Re: [libvirt PATCH 00/13] selinux: introduce sVirt policy and build

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Aug 06, 2021 at 06:47:57PM +0100, Daniel P. Berrangé wrote:
> This is an extension of
> 
>   https://listman.redhat.com/archives/libvir-list/2021-July/msg00167.html
> 
> The original patches from that series are unchanged apart from the
> commit message, and tweak to the min fedora version in the RPM.
> 
> I then include various refactors/cleanups.
> 
> On Fedora 34 I notice the following:
> 
> ../src/security/selinux/virt.te:579: Warning: fs_rw_anon_inodefs_files(virtd_t) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:580: Warning: fs_list_inotifyfs(virtd_t) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:985: Warning: fs_rw_anon_inodefs_files(virt_domain) has been deprecated. All calls can be safely removed.
> ../src/security/selinux/virt.te:1520: Warning: fs_list_inotifyfs(svirt_sandbox_domain) has been deprecated. All calls can be safely removed.
> 
> assuming those warnings are correct, we can delete a few things
> from the policy, but that's not done here.
> 
> Daniel P. Berrangé (10):
>   selinux: remove redundant use of 'set_variable' function
>   selinux: move selinux policy build helper to scripts directory
>   selinux: don't hardcode paths to selinux tools
>   selinux: don't hardcode policy include files directory
>   rpm: move logic for setting selinux policy variables
>   rpm: rename selinux variables to improve clarity
>   selinux: introduce meson option for selinux policy install
>   selinux: remove duplicate sources list for policy
>   scripts: use variables for cli args in selinux helper
>   scripts: factor repeated path joins from selinux helper
> 
> Nikola Knazekova (1):
>   security: add SELinux policy for virt
> 
> Vit Mojzis (2):
>   selinux: introduce build, install, packaging for selinux policy
>   Install selinux-policy-devel in test environment

Overall looks reasonable, there are some small issues and we should
clarify where the policy comes from and add the missing system.token
bits.

Pavel

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux