From: Nikola Knazekova <nknazeko(a)redhat.com>
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet,
because I wasn't able to reproduce AVC messages. These drivers
run in unconfined_domain until the AVC messages are reproduced
internally and policy for these drivers is made.
Signed-off-by: Nikola Knazekova <nknazeko(a)redhat.com>
---
src/security/selinux/virt.fc | 111 ++
src/security/selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++
src/security/selinux/virt.te | 2078 ++++++++++++++++++++++++++++++++++
3 files changed, 4173 insertions(+)
create mode 100644 src/security/selinux/virt.fc
create mode 100644 src/security/selinux/virt.if
create mode 100644 src/security/selinux/virt.te
diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc
new file mode 100644
index 0000000000..554e1094d9
--- /dev/null
+++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@
+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
+
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0)
+/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+
+/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
+/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
+/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
+/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
+/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0)
+/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0)
+/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0)
+/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0)
+/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0)
+/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0)
+/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0)
+
+/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+# Avoid calling m4's "interface" by using en empty string
+/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/storage(/.*)? gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+
+/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
+/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
+/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
+/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
+/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
+/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
+/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
+/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
+/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+
+/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0)
+
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
diff --git a/src/security/selinux/virt.if b/src/security/selinux/virt.if
new file mode 100644
index 0000000000..7e92675750
--- /dev/null
+++ b/src/security/selinux/virt.if
@@ -0,0 +1,1984 @@
+## <summary>Libvirt virtualization API</summary>
+
+########################################
+## <summary>
+## virtd_lxc_t stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stub_lxc',`
+ gen_require(`
+ type virtd_lxc_t;
+ ')
+')
+
+########################################
+## <summary>
+## svirt_sandbox_domain attribute stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stub_svirt_sandbox_domain',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+')
+
+########################################
+## <summary>
+## container_file_t stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stub_container_image',`
+ gen_require(`
+ type container_file_t;
+ ')
+')
+
+interface(`virt_stub_svirt_sandbox_file',`
+ gen_require(`
+ type container_file_t;
+ type container_ro_file_t;
+ ')
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_domain_template',`
+ gen_require(`
+ attribute virt_image_type, virt_domain;
+ attribute virt_tmpfs_type;
+ attribute virt_ptynode;
+ type qemu_exec_t;
+ type virtlogd_t;
+ ')
+
+ type $1_t, virt_domain;
+ application_domain($1_t, qemu_exec_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
+ type $1_devpts_t, virt_ptynode;
+ term_pty($1_devpts_t)
+
+ kernel_read_system_state($1_t)
+
+ auth_read_passwd($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty($1_t, $1_devpts_t)
+
+ # Allow domain to write to pipes connected to virtlogd
+ allow $1_t virtlogd_t:fd use;
+ allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## virt driver domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_driver_template',`
+ gen_require(`
+ attribute virt_driver_domain;
+ attribute virt_driver_executable;
+ attribute virt_driver_var_run;
+ type virtd_t;
+ type virtqemud_t;
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ type virt_var_run_t;
+ ')
+
+ type $1_t, virt_driver_domain;
+
+ type $1_exec_t, virt_driver_executable;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_var_run_t, virt_driver_var_run;
+ files_pid_file($1_var_run_t)
+
+ ##################################
+ #
+ # Local policy
+ #
+
+ allow $1_t self:netlink_audit_socket create;
+ allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow $1_t self:netlink_route_socket create_netlink_socket_perms;
+ allow $1_t self:rawip_socket create_socket_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+
+ allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms;
+ allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;
+
+ manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t)
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } )
+ filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } )
+
+ read_files_pattern($1_t, virt_etc_t, virt_etc_t)
+ manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
+ manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
+ filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir)
+
+ read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)
+
+ kernel_dgram_send($1_t)
+
+ auth_read_passwd($1_t)
+
+ dbus_read_pid_files($1_t)
+ dbus_stream_connect_system_dbusd($1_t)
+
+ dev_read_sysfs($1_t)
+
+ files_read_non_security_files($1_t)
+ init_read_utmp($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_generic_certs($1_t)
+
+ virt_manage_cache($1_t)
+ virt_manage_pid_files($1_t)
+ virt_stream_connect($1_t)
+
+ optional_policy(`
+ dbus_system_bus_client($1_t)
+ ')
+
+ optional_policy(`
+ dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t)
+ ')
+
+ optional_policy(`
+ systemd_dbus_chat_logind($1_t)
+ systemd_machined_stream_connect($1_t)
+ systemd_write_inhibit_pipes($1_t)
+ ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a virt image
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a virtual image
+## </summary>
+## </param>
+#
+interface(`virt_image',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ typeattribute $1 virt_image_type;
+ files_type($1)
+
+ # virt images can be assigned to blk devices
+ dev_node($1)
+')
+
+#######################################
+## <summary>
+## Getattr on virt executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_exec',`
+ gen_require(`
+ attribute virt_driver_executable;
+ type virtd_exec_t;
+ ')
+
+ allow $1 virtd_exec_t:file getattr;
+ allow $1 virt_driver_executable:file getattr;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run virt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans',`
+ gen_require(`
+ type virtd_t, virtd_exec_t;
+ ')
+
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Execute virtd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_exec',`
+ gen_require(`
+ attribute virt_driver_executable;
+ type virtd_exec_t;
+ ')
+
+ can_exec($1, virtd_exec_t)
+ can_exec($1, virt_driver_executable)
+')
+
+#######################################
+## <summary>
+## Connect to virt over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect',`
+ gen_require(`
+ attribute virt_driver_domain;
+ attribute virt_driver_var_run;
+ type virtd_t, virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+ stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run,
virt_driver_domain)
+')
+
+########################################
+## <summary>
+## Read and write to virt_domain unix
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_stream_sockets_virt_domain',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:unix_stream_socket { read write };
+')
+
+
+#######################################
+## <summary>
+## Connect to svirt process over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect_svirt',`
+ gen_require(`
+ type svirt_t;
+ type svirt_image_t;
+ ')
+
+ stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t)
+')
+
+########################################
+## <summary>
+## Read and write to apmd unix
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_stream_sockets_svirt',`
+ gen_require(`
+ type svirt_t;
+ ')
+
+ allow $1 svirt_t:unix_stream_socket { getopt read setopt write };
+')
+
+########################################
+## <summary>
+## Allow domain to attach to virt TUN devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_tun_iface',`
+ gen_require(`
+ attribute virt_driver_domain;
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:tun_socket relabelfrom;
+ allow $1 virt_driver_domain:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Allow domain to attach to virt sandbox TUN devices
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_attach_sandbox_tun_iface',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+
+ allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
+ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+## <summary>
+## Read virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_config',`
+ gen_require(`
+ type virt_etc_t, virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## manage virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_config',`
+ gen_require(`
+ type virt_etc_t, virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, virt_etc_t, virt_etc_t)
+ manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ allow $1 virt_content_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_content_t:dir list_dir_perms;
+ allow $1 virt_content_t:blk_file map;
+ allow $1 virt_content_t:file map;
+ list_dirs_pattern($1, virt_content_t, virt_content_t)
+ read_files_pattern($1, virt_content_t, virt_content_t)
+ read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+ read_blk_files_pattern($1, virt_content_t, virt_content_t)
+ read_chr_files_pattern($1, virt_content_t, virt_content_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow domain to write virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_write_content',`
+ gen_require(`
+ type virt_content_t;
+ ')
+
+ allow $1 virt_content_t:file write_file_perms;
+')
+
+########################################
+## <summary>
+## Read virt PID symlinks files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_pid_symlinks',`
+ gen_require(`
+ attribute virt_driver_var_run;
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
+')
+
+########################################
+## <summary>
+## Read virt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_pid_files',`
+ gen_require(`
+ attribute virt_driver_var_run;
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ read_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
+ read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
+')
+
+########################################
+## <summary>
+## Manage virt pid directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_pid_dirs',`
+ gen_require(`
+ attribute virt_driver_var_run;
+ type virt_var_run_t;
+ type virt_lxc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run)
+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ virt_filetrans_named_content($1)
+')
+
+########################################
+## <summary>
+## Manage virt pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_pid_files',`
+ gen_require(`
+ attribute virt_driver_var_run;
+ type virt_var_run_t;
+ type virt_lxc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+')
+
+########################################
+## <summary>
+## Create objects in the pid directory
+## with a private type with a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file">
+## <summary>
+## Type to which the created node will be transitioned.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`virt_pid_filetrans',`
+ gen_require(`
+ attribute virt_driver_var_run;
+ type virt_var_run_t;
+ ')
+
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ filetrans_pattern($1, virt_driver_var_run, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Search virt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_lib',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Dontaudit inherited read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read virt's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to getattr virt image direcories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to search virt image direcories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## Allow domain to read virt blk image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_blk_images',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+## Allow domain to read/write virt image chr files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_chr_files',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## svirt cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_cache',`
+ gen_require(`
+ type virt_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_images',`
+ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+')
+
+#######################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_default_image_type',`
+ gen_require(`
+ type virt_var_lib_t;
+ type virt_image_t;
+ ')
+
+ virt_search_lib($1)
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
+ manage_files_pattern($1, virt_image_t, virt_image_t)
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+')
+
+#######################################
+## <summary>
+## Get virtd services status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virtd_service_status',`
+ gen_require(`
+ type virtd_unit_file_t;
+ ')
+
+ allow $1 virtd_unit_file_t:service status;
+')
+
+########################################
+## <summary>
+## Execute virt server in the virt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_systemctl',`
+ gen_require(`
+ type virtd_unit_file_t;
+ type virtd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 virtd_unit_file_t:file read_file_perms;
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
+')
+
+########################################
+## <summary>
+## Ptrace the svirt domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_ptrace',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process ptrace;
+')
+
+#######################################
+## <summary>
+## Execute Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ can_exec($1, svirt_file_type)
+')
+
+########################################
+## <summary>
+## Allow any svirt_file_type to be an entrypoint of this domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_sandbox_entrypoint',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+ allow $1 svirt_file_type:file entrypoint;
+')
+
+#######################################
+## <summary>
+## List Sandbox Dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_list_sandbox_dirs',`
+ gen_require(`
+ type svirt_sandbox_file_t;
+ ')
+
+ list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
+')
+
+#######################################
+## <summary>
+## Read Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_sandbox_files',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ list_dirs_pattern($1, svirt_file_type, svirt_file_type)
+ read_files_pattern($1, svirt_file_type, svirt_file_type)
+ read_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
+')
+
+#######################################
+## <summary>
+## Manage Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ manage_dirs_pattern($1, svirt_file_type, svirt_file_type)
+ manage_files_pattern($1, svirt_file_type, svirt_file_type)
+ manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type)
+ manage_chr_files_pattern($1, svirt_file_type, svirt_file_type)
+ manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
+ allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
+## Getattr Sandbox File systems
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_getattr_sandbox_filesystem',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ allow $1 svirt_file_type:filesystem getattr;
+')
+
+#######################################
+## <summary>
+## Relabel Sandbox File systems
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ allow $1 svirt_file_type:filesystem { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
+## Mounton Sandbox Files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_mounton_sandbox_file',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ allow $1 svirt_file_type:dir_file_class_set mounton;
+')
+
+#######################################
+## <summary>
+## Connect to virt over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_stream_connect_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ attribute svirt_file_type;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain)
+ ps_process_pattern(svirt_sandbox_domain, $1)
+')
+
+########################################
+## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_transition_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
+ type svirt_socket_t;
+ ')
+
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
+ role $2 types svirt_socket_t;
+
+ allow $1 virt_domain:process { sigkill signal signull sigstop };
+ allow $1 svirt_image_t:file { relabelfrom relabelto };
+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
+
+ optional_policy(`
+ ptchown_run(virt_domain, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write virt daemon unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_write_pipes',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Send a sigkill to virtual machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_kill_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a sigkill to virtd daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_kill',`
+ gen_require(`
+ attribute virt_driver_domain;
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:process sigkill;
+ allow $1 virt_driver_domain:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a signal to virtd daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_signal',`
+ gen_require(`
+ attribute virt_driver_domain;
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:process signal;
+ allow $1 virt_driver_domain:process signal;
+')
+
+########################################
+## <summary>
+## Send null signal to virtd daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_signull',`
+ gen_require(`
+ attribute virt_driver_domain;
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:process signull;
+ allow $1 virt_driver_domain:process signull;
+')
+
+########################################
+## <summary>
+## Send a signal to virtual machines
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_signal_svirt',`
+ gen_require(`
+ attribute virt_domain;
+ ')
+
+ allow $1 virt_domain:process signal;
+')
+
+########################################
+## <summary>
+## Send a signal to sandbox domains
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_signal_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+
+ allow $1 svirt_sandbox_domain:process signal;
+')
+
+########################################
+## <summary>
+## Manage virt home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_home_files',`
+ gen_require(`
+ type virt_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
+')
+
+########################################
+## <summary>
+## allow domain to read
+## virt tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`virt_read_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
+ ')
+
+ allow $1 virt_tmpfs_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## allow domain to manage
+## virt tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`virt_manage_tmpfs_files',`
+ gen_require(`
+ attribute virt_tmpfs_type;
+ ')
+
+ allow $1 virt_tmpfs_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create .virt directory in the user home directory
+## with an correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_filetrans_home_content',`
+ gen_require(`
+ type virt_home_t;
+ type svirt_home_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+
+ optional_policy(`
+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
+ gnome_data_filetrans($1, svirt_home_t, dir, "boot")
+ ')
+')
+
+########################################
+## <summary>
+## Dontaudit attempts to Read virt_image_type devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_chr_dev',`
+ gen_require(`
+ attribute virt_image_type;
+ ')
+
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a virt file type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a virt file type
+## </summary>
+## </param>
+#
+interface(`virt_file_types',`
+ gen_require(`
+ attribute virt_file_type;
+ ')
+
+ typeattribute $1 virt_file_type;
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a svirt file type
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a svirt file type
+## </summary>
+## </param>
+#
+interface(`svirt_file_types',`
+ gen_require(`
+ attribute svirt_file_type;
+ ')
+
+ typeattribute $1 svirt_file_type;
+')
+
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## virt_lxc process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`virt_sandbox_domain_template',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+
+ type $1_t, svirt_sandbox_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_system_state($1_t)
+ kernel_read_all_proc($1_t)
+
+ # optional_policy(`
+ # container_runtime_typebounds($1_t)
+ # ')
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a lxc domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a lxc domain
+## </summary>
+## </param>
+#
+template(`virt_sandbox_domain',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+
+ typeattribute $1 svirt_sandbox_domain;
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a lxc network domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a lxc network domain
+## </summary>
+## </param>
+#
+template(`virt_sandbox_net_domain',`
+ gen_require(`
+ attribute sandbox_net_domain;
+ ')
+
+ virt_sandbox_domain($1)
+ typeattribute $1 sandbox_net_domain;
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a virt system domain
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a virt system domain
+## </summary>
+## </param>
+#
+interface(`virt_system_domain_type',`
+ gen_require(`
+ attribute virt_system_domain;
+ ')
+
+ typeattribute $1 virt_system_domain;
+')
+
+########################################
+## <summary>
+## Execute a qemu_exec_t in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_exec_qemu',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ can_exec($1, qemu_exec_t)
+')
+
+########################################
+## <summary>
+## Transition to virt named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_filetrans_named_content',`
+ gen_require(`
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
+ ')
+
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
+')
+
+########################################
+## <summary>
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the sandbox domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_transition_svirt_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+
+ allow $1 svirt_sandbox_domain:process { signal_perms transition };
+ role $2 types svirt_sandbox_domain;
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
+
+ allow svirt_sandbox_domain $1:fd use;
+
+ allow svirt_sandbox_domain $1:process sigchld;
+ ps_process_pattern($1, svirt_sandbox_domain)
+')
+
+########################################
+## <summary>
+## Read the process state of virt sandbox containers
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_sandbox_read_state',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
+ ')
+
+ ps_process_pattern($1, svirt_sandbox_domain)
+')
+
+########################################
+## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_svirt_dev',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to svirt_image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rw_svirt_image',`
+ gen_require(`
+ type svirt_image_t;
+ ')
+
+ allow $1 svirt_image_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_rlimitinh',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:process { rlimitinh };
+')
+
+########################################
+## <summary>
+## Read and write to svirt_image devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_noatsecure',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:process { noatsecure rlimitinh };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an virt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_admin',`
+ gen_require(`
+ attribute virt_domain;
+ attribute virt_system_domain;
+ attribute svirt_file_type;
+ attribute virt_file_type;
+ type virtd_initrc_exec_t;
+ type virtd_unit_file_t;
+ ')
+
+ allow $1 virt_system_domain:process signal_perms;
+ allow $1 virt_domain:process signal_perms;
+ ps_process_pattern($1, virt_system_domain)
+ ps_process_pattern($1, virt_domain)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 virt_system_domain:process ptrace;
+ allow $1 virt_domain:process ptrace;
+ ')
+
+ init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 virtd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 virt_domain:process signal_perms;
+
+ admin_pattern($1, virt_file_type)
+ admin_pattern($1, svirt_file_type)
+
+ virt_systemctl($1)
+ allow $1 virtd_unit_file_t:service all_service_perms;
+
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
+')
+
+#######################################
+## <summary>
+## Getattr on virt executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_default_capabilities',`
+ gen_require(`
+ attribute sandbox_caps_domain;
+ ')
+
+ typeattribute $1 sandbox_caps_domain;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## virt over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dbus_chat',`
+ gen_require(`
+ attribute virt_driver_domain;
+ type virtd_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 virtd_t:dbus send_msg;
+ allow virtd_t $1:dbus send_msg;
+ allow $1 virt_driver_domain:dbus send_msg;
+ allow virt_driver_domain $1:dbus send_msg;
+ ps_process_pattern(virtd_t, $1)
+ ps_process_pattern(virt_driver_domain, $1)
+')
+
+########################################
+## <summary>
+## Execute a file in a sandbox directory
+## in the specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a file in a sandbox directory
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## The type of the new process.
+## </summary>
+## </param>
+#
+interface(`virt_sandbox_domtrans',`
+ gen_require(`
+ type container_file_t;
+ ')
+
+ domtrans_pattern($1,container_file_t, $2)
+')
+
+########################################
+## <summary>
+## Dontaudit read the process state (/proc/pid) of libvirt
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dontaudit_read_state',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ dontaudit $1 virtd_t:dir search_dir_perms;
+ dontaudit $1 virtd_t:file read_file_perms;
+ dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
+')
+
+#######################################
+## <summary>
+## Send to libvirt with a unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_dgram_send',`
+ gen_require(`
+ type virtd_t, virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Manage svirt home files,dirs and sockfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_svirt_manage_home',`
+ gen_require(`
+ type svirt_home_t;
+ ')
+
+ manage_files_pattern($1, svirt_home_t, svirt_home_t)
+ manage_dirs_pattern($1, svirt_home_t, svirt_home_t)
+ manage_sock_files_pattern($1, svirt_home_t, svirt_home_t)
+')
+
+########################################
+## <summary>
+## Manage svirt tmp files,dirs and sockfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_svirt_manage_tmp',`
+ gen_require(`
+ type svirt_tmp_t;
+ ')
+
+ manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
+ manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t)
+ manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
+')
+
+########################################
+## <summary>
+## Read qemu PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_qemu_pid_files',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t)
+ read_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
+')
diff --git a/src/security/selinux/virt.te b/src/security/selinux/virt.te
new file mode 100644
index 0000000000..953778a6e4
--- /dev/null
+++ b/src/security/selinux/virt.te
@@ -0,0 +1,2078 @@
+policy_module(virt, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
+
+## <desc>
+## <p>
+## Allow virtual processes to run as userdomains
+## </p>
+## </desc>
+gen_tunable(virt_transition_userdomain, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(virt_use_execmem, false)
+
+## <desc>
+## <p>
+## Allow virtqemu driver to use executable memory and executable stack
+## </p>
+## </desc>
+gen_tunable(virtqemud_use_execmem, true)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to read fuse files
+## </p>
+## </desc>
+gen_tunable(virt_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use glusterd
+## </p>
+## </desc>
+gen_tunable(virt_use_glusterd, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to share apache content
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_share_apache_content, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers manage fuse files
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_fusefs, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage nfs files
+## </p>
+## </desc>
+gen_tunable(virt_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to manage cifs files
+## </p>
+## </desc>
+gen_tunable(virt_use_samba, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to interact with the sanlock
+## </p>
+## </desc>
+gen_tunable(virt_use_sanlock, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to interact with rawip sockets
+## </p>
+## </desc>
+gen_tunable(virt_use_rawip, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+## <desc>
+## <p>
+## Allow confined virtual guests to use smartcards
+## </p>
+## </desc>
+gen_tunable(virt_use_pcscd, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to send audit messages
+
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_audit, true)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use netlink system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_netlink, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use sys_admin system calls, for example mount
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_sys_admin, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use mknod system calls
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_mknod, false)
+
+## <desc>
+## <p>
+## Allow sandbox containers to use all capabilities
+## </p>
+## </desc>
+gen_tunable(virt_sandbox_use_all_caps, true)
+
+## <desc>
+## <p>
+## Allow virtlockd read and lock block devices.
+## </p>
+## </desc>
+gen_tunable(virt_lockd_blk_devs, false)
+
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
+')
+
+attribute virsh_transition_domain;
+attribute virt_ptynode;
+attribute virt_system_domain;
+attribute virt_domain;
+attribute virt_driver_domain;
+attribute virt_driver_executable;
+attribute virt_driver_var_run;
+attribute virt_image_type;
+attribute virt_tmpfs_type;
+attribute svirt_file_type;
+attribute virt_file_type;
+attribute sandbox_net_domain;
+attribute sandbox_caps_domain;
+
+type svirt_tmp_t, svirt_file_type;
+files_tmp_file(svirt_tmp_t)
+
+type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type;
+files_tmpfs_file(svirt_tmpfs_t)
+
+type svirt_image_t, virt_image_type, svirt_file_type;
+files_type(svirt_image_t)
+dev_node(svirt_image_t)
+dev_associate_sysfs(svirt_image_t)
+
+virt_domain_template(svirt)
+role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
+
+type qemu_exec_t, virt_file_type;
+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
+files_type(virt_cache_t)
+
+type virt_etc_t, virt_file_type;
+files_config_file(virt_etc_t)
+
+type virt_etc_rw_t, virt_file_type;
+files_type(virt_etc_rw_t)
+
+type virt_home_t, virt_file_type;
+userdom_user_home_content(virt_home_t)
+
+type svirt_home_t, svirt_file_type;
+userdom_user_home_content(svirt_home_t)
+
+# virt Image files
+type virt_image_t, virt_file_type; # customizable
+virt_image(virt_image_t)
+files_mountpoint(virt_image_t)
+
+# virt Image files
+type virt_content_t, virt_file_type; # customizable
+virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
+
+type virt_tmp_t, virt_file_type;
+files_tmp_file(virt_tmp_t)
+
+type virt_log_t, virt_file_type;
+logging_log_file(virt_log_t)
+mls_trusted_object(virt_log_t)
+
+type virt_lock_t, virt_file_type;
+files_lock_file(virt_lock_t)
+
+type virt_var_run_t, virt_file_type;
+files_pid_file(virt_var_run_t)
+
+type virt_var_lib_t, virt_file_type;
+files_mountpoint(virt_var_lib_t)
+
+type virt_var_lockd_t, virt_file_type;
+files_type(virt_var_lockd_t)
+
+type virtd_t, virt_system_domain;
+type virtd_exec_t, virt_file_type;
+init_daemon_domain(virtd_t, virtd_exec_t)
+domain_obj_id_change_exemption(virtd_t)
+domain_subj_id_change_exemption(virtd_t)
+
+type virtd_unit_file_t, virt_file_type;
+systemd_unit_file(virtd_unit_file_t)
+
+type virtd_initrc_exec_t, virt_file_type;
+init_script_file(virtd_initrc_exec_t)
+
+type virtd_keytab_t;
+files_type(virtd_keytab_t)
+
+type virtlogd_t, virt_system_domain;
+type virtlogd_exec_t, virt_file_type;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_etc_t, virt_file_type;
+files_config_file(virtlogd_etc_t)
+
+type virtlogd_var_run_t, virt_file_type;
+files_pid_file(virtlogd_var_run_t)
+
+type virtlogd_unit_file_t, virt_file_type;
+systemd_unit_file(virtlogd_unit_file_t)
+
+type virtlogd_initrc_exec_t, virt_file_type;
+init_script_file(virtlogd_initrc_exec_t)
+
+type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
+mls_trusted_object(qemu_var_run_t)
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
+')
+
+# virtinterfaced
+virt_driver_template(virtinterfaced)
+files_type(virtinterfaced_t)
+
+# virtnetworkd
+virt_driver_template(virtnetworkd)
+files_type(virtnetworkd_t)
+
+# virtnodedevd
+virt_driver_template(virtnodedevd)
+files_type(virtnodedevd_t)
+
+# virtnwfilterd
+virt_driver_template(virtnwfilterd)
+files_type(virtnwfilterd_t)
+
+# virtproxyd
+virt_driver_template(virtproxyd)
+files_type(virtproxyd_t)
+
+# virtqemud
+virt_driver_template(virtqemud)
+files_type(virtqemud_t)
+domain_obj_id_change_exemption(virtqemud_t)
+
+type virtqemud_tmp_t;
+files_tmp_file(virtqemud_tmp_t)
+
+# virtsecretd
+virt_driver_template(virtsecretd)
+files_type(virtsecretd_t)
+
+# virtstoraged
+virt_driver_template(virtstoraged)
+files_type(virtstoraged_t)
+
+type virtstoraged_tmp_t;
+files_tmp_file(virtstoraged_tmp_t)
+
+# virtvboxd
+virt_driver_template(virtvboxd)
+files_type(virtvboxd_t)
+
+# virtvzd
+virt_driver_template(virtvzd)
+files_type(virtvzd_t)
+
+# virtxend
+virt_driver_template(virtxend)
+files_type(virtxend_t)
+
+########################################
+#
+# Declarations
+#
+attribute svirt_sandbox_domain;
+
+type virtd_lxc_t, virt_system_domain;
+type virtd_lxc_exec_t, virt_file_type;
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
+type virt_lxc_var_run_t, virt_file_type;
+files_pid_file(virt_lxc_var_run_t)
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
+
+# virt lxc container files
+type container_file_t, svirt_file_type;
+typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t };
+files_mountpoint(container_file_t)
+
+type container_ro_file_t, svirt_file_type;
+files_mountpoint(container_ro_file_t)
+
+########################################
+#
+# svirt local policy
+#
+
+allow svirt_t self:process ptrace;
+
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
+read_files_pattern(svirt_t, virtqemud_t, virtqemud_t)
+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
+corenet_tcp_bind_all_ports(svirt_t)
+corenet_tcp_connect_all_ports(svirt_t)
+
+init_dontaudit_read_state(svirt_t)
+
+virt_dontaudit_read_state(svirt_t)
+
+storage_rw_inherited_fixed_disk_dev(svirt_t)
+
+userdom_read_all_users_state(svirt_t)
+
+#######################################
+#
+# svirt_prot_exec local policy
+#
+
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
+corenet_udp_bind_generic_node(svirt_tcg_t)
+corenet_udp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_bind_all_ports(svirt_tcg_t)
+corenet_tcp_connect_all_ports(svirt_tcg_t)
+
+ps_process_pattern(svirt_tcg_t, virtd_t)
+
+virt_dontaudit_read_state(svirt_tcg_t)
+
+########################################
+#
+# virtd local policy
+#
+
+# fsetid - for chmod'ing its runtime files
+allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill mknod
net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace };
+#allow virtd_t self:capability2 compromise_kernel;
+allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched
setsockcreate sigkill signal signull };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit virtd_t self:capability { sys_module };
+')
+
+allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom
relabelto };
+allow virtd_t self:tcp_socket create_stream_socket_perms;
+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow virtd_t self:rawip_socket create_socket_perms;
+allow virtd_t self:packet_socket create_socket_perms;
+allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
+allow virtd_t self:netlink_socket create_socket_perms;
+allow virtd_t self:netlink_generic_socket create_socket_perms;
+
+manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
+manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
+files_var_filetrans(virtd_t, virt_cache_t, dir)
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+
+allow virtd_t virtd_keytab_t:file read_file_perms;
+
+allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull
transition };
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal
signull transition };
+allow virt_domain virtd_t:fd use;
+allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write };
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain virtd_t:tun_socket attach_queue;
+
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
+
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:dir { rmdir setattr };
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto };
+allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
+
+manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
+manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
+manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
+files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
+
+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+allow virtd_t virt_var_lib_t:file { relabelfrom relabelto };
+
+manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t)
+manage_files_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t)
+filetrans_pattern(virtlogd_t, virt_var_lib_t, virt_var_lockd_t, dir, "lockd")
+
+manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file })
+
+manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run)
+manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run)
+manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run)
+
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+
+# libvirtd is permitted to talk to virtlogd
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
+
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
+kernel_read_kernel_sysctls(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
+kernel_dontaudit_setsched(virtd_t)
+kernel_write_proc_files(virtd_t)
+
+corecmd_exec_bin(virtd_t)
+corecmd_exec_shell(virtd_t)
+
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_generic_if(virtd_t)
+corenet_tcp_sendrecv_generic_node(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_generic_node(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
+corenet_tcp_connect_vnc_port(virtd_t)
+corenet_tcp_connect_soundd_port(virtd_t)
+corenet_rw_tun_tap_dev(virtd_t)
+corenet_relabel_tun_tap_dev(virtd_t)
+
+dev_rw_vfio_dev(virtd_t)
+dev_rw_sysfs(virtd_t)
+dev_read_urand(virtd_t)
+dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
+dev_rw_mtrr(virtd_t)
+dev_rw_vhost(virtd_t)
+dev_setattr_generic_usb_dev(virtd_t)
+dev_relabel_generic_usb_dev(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
+domain_signull_all_domains(virtd_t)
+
+files_list_all_mountpoints(virtd_t)
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+files_relabelfrom_boot_files(virtd_t)
+files_relabelto_boot_files(virtd_t)
+files_manage_boot_files(virtd_t)
+
+# Manages /etc/sysconfig/system-config-firewall
+files_manage_system_conf_files(virtd_t)
+
+fs_read_tmpfs_symlinks(virtd_t)
+fs_list_auto_mountpoints(virtd_t)
+fs_getattr_all_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+fs_manage_cgroup_dirs(virtd_t)
+fs_rw_cgroup_files(virtd_t)
+fs_manage_hugetlbfs_dirs(virtd_t)
+fs_rw_hugetlbfs_files(virtd_t)
+
+mls_fd_share_all_levels(virtd_t)
+mls_file_read_to_clearance(virtd_t)
+mls_file_write_to_clearance(virtd_t)
+mls_process_read_to_clearance(virtd_t)
+mls_process_write_to_clearance(virtd_t)
+mls_net_write_within_range(virtd_t)
+mls_socket_write_to_clearance(virtd_t)
+mls_socket_read_to_clearance(virtd_t)
+mls_rangetrans_source(virtd_t)
+mls_file_upgrade(virtd_t)
+
+mcs_process_set_categories(virtd_t)
+
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
+storage_raw_write_removable_device(virtd_t)
+storage_raw_read_removable_device(virtd_t)
+
+term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
+term_use_ptmx(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
+init_dbus_chat(virtd_t)
+init_read_utmp(virtd_t)
+
+miscfiles_read_generic_certs(virtd_t)
+miscfiles_read_hwdata(virtd_t)
+
+modutils_read_module_deps(virtd_t)
+modutils_read_module_config(virtd_t)
+modutils_manage_module_config(virtd_t)
+
+logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
+logging_stream_connect_syslog(virtd_t)
+
+selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
+seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
+
+sysnet_signull_ifconfig(virtd_t)
+sysnet_signal_ifconfig(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+
+systemd_dbus_chat_logind(virtd_t)
+systemd_write_inhibit_pipes(virtd_t)
+
+userdom_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
+userdom_relabel_user_tmp_files(virtd_t)
+userdom_setattr_user_tmp_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
+virt_filetrans_home_content(virtd_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_mmap_nfs_files(virtd_t)
+ fs_read_nfs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+')
+
+optional_policy(`
+ brctl_domtrans(virtd_t)
+')
+
+optional_policy(`
+ consoletype_exec(virtd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(virtd_t)
+ ')
+')
+
+optional_policy(`
+ dmidecode_domtrans(virtd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+ dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t)
+ dnsmasq_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
+ firewalld_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
+ iptables_systemctl(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+')
+
+optional_policy(`
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_exec(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ # Run mount in the mount_t domain.
+ mount_domtrans(virtd_t)
+ mount_signal(virtd_t)
+')
+
+optional_policy(`
+ numad_domtrans(virtd_t)
+ numad_dbus_chat(virtd_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t)
+')
+
+optional_policy(`
+ qemu_exec(virtd_t)
+')
+
+optional_policy(`
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
+ udev_domtrans(virtd_t)
+ udev_read_db(virtd_t)
+ udev_read_pid_files(virtd_t)
+')
+
+optional_policy(`
+ unconfined_domain(virtd_t)
+')
+
+########################################
+#
+# virtlogd local policy
+#
+
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
+files_search_etc(virtlogd_t)
+allow virtlogd_t virt_etc_t:file read_file_perms;
+allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock };
+allow virtlogd_t virt_etc_t:dir search;
+
+manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
+# context from other stuff in /var/run/libvirt
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
+# This lets systemd create the socket itself too
+
+# virtlogd creates a /var/run/virtlogd.pid file
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
+
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
+
+manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+kernel_read_network_state(virtlogd_t)
+
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+# Allow virtlogd_t to execute itself.
+allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
+
+dev_read_sysfs(virtlogd_t)
+
+logging_send_syslog_msg(virtlogd_t)
+
+auth_use_nsswitch(virtlogd_t)
+
+manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
+
+manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)
+
+# Allow virtlogd to look at /proc/$PID/status
+# to authenticate the connecting libvirtd
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t)
+
+virt_manage_lib_files(virtlogd_t)
+
+tunable_policy(`virt_lockd_blk_devs',`
+ dev_lock_all_blk_files(virtlogd_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_append_nfs_files(virtlogd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virtlogd_t)
+')
+
+optional_policy(`
+ systemd_write_inhibit_pipes(virtlogd_t)
+ systemd_dbus_chat_logind(virtlogd_t)
+')
+
+########################################
+#
+# virtual domains common policy
+#
+#allow virt_domain self:capability2 compromise_kernel;
+allow virt_domain self:process { getsched setrlimit setsched signal_perms };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+allow virt_domain self:udp_socket create_socket_perms;
+allow virt_domain self:icmp_socket create_socket_perms;
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+dontaudit virt_domain virt_content_t:file write_file_perms;
+dontaudit virt_domain virt_content_t:dir write;
+
+kernel_read_net_sysctls(virt_domain)
+kernel_read_network_state(virt_domain)
+kernel_ib_access_unlabeled_pkeys(virt_domain)
+
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
+append_files_pattern(virt_domain, virt_home_t, virt_home_t)
+manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
+
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+read_files_pattern(virt_domain, virt_image_t, virt_image_t)
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
+fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file)
+allow svirt_t svirt_image_t:file map;
+allow svirt_t svirt_image_t:blk_file map;
+
+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file})
+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
+fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
+allow virt_domain svirt_tmpfs_t:file map;
+
+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh};
+
+dontaudit virt_domain virt_tmpfs_type:file { read write };
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
+
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
+dev_read_generic_symlinks(virt_domain)
+dev_read_rand(virt_domain)
+dev_read_sound(virt_domain)
+dev_read_urand(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_vfio_dev(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_sev(virt_domain)
+dev_rw_qemu(virt_domain)
+dev_rw_inherited_vhost(virt_domain)
+dev_rw_infiniband_dev(virt_domain)
+dev_rw_dri(virt_domain)
+dev_rw_tpm(virt_domain)
+dev_rw_xserver_misc(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_mnt_symlinks(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
+
+fs_rw_cephfs_files(virt_domain)
+fs_getattr_xattr_fs(virt_domain)
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_inherited_tmpfs_files(virt_domain)
+fs_getattr_hugetlbfs(virt_domain)
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
+
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+miscfiles_read_generic_certs(virt_domain)
+
+storage_raw_read_removable_device(virt_domain)
+
+sysnet_read_config(virt_domain)
+
+term_use_all_inherited_terms(virt_domain)
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
+
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_manage_ecryptfs_files(virt_domain)
+')
+
+tunable_policy(`virt_use_comm',`
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
+
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
+')
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
+ fs_read_fusefs_symlinks(virt_domain)
+ fs_getattr_fusefs(virt_domain)
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virt_domain)
+ fs_manage_nfs_files(virt_domain)
+ fs_manage_nfs_named_sockets(virt_domain)
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
+ fs_mmap_nfs_files(virt_domain)
+')
+
+tunable_policy(`virt_use_rawip',`
+ allow virt_domain self:rawip_socket create_socket_perms;
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
+ fs_manage_cifs_named_sockets(virt_domain)
+ fs_read_cifs_symlinks(virt_domain)
+ fs_getattr_cifs(virt_domain)
+')
+
+tunable_policy(`virt_use_usb',`
+ dev_rw_usbfs(virt_domain)
+ dev_read_sysfs(virt_domain)
+ fs_getattr_dos_fs(virt_domain)
+ fs_manage_dos_dirs(virt_domain)
+ fs_manage_dos_files(virt_domain)
+ udev_read_db(virt_domain)
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_glusterd',`
+ glusterd_manage_pid(virt_domain)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_pcscd',`
+ pcscd_stream_connect(virt_domain)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_sanlock',`
+ sanlock_stream_connect(virt_domain)
+ sanlock_read_state(virt_domain)
+ ')
+')
+
+optional_policy(`
+ tunable_policy(`virt_use_xserver',`
+ xserver_stream_connect(virt_domain)
+ ')
+')
+
+optional_policy(`
+ alsa_read_rw_config(virt_domain)
+')
+
+optional_policy(`
+ gnome_dontaudit_manage_cache_home_dir(virt_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_read_pid(virt_domain)
+')
+
+optional_policy(`
+ nscd_dontaudit_write_sock_file(virt_domain)
+')
+
+optional_policy(`
+ openvswitch_stream_connect(svirt_t)
+')
+
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
+
+optional_policy(`
+ sssd_dontaudit_stream_connect(virt_domain)
+ sssd_dontaudit_read_lib(virt_domain)
+')
+
+optional_policy(`
+ sssd_read_public_files(virt_domain)
+')
+
+optional_policy(`
+ unconfined_dontaudit_read_state(virt_domain)
+')
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
+ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
+')
+
+optional_policy(`
+ xserver_rw_shm(virt_domain)
+')
+
+########################################
+#
+# xm local policy
+#
+type virsh_t, virt_system_domain;
+type virsh_exec_t, virt_file_type;
+init_system_domain(virsh_t, virsh_exec_t)
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
+allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot
sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setcap setexec setsched signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virsh_t self:tcp_socket create_stream_socket_perms;
+
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
+
+can_exec(virsh_t, virsh_exec_t)
+virt_domtrans(virsh_t)
+virt_manage_images(virsh_t)
+virt_manage_config(virsh_t)
+virt_stream_connect(virsh_t)
+
+manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
+files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
+
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
+manage_dirs_pattern(virsh_t, container_file_t, container_file_t)
+manage_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_chr_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_sock_files_pattern(virsh_t, container_file_t, container_file_t)
+manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t)
+virt_transition_svirt_sandbox(virsh_t, system_r)
+
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_write_proc_files(virsh_t)
+kernel_read_system_state(virsh_t)
+kernel_read_network_state(virsh_t)
+kernel_read_kernel_sysctls(virsh_t)
+kernel_read_sysctl(virsh_t)
+kernel_read_xen_state(virsh_t)
+kernel_write_xen_state(virsh_t)
+
+corecmd_exec_bin(virsh_t)
+corecmd_exec_shell(virsh_t)
+
+corenet_tcp_sendrecv_generic_if(virsh_t)
+corenet_tcp_sendrecv_generic_node(virsh_t)
+corenet_tcp_connect_soundd_port(virsh_t)
+
+dev_read_rand(virsh_t)
+dev_read_urand(virsh_t)
+dev_read_sysfs(virsh_t)
+
+files_read_etc_runtime_files(virsh_t)
+files_list_mnt(virsh_t)
+files_list_tmp(virsh_t)
+# Some common macros (you might be able to remove some)
+
+fs_getattr_all_fs(virsh_t)
+fs_manage_xenfs_dirs(virsh_t)
+fs_manage_xenfs_files(virsh_t)
+fs_search_auto_mountpoints(virsh_t)
+
+storage_raw_read_fixed_disk(virsh_t)
+
+term_use_all_inherited_terms(virsh_t)
+term_dontaudit_use_generic_ptys(virsh_t)
+
+userdom_search_admin_dir(virsh_t)
+userdom_read_home_certs(virsh_t)
+
+init_stream_connect_script(virsh_t)
+init_rw_script_stream_sockets(virsh_t)
+init_use_fds(virsh_t)
+
+systemd_exec_systemctl(virsh_t)
+
+auth_read_passwd(virsh_t)
+
+logging_send_syslog_msg(virsh_t)
+
+sysnet_dns_name_resolve(virsh_t)
+
+userdom_stream_connect(virsh_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virsh_t)
+ fs_manage_nfs_files(virsh_t)
+ fs_read_nfs_symlinks(virsh_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(virsh_t)
+ fs_manage_cifs_files(virsh_t)
+ fs_read_cifs_symlinks(virsh_t)
+')
+
+optional_policy(`
+ cron_system_entry(virsh_t, virsh_exec_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(virsh_t)
+')
+
+optional_policy(`
+ rhcs_domtrans_fenced(virsh_t)
+')
+
+optional_policy(`
+ rpm_exec(virsh_t)
+')
+
+optional_policy(`
+ vhostmd_rw_tmpfs_files(virsh_t)
+ vhostmd_stream_connect(virsh_t)
+ vhostmd_dontaudit_rw_stream_connect(virsh_t)
+')
+
+optional_policy(`
+ ssh_basic_client_template(virsh, virsh_t, system_r)
+
+ kernel_read_xen_state(virsh_ssh_t)
+ kernel_write_xen_state(virsh_ssh_t)
+
+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp(virsh_ssh_t)
+
+ fs_manage_xenfs_dirs(virsh_ssh_t)
+ fs_manage_xenfs_files(virsh_ssh_t)
+
+ userdom_search_admin_dir(virsh_ssh_t)
+')
+
+optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_read_image_files(virsh_t)
+ xen_read_lib_files(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
+ xen_read_pid_files_xenstored(virsh_t)
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+')
+
+########################################
+#
+# virt_lxc local policy
+#
+allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow virtd_lxc_t self:capability { chown dac_read_search net_admin net_raw setgid
setpcap setuid sys_admin sys_boot sys_nice sys_resource };
+allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition };
+#allow virtd_lxc_t self:capability2 compromise_kernel;
+
+allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms
};
+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow virtd_lxc_t self:packet_socket create_socket_perms;
+ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
+
+corecmd_entrypoint_all_executables(virtd_lxc_t)
+files_entrypoint_all_mountpoint(virtd_lxc_t)
+
+allow virtd_lxc_t virt_image_type:dir mounton;
+manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
+
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
+allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms };
+
+allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
+filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+
+manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+allow virtd_lxc_t container_file_t:dir_file_class_set { relabelfrom relabelto };
+allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto };
+files_associate_rootfs(container_file_t)
+
+seutil_read_file_contexts(virtd_lxc_t)
+
+storage_manage_fixed_disk(virtd_lxc_t)
+storage_rw_fuse(virtd_lxc_t)
+
+kernel_read_all_sysctls(virtd_lxc_t)
+kernel_read_network_state(virtd_lxc_t)
+kernel_read_system_state(virtd_lxc_t)
+kernel_request_load_module(virtd_lxc_t)
+
+corecmd_exec_bin(virtd_lxc_t)
+corecmd_exec_shell(virtd_lxc_t)
+
+dev_relabel_all_dev_nodes(virtd_lxc_t)
+dev_rw_sysfs(virtd_lxc_t)
+dev_read_sysfs(virtd_lxc_t)
+dev_read_urand(virtd_lxc_t)
+
+domain_use_interactive_fds(virtd_lxc_t)
+
+files_search_all(virtd_lxc_t)
+files_getattr_all_files(virtd_lxc_t)
+files_relabel_rootfs(virtd_lxc_t)
+files_mounton_non_security(virtd_lxc_t)
+files_mount_all_file_type_fs(virtd_lxc_t)
+files_unmount_all_file_type_fs(virtd_lxc_t)
+files_list_isid_type_dirs(virtd_lxc_t)
+files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set)
+
+fs_read_fusefs_files(virtd_lxc_t)
+fs_getattr_all_fs(virtd_lxc_t)
+fs_manage_tmpfs_dirs(virtd_lxc_t)
+fs_manage_tmpfs_chr_files(virtd_lxc_t)
+fs_manage_tmpfs_symlinks(virtd_lxc_t)
+fs_manage_cgroup_dirs(virtd_lxc_t)
+fs_mounton_tmpfs(virtd_lxc_t)
+fs_remount_all_fs(virtd_lxc_t)
+fs_rw_cgroup_files(virtd_lxc_t)
+fs_unmount_all_fs(virtd_lxc_t)
+fs_relabelfrom_tmpfs(virtd_lxc_t)
+
+logging_send_audit_msgs(virtd_lxc_t)
+
+selinux_mount_fs(virtd_lxc_t)
+selinux_unmount_fs(virtd_lxc_t)
+seutil_read_config(virtd_lxc_t)
+
+term_use_generic_ptys(virtd_lxc_t)
+term_use_ptmx(virtd_lxc_t)
+term_relabel_pty_fs(virtd_lxc_t)
+
+auth_use_nsswitch(virtd_lxc_t)
+
+logging_send_syslog_msg(virtd_lxc_t)
+
+seutil_domtrans_setfiles(virtd_lxc_t)
+seutil_read_default_contexts(virtd_lxc_t)
+
+selinux_get_enforce_mode(virtd_lxc_t)
+selinux_get_fs_mount(virtd_lxc_t)
+selinux_validate_context(virtd_lxc_t)
+selinux_compute_access_vector(virtd_lxc_t)
+selinux_compute_create_context(virtd_lxc_t)
+selinux_compute_relabel_context(virtd_lxc_t)
+selinux_compute_user_contexts(virtd_lxc_t)
+
+sysnet_exec_ifconfig(virtd_lxc_t)
+
+systemd_dbus_chat_machined(virtd_lxc_t)
+
+userdom_read_admin_home_files(virtd_lxc_t)
+
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
+')
+
+optional_policy(`
+ container_exec_lib(virtd_lxc_t)
+')
+
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
+
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
+
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
+
+########################################
+#
+# svirt_sandbox_domain local policy
+#
+allow svirt_sandbox_domain self:key manage_key_perms;
+dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search;
+
+allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid
setrlimit setsched signal_perms };
+allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms;
+allow svirt_sandbox_domain self:msg all_msg_perms;
+allow svirt_sandbox_domain self:sem create_sem_perms;
+allow svirt_sandbox_domain self:shm create_shm_perms;
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
+allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms
};
+allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow svirt_sandbox_domain self:passwd rootok;
+allow svirt_sandbox_domain self:filesystem associate;
+allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+
+fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+fs_rw_onload_sockets(svirt_sandbox_domain)
+
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
+
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto
create_stream_socket_perms };
+allow virtd_t svirt_sandbox_domain:process { getattr signal_perms };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setrlimit setsched
signal_perms transition };
+
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+
+manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto };
+allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto };
+allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton;
+
+list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+allow svirt_sandbox_domain container_file_t:file execmod;
+can_exec(svirt_sandbox_domain, container_file_t)
+
+allow svirt_sandbox_domain container_file_t:blk_file setattr;
+rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+can_exec(svirt_sandbox_domain, container_file_t)
+allow svirt_sandbox_domain container_file_t:dir mounton;
+allow svirt_sandbox_domain container_file_t:filesystem { getattr remount };
+
+kernel_list_all_proc(svirt_sandbox_domain)
+kernel_read_all_sysctls(svirt_sandbox_domain)
+kernel_rw_net_sysctls(svirt_sandbox_domain)
+kernel_rw_unix_sysctls(svirt_sandbox_domain)
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain)
+kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain)
+kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain)
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
+domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
+domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
+
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
+files_search_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
+
+files_entrypoint_all_mountpoint(svirt_sandbox_domain)
+corecmd_entrypoint_all_executables(svirt_sandbox_domain)
+
+files_search_all(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+fs_rw_cephfs_files(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
+fs_search_tmpfs(svirt_sandbox_domain)
+fs_rw_hugetlbfs_files(svirt_sandbox_domain)
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
+auth_search_pam_console_data(svirt_sandbox_domain)
+
+init_dontaudit_read_utmp(svirt_sandbox_domain)
+init_dontaudit_write_utmp(svirt_sandbox_domain)
+
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
+
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
+miscfiles_read_fonts(svirt_sandbox_domain)
+miscfiles_read_hwdata(svirt_sandbox_domain)
+
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(svirt_sandbox_domain)
+ fs_manage_nfs_files(svirt_sandbox_domain)
+ fs_manage_nfs_named_sockets(svirt_sandbox_domain)
+ fs_manage_nfs_symlinks(svirt_sandbox_domain)
+ fs_mount_nfs(svirt_sandbox_domain)
+ fs_unmount_nfs(svirt_sandbox_domain)
+ fs_exec_nfs_files(svirt_sandbox_domain)
+ kernel_rw_fs_sysctls(svirt_sandbox_domain)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(svirt_sandbox_domain)
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
+ fs_exec_cifs_files(svirt_sandbox_domain)
+')
+
+tunable_policy(`virt_sandbox_use_fusefs',`
+ fs_manage_fusefs_dirs(svirt_sandbox_domain)
+ fs_manage_fusefs_files(svirt_sandbox_domain)
+ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
+ fs_mount_fusefs(svirt_sandbox_domain)
+ fs_unmount_fusefs(svirt_sandbox_domain)
+ fs_exec_fusefs_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+tunable_policy(`virt_sandbox_share_apache_content',`
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+ ')
+')
+
+optional_policy(`
+ container_read_share_files(svirt_sandbox_domain)
+ container_exec_share_files(svirt_sandbox_domain)
+ container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file)
+ container_use_ptys(svirt_sandbox_domain)
+ container_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
+########################################
+#
+# container_t local policy
+#
+virt_sandbox_domain_template(container)
+typealias container_t alias svirt_lxc_net_t;
+# Policy moved to container-selinux policy package
+
+########################################
+#
+# container_t local policy
+#
+virt_sandbox_domain_template(svirt_qemu_net)
+typeattribute svirt_qemu_net_t sandbox_net_domain;
+
+allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock
kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource
};
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execmem execstack };
+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
+ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+
+term_use_generic_ptys(svirt_qemu_net_t)
+term_use_ptmx(svirt_qemu_net_t)
+
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
+
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(container_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
+
+logging_send_syslog_msg(svirt_qemu_net_t)
+
+userdom_use_user_ptys(svirt_qemu_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_qemu_net_t)
+')
+
+#######################################
+#
+# virtinterfaced local policy
+#
+allow virtinterfaced_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { dir file })
+
+kernel_read_network_state(virtinterfaced_t)
+
+corecmd_exec_bin(virtinterfaced_t)
+
+fs_getattr_all_fs(virtinterfaced_t)
+
+modutils_read_module_config(virtinterfaced_t)
+
+sysnet_manage_config(virtinterfaced_t)
+
+userdom_read_all_users_state(virtinterfaced_t)
+
+#######################################
+#
+# virtnetworkd local policy
+#
+allow virtnetworkd_t self:capability { kill sys_ptrace };
+allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms;
+allow virtnetworkd_t self:process setcap;
+allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto };
+
+manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t)
+
+manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_network_state(virtnetworkd_t)
+kernel_request_load_module(virtnetworkd_t)
+kernel_rw_net_sysctls(virtnetworkd_t)
+
+corenet_rw_tun_tap_dev(virtnetworkd_t)
+
+dev_rw_sysfs(virtnetworkd_t)
+
+sysnet_read_config(virtnetworkd_t)
+
+optional_policy(`
+ dnsmasq_domtrans(virtnetworkd_t)
+ dnsmasq_manage_pid_files(virtnetworkd_t)
+ dnsmasq_read_state(virtnetworkd_t)
+ dnsmasq_signal(virtnetworkd_t)
+ dnsmasq_signull(virtnetworkd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtnetworkd_t)
+ iptables_read_var_run(virtnetworkd_t)
+')
+
+#######################################
+#
+# virtnodedevd local policy
+#
+allow virtnodedevd_t self:capability sys_admin;
+allow virtnodedevd_t self:netlink_generic_socket create_socket_perms;
+
+kernel_request_load_module(virtnodedevd_t)
+
+dev_rw_mtrr(virtnodedevd_t)
+
+miscfiles_read_hwdata(virtnodedevd_t)
+
+optional_policy(`
+ udev_read_pid_files(virtnodedevd_t)
+')
+
+#######################################
+#
+# virtnwfilterd local policy
+#
+allow virtnwfilterd_t self:capability net_raw;
+allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms;
+allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms;
+allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt };
+allow virtnwfilterd_t self:rawip_socket create_socket_perms;
+
+manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t)
+manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t)
+
+manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t)
+
+kernel_read_all_proc(virtnwfilterd_t)
+kernel_read_net_sysctls(virtnwfilterd_t)
+kernel_request_load_module(virtnwfilterd_t)
+
+corecmd_exec_bin(virtnwfilterd_t)
+
+optional_policy(`
+ dnsmasq_domtrans(virtnwfilterd_t)
+ dnsmasq_manage_pid_files(virtnwfilterd_t)
+')
+
+optional_policy(`
+ iptables_domtrans(virtnwfilterd_t)
+ iptables_filetrans_named_content(virtnwfilterd_t)
+ iptables_read_var_run(virtnwfilterd_t)
+')
+
+#######################################
+#
+# virtproxyd local policy
+#
+allow virtproxyd_t self:tcp_socket create_stream_socket_perms;
+allow virtproxyd_t self:udp_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(virtproxyd_t)
+corenet_tcp_bind_virt_port(virtproxyd_t)
+
+userdom_read_all_users_state(virtproxyd_t)
+
+#######################################
+#
+# virtqemud local policy
+#
+allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner
fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio };
+allow virtqemud_t self:netlink_audit_socket nlmsg_relay;
+allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate };
+allow virtqemud_t self:tcp_socket create_socket_perms;
+allow virtqemud_t self:tun_socket create;
+allow virtqemud_t self:udp_socket { create getattr };
+
+allow virtqemud_t svirt_t:process { setsched signal signull transition };
+allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
+allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;
+
+allow virtqemud_t qemu_var_run_t:dir relabelfrom;
+
+allow virtqemud_t virt_cache_t:file { relabelfrom relabelto };
+
+allow virtqemud_t virt_driver_domain:unix_stream_socket connectto;
+
+allow virtqemud_t virt_var_run_t:file map;
+
+allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
+allow virtqemud_t virtlogd_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t)
+manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t)
+manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t)
+files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file})
+
+manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
+manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
+manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
+
+manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
+manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
+read_files_pattern(virtqemud_t, svirt_t, svirt_t)
+read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t)
+
+manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t)
+
+manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t)
+
+manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t)
+
+manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t)
+
+read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t)
+
+kernel_read_all_proc(virtqemud_t)
+kernel_request_load_module(virtqemud_t)
+
+corecmd_exec_bin(virtqemud_t)
+corecmd_exec_shell(virtqemud_t)
+
+corenet_rw_tun_tap_dev(virtqemud_t)
+corenet_tcp_bind_generic_node(virtqemud_t)
+corenet_tcp_bind_vnc_port(virtqemud_t)
+
+dev_read_cpuid(virtqemud_t)
+dev_read_sysfs(virtqemud_t)
+dev_read_urand(virtqemud_t)
+dev_relabel_all_dev_nodes(virtqemud_t)
+dev_rw_kvm(virtqemud_t)
+dev_rw_vhost(virtqemud_t)
+
+files_mounton_non_security(virtqemud_t)
+files_read_all_symlinks(virtqemud_t)
+
+fs_getattr_hugetlbfs(virtqemud_t)
+fs_manage_hugetlbfs_dirs(virtqemud_t)
+fs_manage_cgroup_dirs(virtqemud_t)
+fs_manage_cgroup_files(virtqemud_t)
+fs_manage_tmpfs_chr_files(virtqemud_t)
+fs_manage_tmpfs_dirs(virtqemud_t)
+fs_manage_tmpfs_symlinks(virtqemud_t)
+fs_mount_tmpfs(virtqemud_t)
+fs_read_nsfs_files(virtqemud_t)
+fs_relabel_tmpfs_chr_file(virtqemud_t)
+
+seutil_read_default_contexts(virtqemud_t)
+seutil_read_file_contexts(virtqemud_t)
+
+init_stream_connect(virtqemud_t)
+init_stream_connect_script(virtqemud_t)
+
+sysnet_exec_ifconfig(virtqemud_t)
+sysnet_manage_config(virtqemud_t)
+
+userdom_read_all_users_state(virtqemud_t)
+userdom_read_user_home_content_files(virtqemud_t)
+userdom_relabel_user_home_files(virtqemud_t)
+
+tunable_policy(`virtqemud_use_execmem',`
+ allow virtqemud_t self:process { execmem execstack };
+')
+
+optional_policy(`
+ dmidecode_domtrans(virtqemud_t)
+')
+
+optional_policy(`
+ qemu_exec(virtqemud_t)
+')
+
+optional_policy(`
+ systemd_userdbd_stream_connect(virtqemud_t)
+')
+
+#######################################
+#
+# virtstoraged local policy
+#
+allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock };
+
+files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir })
+
+manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)
+
+manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t)
+
+manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t)
+
+manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virtstoraged_t)
+
+fs_getattr_all_fs(virtstoraged_t)
+
+userdom_read_user_home_content_files(virtstoraged_t)
+
+#######################################
+#
+# virtvboxd local policy
+#
+allow virtvboxd_t self:netlink_audit_socket create;
+allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow virtvboxd_t self:netlink_route_socket create_socket_perms;
+allow virtvboxd_t self:unix_dgram_socket create;
+allow virtvboxd_t virt_etc_t:dir search;
+
+#######################################
+#
+# virtvzd local policy
+#
+# Use unconfined_domain macro until the policy for this driver is made,
+# to avoid lots of SELinux policy denials and confused users.
+optional_policy(`
+ unconfined_domain(virtvzd_t)
+')
+
+#######################################
+#
+# virtxend local policy
+#
+# Use unconfined_domain macro until the policy for this driver is made,
+# to avoid lots of SELinux policy denials and confused users.
+optional_policy(`
+ unconfined_domain(virtxend_t)
+')
+
+#######################################
+#
+# tye for svirt sockets
+#
+
+type svirt_socket_t;
+domain_type(svirt_socket_t)
+role system_r types svirt_socket_t;
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms
};
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto
create_stream_socket_perms };
+
+tunable_policy(`virt_transition_userdomain',`
+ userdom_transition(virtd_t)
+ userdom_transition(virtd_lxc_t)
+')
+
+########################################
+#
+# svirt_kvm_net_t local policy
+#
+virt_sandbox_domain_template(svirt_kvm_net)
+typeattribute svirt_kvm_net_t sandbox_net_domain;
+
+allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill
setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource };
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
+ allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
+term_use_generic_ptys(svirt_kvm_net_t)
+term_use_ptmx(svirt_kvm_net_t)
+
+dev_rw_kvm(svirt_kvm_net_t)
+
+manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t)
+
+list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t)
+
+kernel_read_network_state(svirt_kvm_net_t)
+kernel_read_irq_sysctls(svirt_kvm_net_t)
+
+dev_read_sysfs(svirt_kvm_net_t)
+dev_getattr_mtrr_dev(svirt_kvm_net_t)
+dev_read_rand(svirt_kvm_net_t)
+dev_read_urand(svirt_kvm_net_t)
+
+files_read_kernel_modules(svirt_kvm_net_t)
+
+fs_noxattr_type(container_file_t)
+fs_mount_cgroup(svirt_kvm_net_t)
+fs_manage_cgroup_dirs(svirt_kvm_net_t)
+fs_manage_cgroup_files(svirt_kvm_net_t)
+
+term_pty(container_file_t)
+
+auth_use_nsswitch(svirt_kvm_net_t)
+
+rpm_read_db(svirt_kvm_net_t)
+
+logging_send_syslog_msg(svirt_kvm_net_t)
+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(svirt_kvm_net_t)
+')
+
+userdom_use_user_ptys(svirt_kvm_net_t)
+
+kernel_read_network_state(sandbox_net_domain)
+
+allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw };
+allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw };
+
+allow sandbox_net_domain self:udp_socket create_socket_perms;
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow sandbox_net_domain self:packet_socket create_socket_perms;
+allow sandbox_net_domain self:socket create_socket_perms;
+allow sandbox_net_domain self:rawip_socket create_stream_socket_perms;
+allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+corenet_tcp_bind_generic_node(sandbox_net_domain)
+corenet_udp_bind_generic_node(sandbox_net_domain)
+corenet_raw_bind_generic_node(sandbox_net_domain)
+corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_sendrecv_all_ports(sandbox_net_domain)
+corenet_udp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_bind_all_ports(sandbox_net_domain)
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
+optional_policy(`
+ sssd_stream_connect(sandbox_net_domain)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
+allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill
mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
+allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill
mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot };
+
+list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+allow svirt_sandbox_domain container_ro_file_t:file execmod;
+can_exec(svirt_sandbox_domain, container_ro_file_t)
--
2.31.1