| Message ID | 20260327115257.2625298-1-amanna@qti.qualcomm.com |
|---|---|
| State | New |
| Series | refpolicy: backport fix from upstream (PR #1095) |
Hi Joe and Yi,

Requesting to review the patch.

Thanks,
Abhi

-----Original Message-----
From: Abhilasha Manna (Temp) <amanna@qti.qualcomm.com>
Sent: Friday, March 27, 2026 5:23 PM
To: yocto-patches@lists.yoctoproject.org
Cc: Abhilasha Manna (Temp) <amanna@qti.qualcomm.com>
Subject: [PATCH] refpolicy: backport fix from upstream (PR #1095)

Backport upstream SELinux refpolicy change from:
https://github.com/SELinuxProject/refpolicy/pull/1095/changes/e393fdc3c3943b27d9808311e92c14af68345f29

This change is required to keep meta-selinux in sync with upstream refpolicy and to fix issues observed when building or running SELinux-enabled images.

No functional changes beyond the upstream fix.

Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com>
---
 .../refpolicy/refpolicy-targeted_git.bb       |  1 +
 ...irt-hook-scripts-with-dedicated-exec.patch | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch
diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb index de81d46..beda1c5 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb @@ -14,4 +14,5 @@ include refpolicy_${PV}.inc SRC_URI += " \ file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ + file://0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch \ " diff --git a/recipes-security/refpolicy/refpolicy/0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch b/recipes-security/refpolicy/refpolicy/0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch new file mode 100644 index 0000000..79209fc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch 
@@ -0,0 +1,74 @@ +From 2edbd77f1f6aa720a9ed48f27f9dca43b8935261 Mon Sep 17 00:00:00 2001 +From: Abhilasha Manna <amanna@qti.qualcomm.com> +Date: Wed, 18 Mar 2026 10:53:58 +0530 +Subject: [PATCH] virt: label libvirt hook scripts with dedicated exec type + +Hook scripts under /etc/libvirt/hooks/ are executable files +invoked by libvirtd on lifecycle events. Their current label +virt_etc_rw_t does not permit execute, causing AVC denials. + +Introduce virt_script_exec_t for hook scripts, add the +virt_exec_script() interface, and update file_contexts to +label /etc/libvirt/hooks(/.*)? accordingly. + +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1095/changes/e393fdc3c3943b27d9808311e92c14af68345f29] + +Signed-off-by: Abhilasha Manna <amanna@qti.qualcomm.com> +--- + policy/modules/services/virt.fc | 2 ++ + policy/modules/services/virt.if | 18 ++++++++++++++++++ + policy/modules/services/virt.te | 5 +++++ + 3 files changed, 25 insertions(+) + +diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc +index 1441a50dc..eb72de5be 100644 +--- a/policy/modules/services/virt.fc ++++ b/policy/modules/services/virt.fc +@@ -72,3 +72,5 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t + /run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0) + /run/vdsm(/.*)? gen_context(system_u:object_r:virt_runtime_t,s0) + /run/virtlockd\.pid -- gen_context(system_u:object_r:virtlockd_run_t,s0) ++ ++/etc/libvirt/hooks(/.*)? -- system_u:object_r:virt_script_exec_t:s0 +diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if +index 9b28d670e..272034f0d 100644 +--- a/policy/modules/services/virt.if ++++ b/policy/modules/services/virt.if +@@ -1274,3 +1274,21 @@ interface(`virt_admin',` + dev_list_all_dev_nodes($1) + allow $1 virt_ptynode:chr_file rw_term_perms; + ') ++ ++######################################## ++## <summary> ++## Execute virt hook scripts. 
++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed to execute virt hook scripts. ++## </summary> ++## </param> ++# ++interface(`virt_exec_script',` ++ gen_require(` ++ type virt_script_exec_t; ++ ') ++ files_search_etc($1) ++ allow $1 virt_script_exec_t:file exec_file_perms; ++') +diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te +index b0bd0a8d4..50028f615 100644 +--- a/policy/modules/services/virt.te ++++ b/policy/modules/services/virt.te +@@ -1257,3 +1257,8 @@ sysnet_dns_name_resolve(virtlogd_t) + + virt_manage_log(virtlogd_t) + virt_read_config(virtlogd_t) ++ ++type virt_script_exec_t; ++files_type(virt_script_exec_t) ++ ++virt_exec_script(virtd_t) +-- +2.43.0 +
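Review bot: in the refpolicy-targeted_git.bb hunk, the backport is wired into the targeted recipe's SRC_URI only, yet the hunk context shows that recipe taking its sources from the shared `include refpolicy_${PV}.inc`, and the only other targeted-specific entry is 0001 while the new patch is numbered 0078, which suggests it belongs with the numbered series in the shared include. Nothing in the virt.fc/virt.if/virt.te change is specific to the targeted policy, so the other refpolicy-*_git.bb variants built from the same include would miss the fix; add `file://0078-virt-label-libvirt-hook-scripts-with-dedicated-exec.patch \` to the SRC_URI in the shared .inc instead, unless there is a reason only targeted needs it, in which case the commit message should say so.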
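Review bot: in the header of the new 0078 patch, `Upstream-Status: Backport` cites a pull-request revision URL (pull/1095/changes/<sha>) rather than a commit on the refpolicy main branch. Backport is for a change that has already merged upstream and should reference the merged commit so reviewers can diff against it; if PR #1095 is still open, the correct status is `Upstream-Status: Submitted [URL]`, which also flags that the local copy must be re-synced if upstream merges the PR in a different form.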
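Review bot: in the virt.fc hunk, the new entry `/etc/libvirt/hooks(/.*)? -- system_u:object_r:virt_script_exec_t:s0` hard-codes the full context string while every other line in the hunk uses `gen_context(system_u:object_r:...,s0)`. gen_context is what adds or drops the MLS/MCS level according to the policy type being built, so a literal `:s0` yields an invalid context for a non-MLS build (refpolicy-standard in meta-selinux), and mixing the two forms is a style problem on its own. Make it `/etc/libvirt/hooks(/.*)? -- gen_context(system_u:object_r:virt_script_exec_t,s0)`, and place it with the existing /etc/libvirt entries rather than after the /run lines, since the file is kept in path order. With the `--` qualifier only regular files get the new type; the hooks directory itself keeps its previous label, which is fine provided the executing domain can search it.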
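Review bot: in the virt.if hunk, `allow $1 virt_script_exec_t:file exec_file_perms;` is not sufficient for the caller to actually run a hook script in its own domain: exec_file_perms does not include execute_no_trans, which the kernel checks whenever a domain executes a file without a domain transition, and no transition is defined for virt_script_exec_t anywhere in the patch. The refpolicy idiom for this is `can_exec($1, virt_script_exec_t)`, which grants execute_no_trans together with the read/map/execute permissions. The interface also only grants `files_search_etc($1)`; a caller other than virtd_t still needs search on /etc/libvirt and on the hooks directory to reach the scripts, so either add that here or document that callers are expected to already have virt config access. Since hooks are interpreter scripts, the calling domain additionally needs to execute the shell (corecmd_exec_shell) for the exec to succeed; that is outside this interface and should be confirmed for virtd_t.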
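Review bot: in the virt.te hunk, the type declaration and the virtd_t rule are appended after the virtlogd_t local policy, but refpolicy keeps `type virt_script_exec_t;` / `files_type(virt_script_exec_t)` in the Declarations block at the top of the module and the rule in the virtd local policy section; please move both so the module stays navigable. Calling the module's own interface (`virt_exec_script(virtd_t)`) from inside virt.te is also against refpolicy convention; write the rule directly, e.g. `can_exec(virtd_t, virt_script_exec_t)`. On the security side the split is the right direction: this hunk gives virtd_t execute on the new type and no write on it, which is what separates the hook scripts from the writable virt_etc_rw_t configuration they were previously lumped in with. One deployment caveat: no file type transition is added, so a hook created at runtime in /etc/libvirt/hooks inherits the directory's type and will not be executable until relabeled with restorecon; the file_contexts entry only covers files present when the rootfs is labeled.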