kdevops.lists.linux.dev archive mirror
From: Luis Chamberlain <mcgrof@kernel.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: kdevops@lists.linux.dev
Subject: WIP: initial work to set selinux contexts
Date: Sun, 22 Oct 2023 22:12:41 -0700
Message-ID: <ZTYAyYiVdUZXUBas@bombadil.infradead.org>

If you are on Fedora the default setting is for you to have
libvirt_session enabled by default. Eventually we should
strive to move all users to enable libvirt_session, but to do
so we must evaluate what is needed and what gains we can
get from it. One of the gains should be to have to do less
work on an initial kdevops deployment. We can currently quantify
the initial amount of work done with the work on kdevops by enabling
CONFIG_KDEVOPS_FIRST_RUN=y.

For Fedora one of the nagging things is to disable SELinux, and
for Debian disabling AppArmor. Fixing the SELinux stuff should allow
us to also remove some eyesore sudo commands for the libvirt_session
users as well.

This adds the SELinux contexts required for basic bringup. What we need
next is to figure out where to stuff similar tasks but for the extra
drives we create manually for the guests, and also what is the right
context? Any ideas?

For Debian, it would seem Fred has hinted we need something like:

cat /etc/apparmor.d/local/abstractions/libvirt-qemu
capability bpf,
/var/lib/libvirt/images/**/*.raw rwk,
/home/user/stuff/kdevops/** rwk,

So here is to hoping with some collaboration with folks we can end up
not only removing the annoying requirement to disable SELinux but also
AppArmor, and then if we do this, make libvirt_session the new
default.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 .../roles/gen_nodes/templates/Vagrantfile.j2  |  2 ++
 .../roles/libvirt_user/defaults/main.yml      |  3 +++
 .../tasks/enable-user/redhat/main.yml         | 22 ++++++++++++++-----
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/playbooks/roles/gen_nodes/templates/Vagrantfile.j2 b/playbooks/roles/gen_nodes/templates/Vagrantfile.j2
index 7ed59ff7..cf27a567 100644
--- a/playbooks/roles/gen_nodes/templates/Vagrantfile.j2
+++ b/playbooks/roles/gen_nodes/templates/Vagrantfile.j2
@@ -425,6 +425,7 @@ Vagrant.configure("2") do |config|
 {% endif %}
             port += 1
 	  end
+{% if not libvirt_session %}
 	  if provider == "libvirt"
 	    cmd = "sudo chgrp -R #{qemu_group} #{node_custom_data_path}"
 	    ok = system("#{cmd}")
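Review bot: the new `{% if not libvirt_session %}` guard around the `sudo chgrp -R #{qemu_group} #{node_custom_data_path}` call turns off the only step that made the custom data path usable by qemu, and nothing in this series labels or chowns that path for session users yet; the commit message itself lists the extra drives as an open question, so a `# TODO` comment at the guard would keep that gap visible. Also consider `{% if not (libvirt_session | default(false) | bool) %}` so the template does not depend on the variable always being defined (an undefined Jinja variable is falsy, which happens to keep the old sudo behaviour, but the intent is clearer when spelled out).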
@@ -439,6 +440,7 @@ Vagrant.configure("2") do |config|
               exit
             end
 	  end # end of provider check for libvirt
+{% endif %}
 	end # end of check for extra disks for libvirt
 {% if bootlinux_9p %}
 
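Review bot: the `{% endif %}` lands between two Ruby `end` lines, fourteen lines from the `{% if %}` it closes; following the existing `# end of ...` comment convention on the surrounding lines, a Jinja comment such as `{% endif %}{# end of libvirt_session guard #}` would make the pairing obvious when reading the rendered Vagrantfile.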
diff --git a/playbooks/roles/libvirt_user/defaults/main.yml b/playbooks/roles/libvirt_user/defaults/main.yml
index 575504f7..0d340d3d 100644
--- a/playbooks/roles/libvirt_user/defaults/main.yml
+++ b/playbooks/roles/libvirt_user/defaults/main.yml
@@ -5,3 +5,6 @@ only_verify_user: False
 
 skip_install: False
 skip_configuration: False
+
+bootlinux_9p: False
+bootlinux_9p_host_path: "/dev/null"
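Review bot: `bootlinux_9p_host_path: "/dev/null"` is a sentinel rather than a directory; since the task that consumes it is gated on `bootlinux_9p|bool`, the value is never used, so an empty string with a one-line comment (or dropping the default and using `default('')` in the task) states the intent more clearly. If the bootlinux role already owns these two variables, keep a single definition so the two copies cannot drift.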
diff --git a/playbooks/roles/libvirt_user/tasks/enable-user/redhat/main.yml b/playbooks/roles/libvirt_user/tasks/enable-user/redhat/main.yml
index 1d6355f0..04c35609 100644
--- a/playbooks/roles/libvirt_user/tasks/enable-user/redhat/main.yml
+++ b/playbooks/roles/libvirt_user/tasks/enable-user/redhat/main.yml
@@ -39,12 +39,24 @@
     - 'only_verify_user|bool'
     - 'getenforce_file_stat_result.stat.exists'
 
-- name: Inform if the user must disable SELinux
-  register: selinux_enabled
-  debug:
-    msg: "SELinux is enabled which may cause problems without the proper svirt_t context settings, disable SELinux or patch this thing to set the contexts properly"
-  failed_when: '"Enforcing" in selinux_check.stdout'
+- name: Set SELinux context for the storage pool for libvirt
+  become: yes
+  become_method: sudo
+  community.general.sefcontext:
+    target: "{{ storage_pool_path }}/(/.*)?"
+    setype: svirt_home_t
+  when:
+    - 'only_verify_user|bool'
+    - 'selinux_check is defined and "Enforcing" in selinux_check.stdout'
+
+- name: Set SELinux context for to enable 9p using your git tree for Linux
+  become: yes
+  become_method: sudo
+  community.general.sefcontext:
+    target: "{{ bootlinux_9p_host_path }}/(/.*)?"
+    setype: virt_content_t
   when:
+    - 'bootlinux_9p|bool'
     - 'only_verify_user|bool'
     - 'selinux_check is defined and "Enforcing" in selinux_check.stdout'
 
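Review bot: both `target` values carry an extra `/` before the `(/.*)?` group: `"{{ storage_pool_path }}/(/.*)?"` expands to `/path/(/.*)?`, which matches `/path/` and `/path//foo` but neither `/path` itself nor `/path/disk.qcow2`, so the label would never apply to the images; use `"{{ storage_pool_path }}(/.*)?"` and likewise for the 9p path. `community.general.sefcontext` only records the mapping and does not relabel existing files, so a follow-up `ansible.builtin.command: restorecon -Rv {{ storage_pool_path }}` task (and one for the 9p path) is needed before the contexts take effect. The removed task registered `selinux_enabled`; confirm nothing later in the role still reads it. If `only_verify_user` means check-only, a task that changes SELinux policy under that gate is surprising; confirm the condition is intended. Minor: `become_method: sudo` is the default and can go, and the second task name reads "for to enable 9p".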
-- 
2.41.0
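One way to see why the exact form of a `sefcontext` `target` matters, as an added example written for this archive page rather than code from the patch or the kdevops project: libselinux matches a file_contexts pattern as an anchored regular expression against the whole path, which the function below models with Python's `re.fullmatch`. It runs the conventional tree pattern `<dir>(/.*)?` and the `<dir>/(/.*)?` form used in the patch over constructed sample paths (the pool directory and image names are made up for the demonstration; the directory string is used verbatim as a regex, as `semanage fcontext` does).

```python
import re

# Added example, not kdevops code. Models how libselinux selects a label:
# the stored file_contexts regex is anchored and must match the whole path.


def tree_pattern(directory: str) -> str:
    """Conventional file-context pattern covering a directory and its subtree."""
    return directory.rstrip("/") + "(/.*)?"


def doubled_slash_pattern(directory: str) -> str:
    """The form from the patch under discussion, kept to show what it matches."""
    return directory.rstrip("/") + "/(/.*)?"


def label_applies(pattern: str, path: str) -> bool:
    """True if the pattern selects `path` (anchored whole-path match)."""
    # The directory text is a regex, as with semanage; metacharacters in a
    # real path (e.g. '.') would have to be escaped by the caller.
    return re.fullmatch(pattern, path) is not None


def coverage(pattern: str, paths: list[str]) -> dict[str, bool]:
    """Map each candidate path to whether the pattern covers it."""
    return {p: label_applies(pattern, p) for p in paths}


def uncovered(pattern: str, paths: list[str]) -> list[str]:
    """Paths that would keep their old label under this pattern."""
    return [p for p in paths if not label_applies(pattern, p)]


# Constructed sample: a session-mode storage pool and files inside it.
POOL = "/home/user/kdevops/storage"
SAMPLE_PATHS = [
    POOL,
    POOL + "/",
    POOL + "/node1.qcow2",
    POOL + "/extra/node1-data.raw",
]

if __name__ == "__main__":
    for name, pattern in (("tree", tree_pattern(POOL)),
                          ("doubled slash", doubled_slash_pattern(POOL))):
        print(f"{name}: {pattern}")
        for path, ok in coverage(pattern, SAMPLE_PATHS).items():
            print(f"  {'labelled' if ok else 'MISSED  '} {path}")
```

Run as a script it prints which sample paths each pattern covers; the tree form covers all of them, while the doubled-slash form only matches the directory with a trailing slash, so every image file keeps its previous label.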


Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-23  5:12 Luis Chamberlain [this message]
2023-10-28 17:59 ` WIP: initial work to set selinux contexts Luis Chamberlain