From 5bf471a025fdeee4f5576092341bc427ca9d7dec Mon Sep 17 00:00:00 2001 From: Pan Ousley Date: Thu, 12 Jan 2023 11:52:00 -0500 Subject: [PATCH] CNV-20962: SELinux updates, part 1 --- ...ed-selinux-policies-for-virt-launcher.adoc | 32 +++++++++++++------ ...ty-privileges-controller-and-launcher.adoc | 1 + 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/modules/virt-extended-selinux-policies-for-virt-launcher.adoc b/modules/virt-extended-selinux-policies-for-virt-launcher.adoc index b6ac7a9387..a9e485db5e 100644 --- a/modules/virt-extended-selinux-policies-for-virt-launcher.adoc +++ b/modules/virt-extended-selinux-policies-for-virt-launcher.adoc 
@@ -6,18 +6,32 @@ [id="virt-extended-selinux-policies-for-virt-launcher_{context}"] = Extended SELinux policies for virt-launcher pods -The `container_t` SELinux policy for virt-launcher pods is extended with the following rules: +The `container_t` SELinux policy for `virt-launcher` pods is extended to enable essential functions of {VirtProductName}. -* `allow process self (tun_socket (relabelfrom relabelto attach_queue))` -* `allow process sysfs_t (file (write))` -* `allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr))` -* `allow process hugetlbfs_t (file (create unlink))` +* The following policy is required for network multi-queue, which enables network performance to scale as the number of available vCPUs increases: -These rules enable the following virtualization features: +** `allow process self (tun_socket (relabelfrom relabelto attach_queue))` -* Relabel and attach queues to its own TUN sockets, which is required to support network multi-queue. Multi-queue enables network performance to scale as the number of available vCPUs increases. +* The following policy allows `virt-launcher` to read files under the `/proc` directory, including `/proc/cpuinfo` and `/proc/uptime`: -* Allows virt-launcher pods to write information to sysfs (`/sys`) files, which is required to enable Single Root I/O Virtualization (SR-IOV). +** `allow process proc_type (file (getattr open read))` -* Read/write `hugetlbfs` entries, which is required to support huge pages. Huge pages are a method of managing large amounts of memory by increasing the memory page size. +* The following policy allows `libvirtd` to relay network-related debug messages. +** `allow process self (netlink_audit_socket (nlmsg_relay))` ++ +[NOTE] +==== +Without this policy, any attempt to relay network debug messages is blocked. This might fill the node's audit logs with SELinux denials. 
+==== + +* The following policies allow `libvirtd` to access `hugetblfs`, which is required to support huge pages: + +** `allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr))` +** `allow process hugetlbfs_t (file (create unlink))` + +* The following policies allow `virtiofs` to mount filesystems and access NFS: + +** `allow process nfs_t (dir (mounton))` +** `allow process proc_t (dir (mounton))` +** `allow process proc_t (filesystem (mount unmount))` \ No newline at end of file diff --git a/virt/virt-additional-security-privileges-controller-and-launcher.adoc b/virt/virt-additional-security-privileges-controller-and-launcher.adoc index 01b8a1e52d..61102a67b7 100644 --- a/virt/virt-additional-security-privileges-controller-and-launcher.adoc +++ b/virt/virt-additional-security-privileges-controller-and-launcher.adoc 
@@ -23,4 +23,5 @@ include::modules/virt-additional-scc-for-kubevirt-controller.adoc[leveloffset=+1 * xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Managing security context constraints] * xref:../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions] * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/monitoring_and_managing_system_status_and_performance/index#optimizing-virtual-machine-network-performance_optimizing-virtual-machine-performance-in-rhel[Optimizing virtual machine network performance] in the {op-system-base-full} documentation +* xref:../virt/virtual_machines/advanced_vm_management/virt-using-huge-pages-with-vms.adoc#virt-using-huge-pages-with-vms[Using huge pages with virtual machines] * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/monitoring_and_managing_system_status_and_performance/index#configuring-huge-pages_monitoring-and-managing-system-status-and-performance[Configuring huge pages] in the {op-system-base} documentation \ No newline at end of file
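Review bot: `hugetblfs` in the added line "* The following policies allow `libvirtd` to access `hugetblfs`, which is required to support huge pages:" is a typo for `hugetlbfs` (the rules below it name `hugetlbfs_t`, and the removed bullet spelled it `hugetlbfs`), so please correct it in the first hunk. Two smaller points in the same hunk: the bullet "* The following policy allows `libvirtd` to relay network-related debug messages." ends with a period while every other lead-in bullet ends with a colon before its `**` rule, so it should end with a colon too; and the removed rule `-* `allow process sysfs_t (file (write))`` together with its SR-IOV explanation is dropped without a replacement, so if that rule is still part of the policy it needs its own bullet, and if it was removed from the policy the commit message should say so rather than leaving readers to infer that SR-IOV no longer needs the write access.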
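Review bot: the added entry `+* xref:../virt/virtual_machines/advanced_vm_management/virt-using-huge-pages-with-vms.adoc#virt-using-huge-pages-with-vms[Using huge pages with virtual machines]` in the second hunk is placed between the two external `link:` entries, while the other internal `xref:` entries in this list are grouped above them; consider moving it up with the other xrefs so internal and external references stay grouped. Since the hunk ends with `\ No newline at end of file`, this edit is also a convenient moment to add the trailing newline, and the surrounding context shows one link attributed to `{op-system-base-full}` and the other to `{op-system-base}`, which could be made consistent in the same change.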