraged_var_run_t,s0)`
		`+`
		`+ /var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0)`
		`+ /var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0)`
		`+ /var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0)`
		`+ /var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0)`
		`+ /var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0)`
		`+ /var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)`
		`+ /var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)`
		`+ /var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)`
		`+ /var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)`
		`+ /var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)`
		`+ /var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0)`
		`+ /var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0)`
		`+`
		`+ /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)`
		`+ /var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)`
		`+ /var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)`
		`+ /var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0)`
		`+ /var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0)`
		`+ /var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)`
		`+ /var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)`
		`+ /var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)`
		`+ /var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)`
		`+ /var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)`
		`+ /var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)`
		`+ /var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)`
		`+ /var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)`
		`+ /var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)`
		`+ /var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)`
		`+ /var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)`
		`+ /var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0)`
		`+ /var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0)`
		`+ /var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0)`
		`+ /var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)`
		`+ /var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)`
		`+ /var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)`
		`+ /var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)`
		`+ /var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)`
		`+ /var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)`
		`+ /var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)`
		`+ /var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)`
		`+ /var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)`
		`+`
		`+ /usr/lib/systemd/system/virtlogd. gen_context(system_u:object_r:virtlogd_unit_file_t,s0)`
		`+`
		`+ /usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)`
		`+ /usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)`
		`+ /usr/lib/systemd/system/.xen.\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)`

virt.if

file added

+1984

The added file is too large to be shown here, see it at: virt.if

virt.te

file added

+2086

The added file is too large to be shown here, see it at: virt.te

no initial comment

nknazeko commented 3 years ago

New SELinux policy for Libvirt drivers:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.

Copr build of SELinux policy with new virt policy:
https://copr.fedorainfracloud.org/coprs/nknazeko/selinux-policy/

Pull Request to SELinux policy with new virt policy is available on github:
https://github.com/fedora-selinux/selinux-policy/pull/492

Copr build of Libvirt with SELinux subpackage: https://copr.fedorainfracloud.org/coprs/nknazeko/libvirt-selinux/

SELinux policy was also created for Libvirt Testsuite and used for testing virt policy.
The repository is available on github: https://github.com/5umm3r15/perl-Sys-Virt-TCK-selinux/tree/selinux
Copr build of Libvirt-TCK with SELinux subpackage: https://copr.fedorainfracloud.org/coprs/nknazeko/libvirt-tck-selinux/

Libvirt test suite gives AVC messages related to this bug:
BZ1858260 - SELinux prevents svirt_t read|write on lvm_control_t during VM creation

Please do not merge before testing this policy.

Edited 3 years ago by nknazeko

berrange commented 3 years ago

Thanks for this, however, we have a strictly upstream-first policy for libvirt, so can't take this kind of thing as a Fedora patch. Please can you send it upstream as a patch to the real libvirt git repo.