On Fri, Mar 03, 2023 at 09:06:38AM -0800, Andrea Bolognani wrote:
> On Fri, Mar 03, 2023 at 03:47:23PM +0000, Daniel P. Berrangé wrote:
> > On Fri, Mar 03, 2023 at 07:23:41AM -0800, Andrea Bolognani wrote:
> > > I'm in no way a SELinux expert, but the idea of figuring out the
> > > runtime label for the process based on information found on the
> > > filesystem makes me uncomfortable. The idea of using some sort of
> > > text transformation to get from one to the other, even more so.
> >
> > Using the label on the filesystem is precisely the right way to
> > do this with SELinux. It is what the kernel does every time a
> > binary is invoked, unless the caller has overridden the target
> > type.
> >
> > > Since we know that we're launching passt and not some other random
> > > helper, why can't we simply use passt_t directly here? It feels like
> > > that would be less prone to issues caused by accidental (or
> > > intentional) misconfigurations.
> >
> > That ties libvirt's code to a specific policy impl which is
> > not a desirable thing. Same reason we don't hardcode svirt_t
> > as a type for QEMU, but instead query it dynamically from
> > the installed policy.
>
> Do I understand correctly that this happens in
> virSecuritySELinuxQEMUInitialize(), by parsing the contents of the
> file located via a call to selinux_virtual_domain_context_path()?

Yes.

> Poking around at the other files present in the same directory I see
> various formats being used, including... XML? It looks like SELinux
> implements facilities for exposing arbitrary information about the
> active policy at well-known locations, with (I assume) the explicit
> purpose of enabling this kind of interaction.
>
> So wouldn't that be the way to go for passt, and other helpers too?
> Have SELinux expose a virtual_helpers_context file, that we can parse
> to figure out the appropriate labels to use for passt and friends?

No, I don't think so.

The helpers file is a bit of a special case that was needed because
there were multiple contexts we needed to cope with for running QEMU.
I don't see any reason not to follow what the kernel already does by
relying on the labelled file context.

With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
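A small model of the exec-time labelling the thread describes, added here as an illustration rather than code from libvirt or the SELinux project: given the caller's process context and the executable's file label, the new domain comes from a matching type_transition rule, the caller's type is kept when no rule matches, and an explicit override (the "caller has overridden the target type" case) wins over the rule. The policy fragment and the type names virtd_t, passt_exec_t and qemu_exec_t are constructed assumptions; svirt_t and passt_t are the types named in the thread.

```python
import re

# Constructed policy fragment in SELinux policy-source syntax. The type
# names virtd_t, passt_exec_t and qemu_exec_t are assumptions for this
# illustration; svirt_t and passt_t are the types named in the thread.
POLICY = """
type_transition virtd_t passt_exec_t : process passt_t;
type_transition virtd_t qemu_exec_t : process svirt_t;
"""

RULE_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+)\s*;\s*$")


def parse_transitions(policy):
    """Return {(source_type, target_type, class): new_type} from policy text."""
    rules = {}
    for line in policy.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, new = m.groups()
            rules[(src, tgt, cls)] = new
    return rules


RULES = parse_transitions(POLICY)


def split_context(ctx):
    """'user:role:type[:level]' -> (user, role, type, level or None)."""
    parts = ctx.split(":", 3)  # maxsplit keeps an MLS range like s0-s0:c0.c1023 intact
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % ctx)
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)


def exec_context(proc_ctx, file_ctx, rules=RULES, override_type=None):
    """Context a new process gets when proc_ctx execs a file labelled file_ctx.

    Simplified kernel behaviour: user, role and level are inherited from the
    caller; the type comes from a type_transition rule keyed on (caller type,
    file type, 'process'), otherwise the caller stays in its own type. An
    explicit override, as set before exec, takes precedence over the rule.
    """
    user, role, ptype, level = split_context(proc_ctx)
    _, _, ftype, _ = split_context(file_ctx)
    new_type = override_type or rules.get((ptype, ftype, "process"), ptype)
    ctx = "%s:%s:%s" % (user, role, new_type)
    return ctx + ":" + level if level else ctx
```

The same lookup on a real host is what the kernel performs from the executable's on-disk label, which is why hardcoding passt_t in the caller would bypass whatever the installed policy actually says.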