From: Jag Raman
Subject: Re: [Qemu-devel] [multiprocess RFC PATCH 36/37] multi-process: add the concept description to docs/devel/qemu-multiprocess
Date: Tue, 23 Apr 2019 17:26:33 -0400
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1



On 3/26/2019 6:20 PM, Philippe Mathieu-Daudé wrote:

> Please share the SELinux policy files, containerization scripts, etc.
> There is probably a home for them in qemu.git, libvirt.git, or elsewhere
> upstream.
>
> We need to find a way to make the sandboxing improvements available to
> users besides yourself and easily reusable for developers who wish to
> convert additional device models.
>
> Also for testing this series.

Hi,

We are wondering how to deliver the example SELinux policies. I have
posted on Fedora's SELinux mailing list to get info on how to upstream
SELinux policy.

We are developing SELinux Type Enforcement rules and MCS labels to sandbox
the emulation process. Details regarding the example Type Enforcement
policy are available below.

We are also working on changes to libvirt, to launch the remote process
and apply MCS labels. Libvirt changes will be posted separately in the
future.

The Type Enforcement file for SELinux is available at the pastebin location
below (also copied at the end of this email):
https://pastebin.com/t1bpS6MY

An RPM package which installs this policy as an SELinux module, and
configures the file contexts for the executables, is available for
download at the link below:
http://wikisend.com/download/156700/mpqemu-selinux-example-1.0-1.fc29.noarch.rpm

The README for the RPM can be obtained by running the following commands:
# rpm2cpio ./mpqemu-selinux-example-1.0-1.fc29.noarch.rpm | cpio -idmv
# cat opt/mpqemu-selinux-example/doc/README

Thanks!
--
Jag


----------
mpqemu.te:
----------

module mpqemu 1.0;

require {
        class process { fork getattr noatsecure rlimitinh siginh transition };
        class file { entrypoint execute getattr ioctl lock map open read write };
        class dir { getattr search };
        class lnk_file read;
        class chr_file { lock open read write };
        class fd use;
        class unix_stream_socket { read write };
        type qemu_t;
        type qemu_exec_t;
        type virtd_t;
        type ld_so_cache_t;
        type ld_so_t;
        type lib_t;
        type null_device_t;
        type virt_image_t;
        type shell_exec_t;
        type init_t;
        attribute domain;
        attribute entry_type;
        attribute exec_type;
        attribute application_exec_type;
        attribute file_type, non_security_file_type, non_auth_file_type;
        attribute virt_domain;
        attribute virt_image_type;
};

# Types for the remote lsi53c895a device process: its executable, the disk
# image it is handed, and the domain it runs in.
type qemu_lsi53c895a_exec_t;
type qemu_lsi53c895a_img_t;
type qemu_lsi53c895a_t;

# The remote process is a virt domain like qemu_t, so MCS labels can be
# applied to it in the same way.
typeattribute qemu_lsi53c895a_t virt_domain;

# The executable is an ordinary application entrypoint file.
typeattribute qemu_lsi53c895a_exec_t file_type, non_security_file_type, non_auth_file_type;
typeattribute qemu_lsi53c895a_exec_t exec_type;
typeattribute qemu_lsi53c895a_exec_t application_exec_type;
typeattribute qemu_lsi53c895a_exec_t entry_type;
# The image file is a virt image type, alongside virt_image_t.
typeattribute qemu_lsi53c895a_img_t file_type, non_security_file_type, non_auth_file_type;
typeattribute qemu_lsi53c895a_img_t virt_image_type;

# Domain transitions: qemu_t executing qemu_lsi53c895a_exec_t lands in
# qemu_lsi53c895a_t; libvirtd executing qemu_exec_t lands in qemu_t.
type_transition qemu_t qemu_lsi53c895a_exec_t : process qemu_lsi53c895a_t;
type_transition virtd_t qemu_exec_t : process qemu_t;

#============= init_t ==============
# init may read the remote process's /proc entries.
allow init_t qemu_lsi53c895a_t:dir search;
allow init_t qemu_lsi53c895a_t:file { getattr open read };

#============= qemu_lsi53c895a_t ==============
# Dynamic loader and shared libraries.
allow qemu_lsi53c895a_t ld_so_cache_t : file { getattr map open read };
allow qemu_lsi53c895a_t ld_so_t : file { execute map read };
allow qemu_lsi53c895a_t lib_t : lnk_file read;
# /dev/null.
allow qemu_lsi53c895a_t null_device_t : chr_file { lock open read write };
# Its own executable, which is also its entrypoint into the domain.
allow qemu_lsi53c895a_t qemu_lsi53c895a_exec_t : file { execute map read };
allow qemu_lsi53c895a_t qemu_lsi53c895a_exec_t : file entrypoint;
# The only regular file type this domain may write: its own disk image.
allow qemu_lsi53c895a_t qemu_lsi53c895a_img_t : file { getattr ioctl lock open read write };
allow qemu_lsi53c895a_t self : process fork;
# Inherit descriptors from, and talk over a unix stream socket to, the main
# qemu_t process.
allow qemu_lsi53c895a_t qemu_t : fd use;
allow qemu_lsi53c895a_t qemu_t : unix_stream_socket { read write };

#============= qemu_t ==============
# Launch the remote process: open, read and execute its binary, transition
# into the new domain, and let it inherit rlimits and signal state and skip
# secure-exec (AT_SECURE) environment cleansing.
allow qemu_t qemu_lsi53c895a_exec_t : file { execute open read };
allow qemu_t qemu_lsi53c895a_t : process { noatsecure rlimitinh siginh transition };
allow qemu_t virt_image_t : file write;

#============= virtd_t ==============
# libvirtd may use a shell script as a domain entrypoint.
allow virtd_t shell_exec_t : file entrypoint;



> Stefan
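An added example, not part of the multi-process patch series, the RPM or the
policy above: a small offline checker for the posted mpqemu.te rules. A domain
transition only works when the kernel finds all three of `allow src exec_t:file
execute`, `allow new_dom exec_t:file entrypoint` and `allow src new_dom:process
transition` (plus the `type_transition` itself); the script parses the allow and
type_transition rules copied from the email, reports which of those three each
transition is missing from this module, and lists the (type, class) pairs the
sandboxed domain may write to. It assumes a plain .te rule file with no m4
macros, and it reads only the module text: on a live system `sesearch -A -s
qemu_lsi53c895a_t` and `sesearch -T -s qemu_t` answer the same questions
against the loaded policy, base policy included.

```python
"""Offline check of the domain-transition rules in the posted mpqemu.te.

Added example; not part of the multi-process patch series or the example RPM.
A rule reported as missing here may still be supplied by the base policy (the
virtd_t -> qemu_t transition is the usual case), so an empty result is proof
only for rules the module is expected to carry itself.
"""
import re

# Rule section of mpqemu.te as posted in the email (require block omitted,
# since the parser does not need it).
MPQEMU_TE = """
type_transition qemu_t qemu_lsi53c895a_exec_t : process qemu_lsi53c895a_t;
type_transition virtd_t qemu_exec_t : process qemu_t;
allow init_t qemu_lsi53c895a_t:dir search;
allow init_t qemu_lsi53c895a_t:file { getattr open read };
allow qemu_lsi53c895a_t ld_so_cache_t : file { getattr map open read };
allow qemu_lsi53c895a_t ld_so_t : file { execute map read };
allow qemu_lsi53c895a_t lib_t : lnk_file read;
allow qemu_lsi53c895a_t null_device_t : chr_file { lock open read write };
allow qemu_lsi53c895a_t qemu_lsi53c895a_exec_t : file { execute map read };
allow qemu_lsi53c895a_t qemu_lsi53c895a_img_t : file { getattr ioctl lock open read write };
allow qemu_lsi53c895a_t self : process fork;
allow qemu_lsi53c895a_t qemu_t : fd use;
allow qemu_lsi53c895a_t qemu_t : unix_stream_socket { read write };
allow qemu_lsi53c895a_t qemu_lsi53c895a_exec_t : file entrypoint;
allow qemu_t qemu_lsi53c895a_exec_t : file open;
allow qemu_t qemu_lsi53c895a_t : process { noatsecure rlimitinh siginh };
allow qemu_t virt_image_t : file write;
allow qemu_t qemu_lsi53c895a_t : process transition;
allow qemu_t qemu_lsi53c895a_exec_t : file { execute read };
allow virtd_t shell_exec_t : file entrypoint;
"""

# `allow SRC TGT : CLASS PERM;` or `allow SRC TGT : CLASS { PERMS };`
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")
# `type_transition SRC EXEC_T : process NEW_DOM;`
TRANS_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;")


def parse_policy(text):
    """Return ({(source, target, class): perms}, [(source, exec type, new domain)])."""
    allows, transitions = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            tgt = src if tgt == "self" else tgt  # `self` means the source domain
            allows.setdefault((src, tgt, cls), set()).update(perms.strip("{}").split())
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions.append(m.groups())
    return allows, transitions


def allowed(allows, src, tgt, cls, perm):
    """True if the module grants src the permission perm on tgt:cls."""
    return perm in allows.get((src, tgt, cls), set())


def missing_for_transition(allows, src, exec_t, new_dom):
    """The allow rules a src -> new_dom transition via exec_t needs but this module lacks."""
    needed = [
        ("allow %s %s:file execute" % (src, exec_t), (src, exec_t, "file", "execute")),
        ("allow %s %s:file entrypoint" % (new_dom, exec_t), (new_dom, exec_t, "file", "entrypoint")),
        ("allow %s %s:process transition" % (src, new_dom), (src, new_dom, "process", "transition")),
    ]
    return [rule for rule, key in needed if not allowed(allows, *key)]


def writable_targets(allows, dom):
    """Sorted (type, class) pairs dom may write to: the sandbox's outbound surface."""
    return sorted((t, c) for (s, t, c), p in allows.items() if s == dom and "write" in p)


if __name__ == "__main__":
    allows, transitions = parse_policy(MPQEMU_TE)
    for src, exec_t, new_dom in transitions:
        gaps = missing_for_transition(allows, src, exec_t, new_dom)
        print("%s -> %s via %s: %s" % (src, new_dom, exec_t, gaps or "complete in this module"))
    print("qemu_lsi53c895a_t may write:", writable_targets(allows, "qemu_lsi53c895a_t"))
```

Running it shows the qemu_t -> qemu_lsi53c895a_t transition fully backed by
the module, the virtd_t -> qemu_t transition relying on rules outside it, and
the remote device domain able to write only its own image type, /dev/null and
the socket back to qemu_t; the `allow qemu_t virt_image_t : file write` rule
stays with the main process, which is the point of splitting the device out.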





