Re: [PATCH] contrib/selinux: Enable mapping guest memory for libvirt guests

On Fri, 14 Feb 2025 14:37:05 +0100 Stefano Brivio wrote:

On Fri, 14 Feb 2025 05:30:44 -0800 Andrea Bolognani wrote:

...

On Thu, Feb 13, 2025 at 11:16:42PM +0100, Stefano Brivio wrote:

...

This doesn't actually belong to passt's own policy: we should export an interface and libvirt's policy should use it, because passt's policy shouldn't be aware of svirt_image_t at all.

However, libvirt doesn't maintain its own policy, which makes policy updates rather involved. Add this workaround to ensure --vhost-user is working in combination with libvirt, as it might take ages before we can get the proper rule in libvirt's policy.

Is the need to update libvirt's policy for these passt changes being tracked anywhere?

No. :)

...

Because if not it will not take ages, it will simply never happen.

It will happen. :)

...

Especially if a workaround in passt's policy effectively sweeps the issue under the rug.

I'll take up the rug next week. :)

Tracked at https://github.com/fedora-selinux/selinux-policy/issues/2579. -- Stefano