CNV-20962: SELinux updates, part 1

Author: ousleyp

modules/virt-extended-selinux-policies-for-virt-launcher.adoc

@@ -6,18 +6,32 @@
 [id="virt-extended-selinux-policies-for-virt-launcher_{context}"]
 = Extended SELinux policies for virt-launcher pods
 
-The `container_t` SELinux policy for virt-launcher pods is extended with the following rules:
+The `container_t` SELinux policy for `virt-launcher` pods is extended to enable essential functions of {VirtProductName}.
 
-* `allow process self (tun_socket (relabelfrom relabelto attach_queue))`
-* `allow process sysfs_t (file (write))`
-* `allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr))`
-* `allow process hugetlbfs_t (file (create unlink))`
+* The following policy is required for network multi-queue, which enables network performance to scale as the number of available vCPUs increases:
 
-These rules enable the following virtualization features:
+** `allow process self (tun_socket (relabelfrom relabelto attach_queue))` 
 
-* Relabel and attach queues to its own TUN sockets, which is required to support network multi-queue. Multi-queue enables network performance to scale as the number of available vCPUs increases.
+* The following policy allows `virt-launcher` to read files under the `/proc` directory, including `/proc/cpuinfo` and `/proc/uptime`:
 
-* Allows virt-launcher pods to write information to sysfs (`/sys`) files, which is required to enable Single Root I/O Virtualization (SR-IOV).
+** `allow process proc_type (file (getattr open read))`
 
-* Read/write `hugetlbfs` entries, which is required to support huge pages. Huge pages are a method of managing large amounts of memory by increasing the memory page size.
+* The following policy allows `libvirtd` to relay network-related debug messages.
 
+** `allow process self (netlink_audit_socket (nlmsg_relay))`
++
+[NOTE]
+====
+Without this policy, any attempt to relay network debug messages is blocked. This might fill the node's audit logs with SELinux denials.
+====
+
+* The following policies allow `libvirtd` to access `hugetblfs`, which is required to support huge pages:
+
+** `allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr))` 
+** `allow process hugetlbfs_t (file (create unlink))`
+
+* The following policies allow `virtiofs` to mount filesystems and access NFS:
+
+** `allow process nfs_t (dir (mounton))`
+** `allow process proc_t (dir (mounton))`
+** `allow process proc_t (filesystem (mount unmount))`

virt/virt-additional-security-privileges-controller-and-launcher.adoc

@@ -23,4 +23,5 @@ include::modules/virt-additional-scc-for-kubevirt-controller.adoc[leveloffset=+1
 * xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Managing security context constraints]
 * xref:../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions]
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/monitoring_and_managing_system_status_and_performance/index#optimizing-virtual-machine-network-performance_optimizing-virtual-machine-performance-in-rhel[Optimizing virtual machine network performance] in the {op-system-base-full} documentation
+* xref:../virt/virtual_machines/advanced_vm_management/virt-using-huge-pages-with-vms.adoc#virt-using-huge-pages-with-vms[Using huge pages with virtual machines]
 * link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/monitoring_and_managing_system_status_and_performance/index#configuring-huge-pages_monitoring-and-managing-system-status-and-performance[Configuring huge pages] in the {op-system-base} documentation