From mboxrd@z Thu Jan  1 00:00:00 1970
Authentication-Results: passt.top; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: passt.top;
	dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=DYdGBdpL;
	dkim-atps=neutral
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTPS id 75EB25A0626
	for <passt-dev@passt.top>; Thu, 20 Feb 2025 17:28:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1740068920;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=D6rCj5sH7v6psoVVNWt5oFD45A6xAxSCF/o/otPQ3zo=;
	b=DYdGBdpLz4t2ZP0+BGJKvPGR/bkzD3h6lPH1oVn6j2AhsOLZohqtNaTwRVKqjdp0gQFHdX
	iy7AI9fig5JkQ25Dy+VOIIVpWJamF8hT9VuWNmHGUdPzdr6rpfup1XoeJXhiGUBTcCsgye
	ngnuW+iv/+2wWO2ToZdhLXxRXD2RcDA=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com
 [209.85.221.70]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-528-6RzffuuiMYKrR0ii5ixwjA-1; Thu, 20 Feb 2025 11:28:39 -0500
X-MC-Unique: 6RzffuuiMYKrR0ii5ixwjA-1
X-Mimecast-MFC-AGG-ID: 6RzffuuiMYKrR0ii5ixwjA_1740068918
Received: by mail-wr1-f70.google.com with SMTP id ffacd0b85a97d-38f628ff78eso569893f8f.1
        for <passt-dev@passt.top>; Thu, 20 Feb 2025 08:28:39 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740068917; x=1740673717;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=D6rCj5sH7v6psoVVNWt5oFD45A6xAxSCF/o/otPQ3zo=;
        b=NtnYZ+hVQDTNwjSPKap0yuY6B9cQz3R4nbSfTsSgKR2uPYfOgTT+NFFQulLpFNKICD
         Lqq1stq4dcpnhpSScr7l7r66Tf+dz07Hg8A7KMG9dGHI/qlf9d00XcCz87/15lhhihJd
         6Z7d5J6Dt9sw3oBG9hH6OV4xx0kZXcyxBRDke3fTQxL94kib+CQAIl5SkfwRZGGWEw0p
         9BPoY3i8nZ/3/6wFYHACFmpH9NtM0YMPBmzsUljCzYpRDxJkSXFWCepnu9bRRZUavcz5
         xu0Wtx3/lXMxCBfS1f9RV9MOvGRm7qj9KZb+Lll/Aw6rRKN1K1bbmAsY58Z/U9PSY3N1
         HMMw==
X-Gm-Message-State: AOJu0YxRawAPIAPNwzvo1mWI1A8LkVlJgcHEMF8WsAXiBhAS2bG25x7b
	GLVFUeq3/BHnaLJaDIomPgINDjPp5sU8Uvc1YTDW9TbtfUr7Cot3qjo3RU3yGMQBR/5vA9dnILF
	RyJY0E44v1Z/5aovBEjx7DLqWEOR9H1Kqqp+8R2mcq1MNEzMzKEtJ6XGoBjRWYBtVQy9DC4JR4/
	nesVtnZuw7x+Q3oLwiBdCL7tJ5fD4SbvaV
X-Gm-Gg: ASbGncvHV+0klmj8lz+sjdH8TWqUBr7F0wUDHVefHjgx+UWmm/5DTJ/VdhUJmXlgnew
	4IMBXjBaw8R/XfQiszlHnexGeowx+AZTxgJl7D1UEllevD+5YLili4i1p+aKt0XXiR58NIvF3BN
	bsaTMpIV7MFYpPuo6qtsykjlr1tvF5Le1m+EdJ2bK4f7XKlnmSQe2gv4j6LP9YHDurxPu7Kc5rh
	KjeLJlHHmgkEJBzF0/XdJAusFkvBLhKxDHdkGwfNTWGLm/jZWQuaKJodid0nVuah54QlX7bqM9D
	k1zA69bo1uk2ONVyf3rLlq1hWR5RBPMuJg==
X-Received: by 2002:a5d:6c6f:0:b0:38d:df15:2770 with SMTP id ffacd0b85a97d-38f613fa36emr3578257f8f.0.1740068917667;
        Thu, 20 Feb 2025 08:28:37 -0800 (PST)
X-Google-Smtp-Source: AGHT+IE4jR4pdPYbv7Botge4vsMhRzlFroiBZ1uYaeLduKrG7B5jqLdG58HYgilwVXQWI8ORlrT+WA==
X-Received: by 2002:a5d:6c6f:0:b0:38d:df15:2770 with SMTP id ffacd0b85a97d-38f613fa36emr3578180f8f.0.1740068916366;
        Thu, 20 Feb 2025 08:28:36 -0800 (PST)
Received: from maya.myfinge.rs (ifcgrfdd.trafficplex.cloud. [176.103.220.4])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-38f259f7987sm20702724f8f.87.2025.02.20.08.28.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 20 Feb 2025 08:28:36 -0800 (PST)
Date: Thu, 20 Feb 2025 17:28:33 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: Andrea Bolognani <abologna@redhat.com>
Subject: Re: [PATCH] contrib/selinux: Enable mapping guest memory for
 libvirt guests
Message-ID: <20250220172833.3b05c2c5@elisabeth>
In-Reply-To: <20250214143705.0ca05b19@elisabeth>
References: <20250213221642.4085986-1-sbrivio@redhat.com>
	<CABJz62OnC+SOKRqjYvQCc_wTRBTxawtwgi5C7YtWr2Mjg_pmTg@mail.gmail.com>
	<20250214143705.0ca05b19@elisabeth>
Organization: Red Hat
X-Mailer: Claws Mail 4.2.0 (GTK 3.24.41; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: udD-dr3EtINHEs7PzNLAHbxn9lRkk9Ws1ugiatYtjq8_1740068918
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: UAC324X3UU5MXJAGJRX6NTHM7ZHFA7EU
X-Message-ID-Hash: UAC324X3UU5MXJAGJRX6NTHM7ZHFA7EU
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top, Laine Stump <laine@redhat.com>, Laurent Vivier <lvivier@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20250220172833.3b05c2c5@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/UAC324X3UU5MXJAGJRX6NTHM7ZHFA7EU/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Fri, 14 Feb 2025 14:37:05 +0100
Stefano Brivio <sbrivio@redhat.com> wrote:

> On Fri, 14 Feb 2025 05:30:44 -0800
> Andrea Bolognani <abologna@redhat.com> wrote:
> 
> > On Thu, Feb 13, 2025 at 11:16:42PM +0100, Stefano Brivio wrote:  
> > > This doesn't actually belong to passt's own policy: we should export
> > > an interface and libvirt's policy should use it, because passt's
> > > policy shouldn't be aware of svirt_image_t at all.
> > >
> > > However, libvirt doesn't maintain its own policy, which makes policy
> > > updates rather involved. Add this workaround to ensure --vhost-user
> > > is working in combination with libvirt, as it might take ages before
> > > we can get the proper rule in libvirt's policy.    
> > 
> > Is the need to update libvirt's policy for these passt changes being
> > tracked anywhere?  
> 
> No. :)
> 
> > Because if not it will not take ages, it will simply never happen.  
> 
> It will happen. :)
> 
> > Especially if a workaround in passt's policy effectively sweeps the
> > issue under the rug.  
> 
> I'll take up the rug next week. :)

Tracked at https://github.com/fedora-selinux/selinux-policy/issues/2579.

-- 
Stefano