Add SELinux policy for Virt

Hi,

I created an SELinux policy for Libvirt drivers, as part of the Decentralized SELinux Policy (DSP) project.

DSP guidelines are available: https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Discussion about the first version of the SELinux policy for Libvirt is available on gitlab: https://gitlab.com/libvirt/libvirt/-/merge_requests/65

SELinux policy was created for:

Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)

Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)

SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.

Can you please look at it?

Thanks
Nikola

SELinux policy was created for: Hypervisor drivers: - virtqemud (QEMU/KVM) - virtlxcd (LXC) - virtvboxd (VirtualBox) Secondary drivers: - virtstoraged (host storage mgmt) - virtnetworkd (virtual network mgmt) - virtinterface (network interface mgmt) - virtnodedevd (physical device mgmt) - virtsecretd (security credential mgmt) - virtnwfilterd (ip[6]tables/ebtables mgmt) - virtproxyd (proxy daemon) SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made. Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 62 ++ selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 4243 insertions(+) create mode 100644 selinux/virt.fc create mode 100644 selinux/virt.if create mode 100644 selinux/virt.te diff --git a/libvirt.spec.in b/libvirt.spec.in index 8d8b900fbb..db08d91043 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,13 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename virt +%endif + %define min_rhel 7 %define min_fedora 31 
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-client = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + # All build-time requirements. Run-time requirements are # listed against each sub-RPM %if 0%{?rhel} == 7 @@ -983,6 +996,19 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} %description nss Libvirt plugin for NSS for translating domain names into IP addresses. +%if 0%{?with_selinux} +# SELinux subpackage +%package selinux +Summary: Libvirt SELinux policy +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +SELinux policy module for libvirt. +%endif %prep @@ -1214,6 +1240,14 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell} %meson_build +%if 0%{?with_selinux} +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +cd selinux + +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp +%endif %install rm -fr %{buildroot} @@ -1298,6 +1332,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif +%if 0%{?with_selinux} +install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%endif + %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout 
@@ -1506,6 +1544,24 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +%endif + %files %files docs @@ -1972,5 +2028,11 @@ exit 0 %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%endif + %changelog diff --git a/selinux/virt.fc b/selinux/virt.fc new file mode 100644 index 0000000000..b7a2375ca1 --- /dev/null +++ b/selinux/virt.fc 
@@ -0,0 +1,111 @@ +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd 
-- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Avoid calling m4's "interface" by using en empty string +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) 
+/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) + +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/selinux/virt.if b/selinux/virt.if new file mode 100644 index 0000000000..7e92675750 --- /dev/null +++ b/selinux/virt.if 
@@ -0,0 +1,1984 @@ +## <summary>Libvirt virtualization API</summary> + +######################################## +## <summary> +## virtd_lxc_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_lxc',` + gen_require(` + type virtd_lxc_t; + ') +') + +######################################## +## <summary> +## svirt_sandbox_domain attribute stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_svirt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') +') + +######################################## +## <summary> +## container_file_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_container_image',` + gen_require(` + type container_file_t; + ') +') + +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type container_file_t; + type container_ro_file_t; + ') +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_domain_template',` + gen_require(` + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; + type qemu_exec_t; + type virtlogd_t; + ') + + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + + kernel_read_system_state($1_t) + + auth_read_passwd($1_t) + + logging_send_syslog_msg($1_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) + + # Allow domain to write to pipes connected to virtlogd + allow $1_t virtlogd_t:fd use; + allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_etc_t; + type virt_etc_rw_t; + type virt_var_run_t; + ') + + type $1_t, virt_driver_domain; + + type $1_exec_t, virt_driver_executable; + init_daemon_domain($1_t, $1_exec_t) + + type $1_var_run_t, virt_driver_var_run; + files_pid_file($1_var_run_t) + + ################################## + # + # Local policy + # + + allow $1_t self:netlink_audit_socket create; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_t self:rawip_socket create_socket_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } ) + filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } ) + + read_files_pattern($1_t, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1_t) + + auth_read_passwd($1_t) + + dbus_read_pid_files($1_t) + dbus_stream_connect_system_dbusd($1_t) + + dev_read_sysfs($1_t) + + files_read_non_security_files($1_t) + init_read_utmp($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_generic_certs($1_t) + + virt_manage_cache($1_t) + 
virt_manage_pid_files($1_t) + virt_stream_connect($1_t) + + optional_policy(` + dbus_system_bus_client($1_t) + ') + + optional_policy(` + dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t) + ') + + optional_policy(` + systemd_dbus_chat_logind($1_t) + systemd_machined_stream_connect($1_t) + systemd_write_inhibit_pipes($1_t) + ') +') + +######################################## +## <summary> +## Make the specified type usable as a virt image +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virtual image +## </summary> +## </param> +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_getattr_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + allow $1 virtd_exec_t:file getattr; + allow $1 virt_driver_executable:file getattr; +') + +######################################## +## <summary> +## Execute a domain transition to run virt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +######################################## +## <summary> +## Execute virtd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + can_exec($1, virtd_exec_t) + can_exec($1, virt_driver_executable) +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_var_run; + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain) +') + +######################################## +## <summary> +## Read and write to virt_domain unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_virt_domain',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:unix_stream_socket { read write }; +') + + +####################################### +## <summary> +## Connect to svirt process over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_svirt',` + gen_require(` + type svirt_t; + type svirt_image_t; + ') + + stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) +') + +######################################## +## <summary> +## Read and write to apmd unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; +') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 virt_driver_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Allow domain to attach to virt sandbox TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_sandbox_tun_iface',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## manage virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + allow $1 virt_content_t:blk_file map; + allow $1 virt_content_t:file map; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to write virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## <summary> +## Read virt PID symlinks files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_symlinks',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Read virt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Manage virt pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_dirs',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) +') + +######################################## +## <summary> +## Manage virt pid files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) +') + +######################################## +## <summary> +## Create objects in the pid directory +## with a private type with a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`virt_pid_filetrans',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + filetrans_pattern($1, virt_driver_var_run, $2, $3, $4) +') + +######################################## +## <summary> +## Search virt lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Dontaudit inherited read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read virt's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## virt log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to manage virt log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to getattr virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to search virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow domain to read virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to read virt blk image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_blk_images',` + gen_require(` + attribute virt_image_type; + ') + + read_blk_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Allow domain to read/write virt image chr files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_chr_files',` + gen_require(` + attribute virt_image_type; + ') + + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Create, read, write, and delete +## svirt cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_cache',` + gen_require(` + type virt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +####################################### +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_default_image_type',` + gen_require(` + type virt_var_lib_t; + type virt_image_t; + ') + + virt_search_lib($1) + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') + +####################################### +## <summary> +## Get virtd services status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virtd_service_status',` + gen_require(` + type virtd_unit_file_t; + ') + + allow $1 virtd_unit_file_t:service status; +') + +######################################## +## <summary> +## Execute virt server in the virt domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_systemctl',` + gen_require(` + type virtd_unit_file_t; + type virtd_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) +') + +######################################## +## <summary> +## Ptrace the svirt domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_ptrace',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process ptrace; +') + +####################################### +## <summary> +## Execute Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + can_exec($1, svirt_file_type) +') + +######################################## +## <summary> +## Allow any svirt_file_type to be an entrypoint of this domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_sandbox_entrypoint',` + gen_require(` + attribute svirt_file_type; + ') + allow $1 svirt_file_type:file entrypoint; +') + +####################################### +## <summary> +## List Sandbox Dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_list_sandbox_dirs',` + gen_require(` + type svirt_sandbox_file_t; + ') + + list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + +####################################### +## <summary> +## Read Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + list_dirs_pattern($1, svirt_file_type, svirt_file_type) + read_files_pattern($1, svirt_file_type, svirt_file_type) + read_lnk_files_pattern($1, svirt_file_type, svirt_file_type) +') + +####################################### +## <summary> +## Manage Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + manage_dirs_pattern($1, svirt_file_type, svirt_file_type) + manage_files_pattern($1, svirt_file_type, svirt_file_type) + manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type) + manage_chr_files_pattern($1, svirt_file_type, svirt_file_type) + manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type) + allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Getattr Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem getattr; +') + +####################################### +## <summary> +## Relabel Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Mounton Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_mounton_sandbox_file',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:dir_file_class_set mounton; +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + attribute svirt_file_type; + ') + + files_search_pids($1) + stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt',` + gen_require(` + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; + ') + + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + + allow $1 virt_domain:process { sigkill signal signull sigstop }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + + optional_policy(` + ptchown_run(virt_domain, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to write virt daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + +######################################## +## <summary> +## Send a sigkill to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process sigkill; +') + +######################################## +## <summary> +## Send a sigkill to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process sigkill; + allow $1 virt_driver_domain:process sigkill; +') + +######################################## +## <summary> +## Send a signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signal; + allow $1 virt_driver_domain:process signal; +') + +######################################## +## <summary> +## Send null signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signull',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signull; + allow $1 virt_driver_domain:process signull; +') + +######################################## +## <summary> +## Send a signal to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_signal_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process signal; +') + +######################################## +## <summary> +## Send a signal to sandbox domains +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process signal; +') + +######################################## +## <summary> +## Manage virt home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_home_files',` + gen_require(` + type virt_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) +') + +######################################## +## <summary> +## allow domain to read +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file read_file_perms; +') + +######################################## +## <summary> +## allow domain to manage +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## <summary> +## Create .virt directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + type svirt_home_t; + ') + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + + optional_policy(` + gnome_config_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") + gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') +') + +######################################## +## <summary> +## Dontaudit attempts to Read virt_image_type devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_chr_dev',` + gen_require(` + attribute virt_image_type; + ') + + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Make the specified type usable as a virt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt file type +## </summary> +## </param> +# +interface(`virt_file_types',` + gen_require(` + attribute virt_file_type; + ') + + typeattribute $1 virt_file_type; +') + +######################################## +## <summary> +## Make the specified type usable as a svirt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a svirt file type +## </summary> +## </param> +# +interface(`svirt_file_types',` + gen_require(` + attribute svirt_file_type; + ') + + typeattribute $1 svirt_file_type; +') + + +######################################## +## <summary> +## Creates types and rules for a basic +## virt_lxc process domain. 
+## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + logging_send_syslog_msg($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + # optional_policy(` + # container_runtime_typebounds($1_t) + # ') +') + +######################################## +## <summary> +## Make the specified type usable as a lxc domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc domain +## </summary> +## </param> +# +template(`virt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + typeattribute $1 svirt_sandbox_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a lxc network domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc network domain +## </summary> +## </param> +# +template(`virt_sandbox_net_domain',` + gen_require(` + attribute sandbox_net_domain; + ') + + virt_sandbox_domain($1) + typeattribute $1 sandbox_net_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a virt system domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt system domain +## </summary> +## </param> +# +interface(`virt_system_domain_type',` + gen_require(` + attribute virt_system_domain; + ') + + typeattribute $1 virt_system_domain; +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Transition to virt named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_filetrans_named_content',` + gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; + ') + + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process { signal_perms transition }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + + allow svirt_sandbox_domain $1:fd use; + + allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read the process state of virt sandbox containers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_sandbox_read_state',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read and write to svirt_image devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_image',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rlimitinh',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { rlimitinh }; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_noatsecure',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { noatsecure rlimitinh }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an virt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`virt_admin',` + gen_require(` + attribute virt_domain; + attribute virt_system_domain; + attribute svirt_file_type; + attribute virt_file_type; + type virtd_initrc_exec_t; + type virtd_unit_file_t; + ') + + allow $1 virt_system_domain:process signal_perms; + allow $1 virt_domain:process signal_perms; + ps_process_pattern($1, virt_system_domain) + ps_process_pattern($1, virt_domain) + tunable_policy(`deny_ptrace',`',` + allow $1 virt_system_domain:process ptrace; + allow $1 virt_domain:process ptrace; + ') + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + allow $1 virt_domain:process signal_perms; + + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) + + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; + + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_default_capabilities',` + gen_require(` + attribute sandbox_caps_domain; + ') + + typeattribute $1 sandbox_caps_domain; +') + +######################################## +## <summary> +## Send and receive messages from +## virt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dbus_chat',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + class dbus send_msg; + ') + + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + allow $1 virt_driver_domain:dbus send_msg; + allow virt_driver_domain $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) + ps_process_pattern(virt_driver_domain, $1) +') + +######################################## +## <summary> +## Execute a file in a sandbox directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a sandbox directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`virt_sandbox_domtrans',` + gen_require(` + type container_file_t; + ') + + domtrans_pattern($1,container_file_t, $2) +') + +######################################## +## <summary> +## Dontaudit read the process state (/proc/pid) of libvirt +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_state',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; +') + +####################################### +## <summary> +## Send to libvirt with a unix dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dgram_send',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## <summary> +## Manage svirt home files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_home',` + gen_require(` + type svirt_home_t; + ') + + manage_files_pattern($1, svirt_home_t, svirt_home_t) + manage_dirs_pattern($1, svirt_home_t, svirt_home_t) + manage_sock_files_pattern($1, svirt_home_t, svirt_home_t) +') + +######################################## +## <summary> +## Manage svirt tmp files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> +## Read qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) + read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') diff --git a/selinux/virt.te b/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/selinux/virt.te 
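Review bot: several interface docstrings in virt.if do not match the rules they document, and two of them hide a security-relevant grant: `virt_rlimitinh` and `virt_noatsecure` both carry the copy-pasted summary "Read and write to svirt_image devices." while `virt_noatsecure` actually grants `allow $1 virtd_t:process { noatsecure rlimitinh };`, and noatsecure switches off the AT_SECURE (secure-exec) protections on a transition into virtd_t, so the summary must say exactly that; rlimitinh already has its own interface and should not be bundled in silently. Same family of mismatch: `virt_getattr_images` is summarised as "getattr virt image direcories" but its rule is `allow $1 virt_image_type:file getattr_file_perms;` (file, not dir; the "direcories" typo also appears in `virt_search_images`); `virt_systemctl` says "Execute virt server in the virt domain" but grants systemctl execution plus `manage_service_perms` on virtd_unit_file_t; `virt_default_capabilities` says "Getattr on virt executable" but adds the type to sandbox_caps_domain; `virt_manage_default_image_type` repeats the `virt_manage_images` summary instead of saying it is limited to virt_image_t; and `virtd_service_status`, `virt_ptrace` and `virt_systemctl` describe their parameter as "Domain allowed to transition" although no transition is granted. Smaller points: `virt_admin` lists `allow $1 virt_domain:process signal_perms;` twice; `virt_sandbox_domain` and `virt_sandbox_net_domain` are declared with `template(` although they only add a typeattribute and take no prefix, so `interface(` is the right keyword; the commented-out `container_runtime_typebounds($1_t)` block in `virt_sandbox_domain_template` should either be enabled behind `optional_policy` or dropped with a comment saying why; and `domtrans_pattern($1,container_file_t, $2)` is missing the space after the first comma.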
@@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow confined virtual guests to use serial/parallel communication ports +## </p> +## </desc> +gen_tunable(virt_use_comm, false) + +## <desc> +## <p> +## Allow virtual processes to run as userdomains +## </p> +## </desc> +gen_tunable(virt_transition_userdomain, false) + +## <desc> +## <p> +## Allow confined virtual guests to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virt_use_execmem, false) + +## <desc> +## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> +## Allow confined virtual guests to read fuse files +## </p> +## </desc> +gen_tunable(virt_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to use glusterd +## </p> +## </desc> +gen_tunable(virt_use_glusterd, false) + +## <desc> +## <p> +## Allow sandbox containers to share apache content +## </p> +## </desc> +gen_tunable(virt_sandbox_share_apache_content, false) + +## <desc> +## <p> +## Allow sandbox containers manage fuse files +## </p> +## </desc> +gen_tunable(virt_sandbox_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage nfs files +## </p> +## </desc> +gen_tunable(virt_use_nfs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage cifs files +## </p> +## </desc> +gen_tunable(virt_use_samba, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> +## </desc> +gen_tunable(virt_use_sanlock, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> +## </desc> +gen_tunable(virt_use_rawip, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the xserver +## </p> +## </desc> +gen_tunable(virt_use_xserver, false) + +## <desc> +## <p> +## Allow 
confined virtual guests to use usb devices +## </p> +## </desc> +gen_tunable(virt_use_usb, true) + +## <desc> +## <p> +## Allow confined virtual guests to use smartcards +## </p> +## </desc> +gen_tunable(virt_use_pcscd, false) + +## <desc> +## <p> +## Allow sandbox containers to send audit messages + +## </p> +## </desc> +gen_tunable(virt_sandbox_use_audit, true) + +## <desc> +## <p> +## Allow sandbox containers to use netlink system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_netlink, false) + +## <desc> +## <p> +## Allow sandbox containers to use sys_admin system calls, for example mount +## </p> +## </desc> +gen_tunable(virt_sandbox_use_sys_admin, false) + +## <desc> +## <p> +## Allow sandbox containers to use mknod system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_mknod, false) + +## <desc> +## <p> +## Allow sandbox containers to use all capabilities +## </p> +## </desc> +gen_tunable(virt_sandbox_use_all_caps, true) + +## <desc> +## <p> +## Allow virtlockd read and lock block devices. 
+## </p> +## </desc> +gen_tunable(virt_lockd_blk_devs, false) + +gen_require(` + class passwd rootok; + class passwd passwd; +') + +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) + +virt_domain_template(svirt) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; + +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; +files_type(virt_cache_t) + +type virt_etc_t, virt_file_type; +files_config_file(virt_etc_t) + +type virt_etc_rw_t, virt_file_type; +files_type(virt_etc_rw_t) + +type virt_home_t, virt_file_type; +userdom_user_home_content(virt_home_t) + +type svirt_home_t, svirt_file_type; +userdom_user_home_content(svirt_home_t) + +# virt Image files +type virt_image_t, virt_file_type; # customizable +virt_image(virt_image_t) +files_mountpoint(virt_image_t) + +# virt Image files +type virt_content_t, virt_file_type; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) + +type virt_log_t, virt_file_type; +logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) + +type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) + +type virt_var_run_t, virt_file_type; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t, 
virt_file_type; +files_mountpoint(virt_var_lib_t) + +type virt_var_lockd_t, virt_file_type; + +type virtd_t, virt_system_domain; +type virtd_exec_t, virt_file_type; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + +type virtd_initrc_exec_t, virt_file_type; +init_script_file(virtd_initrc_exec_t) + +type virtd_keytab_t; +files_type(virtd_keytab_t) + +type virtlogd_t, virt_system_domain; +type virtlogd_exec_t, virt_file_type; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_etc_t, virt_file_type; +files_config_file(virtlogd_etc_t) + +type virtlogd_var_run_t, virt_file_type; +files_pid_file(virtlogd_var_run_t) + +type virtlogd_unit_file_t, virt_file_type; +systemd_unit_file(virtlogd_unit_file_t) + +type virtlogd_initrc_exec_t, virt_file_type; +init_script_file(virtlogd_initrc_exec_t) + +type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) +') + +# virtinterfaced +virt_driver_template(virtinterfaced) +files_type(virtinterfaced_t) + +# virtnetworkd +virt_driver_template(virtnetworkd) +files_type(virtnetworkd_t) + +# virtnodedevd +virt_driver_template(virtnodedevd) +files_type(virtnodedevd_t) + +# virtnwfilterd +virt_driver_template(virtnwfilterd) +files_type(virtnwfilterd_t) + +# virtproxyd +virt_driver_template(virtproxyd) +files_type(virtproxyd_t) + +# virtqemud +virt_driver_template(virtqemud) +files_type(virtqemud_t) 
+domain_obj_id_change_exemption(virtqemud_t) + +type virtqemud_tmp_t; +files_tmp_file(virtqemud_tmp_t) + +# virtsecretd +virt_driver_template(virtsecretd) +files_type(virtsecretd_t) + +# virtstoraged +virt_driver_template(virtstoraged) +files_type(virtstoraged_t) + +type virtstoraged_tmp_t; +files_tmp_file(virtstoraged_tmp_t) + +# virtvboxd +virt_driver_template(virtvboxd) +files_type(virtvboxd_t) + +# virtvzd +virt_driver_template(virtvzd) +files_type(virtvzd_t) + +# virtxend +virt_driver_template(virtxend) +files_type(virtxend_t) + +######################################## +# +# Declarations +# +attribute svirt_sandbox_domain; + +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + +# virt lxc container files +type container_file_t, svirt_file_type; +typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_file_t) + +type container_ro_file_t, svirt_file_type; +files_mountpoint(container_ro_file_t) + +######################################## +# +# svirt local policy +# + +allow svirt_t self:process ptrace; + +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +init_dontaudit_read_state(svirt_t) + +virt_dontaudit_read_state(svirt_t) + +storage_rw_inherited_fixed_disk_dev(svirt_t) + +userdom_read_all_users_state(svirt_t) + +####################################### +# +# svirt_prot_exec local policy +# + +allow svirt_tcg_t 
self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) +corenet_udp_bind_generic_node(svirt_tcg_t) +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) + +ps_process_pattern(svirt_tcg_t, virtd_t) + +virt_dontaudit_read_state(svirt_tcg_t) + +######################################## +# +# virtd local policy +# + +allow virtd_t self:capability { chown dac_read_search fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit virtd_t self:capability { sys_module }; +') + +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow virtd_t self:rawip_socket create_socket_perms; +allow virtd_t self:packet_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; +allow virtd_t self:netlink_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) +files_var_filetrans(virtd_t, virt_cache_t, dir) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virtd_keytab_t:file 
read_file_perms; + +allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virt_domain virtd_t:fd use; +allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain virtd_t:tun_socket attach_queue; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) +filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type) +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:dir { rmdir setattr }; +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t 
virt_image_type:chr_file relabel_chr_file_perms; +allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto }; +allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + +manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) +allow virtd_t virt_var_lib_t:file { relabelfrom relabelto }; + +manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +manage_files_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file }) + +manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) + +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t 
virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) + +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) +kernel_request_load_module(virtd_t) +kernel_search_debugfs(virtd_t) +kernel_dontaudit_setsched(virtd_t) +kernel_write_proc_files(virtd_t) + +corecmd_exec_bin(virtd_t) +corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_generic_if(virtd_t) +corenet_tcp_sendrecv_generic_node(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_generic_node(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) +corenet_relabel_tun_tap_dev(virtd_t) + +dev_rw_vfio_dev(virtd_t) +dev_rw_sysfs(virtd_t) +dev_read_urand(virtd_t) +dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) +dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) +dev_setattr_generic_usb_dev(virtd_t) +dev_relabel_generic_usb_dev(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_signull_all_domains(virtd_t) + +files_list_all_mountpoints(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) +files_relabelfrom_boot_files(virtd_t) +files_relabelto_boot_files(virtd_t) +files_manage_boot_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) + 
+fs_read_tmpfs_symlinks(virtd_t) +fs_list_auto_mountpoints(virtd_t) +fs_getattr_all_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) +fs_manage_cgroup_dirs(virtd_t) +fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_read_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) +mls_file_upgrade(virtd_t) + +mcs_process_set_categories(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) +storage_raw_write_removable_device(virtd_t) +storage_raw_read_removable_device(virtd_t) + +term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) +term_use_ptmx(virtd_t) + +auth_use_nsswitch(virtd_t) + +init_dbus_chat(virtd_t) + +miscfiles_read_generic_certs(virtd_t) +miscfiles_read_hwdata(virtd_t) + +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) + +logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) + +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) +seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) + +sysnet_signull_ifconfig(virtd_t) +sysnet_signal_ifconfig(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) + +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) + +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_tmp_files(virtd_t) +userdom_setattr_user_tmp_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) 
+userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_files(virtd_t) + fs_mmap_nfs_files(virtd_t) + fs_read_nfs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) +') + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + consoletype_exec(virtd_t) +') + +optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + consolekit_dbus_chat(virtd_t) + ') + + optional_policy(` + hal_dbus_chat(virtd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dmidecode_domtrans(virtd_t) +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t) + dnsmasq_manage_pid_files(virtd_t) +') + +optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall + iptables_manage_config(virtd_t) +') + +optional_policy(` + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + + xen_exec(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +') + +optional_policy(` + 
lvm_domtrans(virtd_t) +') + +optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(virtd_t) + mount_signal(virtd_t) +') + +optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') + +optional_policy(` + qemu_exec(virtd_t) +') + +optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` + udev_domtrans(virtd_t) + udev_read_db(virtd_t) + udev_read_pid_files(virtd_t) +') + +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## +# +# virtlogd local policy +# + +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) + +# virtlogd needs to read /etc/libvirt/virtlogd.conf only +allow virtlogd_t virtlogd_etc_t:file read_file_perms; +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:file read_file_perms; +allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock }; +allow virtlogd_t virt_etc_t:dir search; + +manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) + +# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated +# context from other stuff in /var/run/libvirt +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too + +# virtlogd creates a /var/run/virtlogd.pid file +allow virtlogd_t virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) 
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) + +manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) + +can_exec(virtlogd_t, virtlogd_exec_t) + +kernel_read_network_state(virtlogd_t) + +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + +# Allow virtlogd_t to execute itself. +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + +manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t) + +virt_manage_lib_files(virtlogd_t) + +tunable_policy(`virt_lockd_blk_devs',` + dev_lock_all_blk_files(virtlogd_t) +') + +tunable_policy(`virt_use_nfs',` + fs_append_nfs_files(virtlogd_t) +') + +optional_policy(` + dbus_system_bus_client(virtlogd_t) +') + +optional_policy(` + systemd_write_inhibit_pipes(virtlogd_t) + systemd_dbus_chat_logind(virtlogd_t) +') + +######################################## +# +# virtual domains common policy +# +#allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { getsched setrlimit setsched signal_perms }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain 
self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; +allow virt_domain self:icmp_socket create_socket_perms; +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; + +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) +kernel_ib_access_unlabeled_pkeys(virt_domain) + +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) +append_files_pattern(virt_domain, virt_home_t, virt_home_t) +manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +read_files_pattern(virt_domain, virt_image_t, virt_image_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_blk_files_pattern(virt_domain, 
svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) +allow svirt_t svirt_image_t:file map; +allow svirt_t svirt_image_t:blk_file map; + +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file}) +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) +allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh}; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) +corenet_tcp_bind_generic_node(virt_domain) +corenet_tcp_bind_vnc_port(virt_domain) +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) 
+corenet_rw_inherited_tun_tap_dev(virt_domain) + +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) +dev_read_generic_symlinks(virt_domain) +dev_read_rand(virt_domain) +dev_read_sound(virt_domain) +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_sev(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) +dev_rw_tpm(virt_domain) +dev_rw_xserver_misc(virt_domain) + +domain_use_interactive_fds(virt_domain) + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) + +fs_rw_cephfs_files(virt_domain) +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) +fs_rw_inherited_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) + +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_files(virt_domain) +') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) + fs_mmap_nfs_files(virt_domain) +') + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) +') + +optional_policy(` + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + sanlock_read_state(virt_domain) + ') +') + +optional_policy(` + 
tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') +') + +optional_policy(` + alsa_read_rw_config(virt_domain) +') + +optional_policy(` + gnome_dontaudit_manage_cache_home_dir(virt_domain) +') + +optional_policy(` + nscd_dontaudit_read_pid(virt_domain) +') + +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') + +optional_policy(` + openvswitch_stream_connect(svirt_t) +') + +optional_policy(` + ptchown_domtrans(virt_domain) +') + +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) +') + +optional_policy(` + sssd_read_public_files(virt_domain) +') + +optional_policy(` + unconfined_dontaudit_read_state(virt_domain) +') + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') + +optional_policy(` + xserver_rw_shm(virt_domain) +') + +######################################## +# +# xm local policy +# +type virsh_t, virt_system_domain; +type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap setexec setsched signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) +virt_domtrans(virsh_t) +virt_manage_images(virsh_t) +virt_manage_config(virsh_t) +virt_stream_connect(virsh_t) + +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) 
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +manage_dirs_pattern(virsh_t, container_file_t, container_file_t) +manage_files_pattern(virsh_t, container_file_t, container_file_t) +manage_chr_files_pattern(virsh_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t) +manage_sock_files_pattern(virsh_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_write_proc_files(virsh_t) +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_rand(virsh_t) +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_list_mnt(virsh_t) +files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + 
+storage_raw_read_fixed_disk(virsh_t) + +term_use_all_inherited_terms(virsh_t) +term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +systemd_exec_systemctl(virsh_t) + +auth_read_passwd(virsh_t) + +logging_send_syslog_msg(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +userdom_stream_connect(virsh_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) + fs_manage_cifs_files(virsh_t) + fs_read_cifs_symlinks(virsh_t) +') + +optional_policy(` + cron_system_entry(virsh_t, virsh_exec_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) + + optional_policy(` + hal_dbus_chat(virsh_t) + ') +') + +optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + +optional_policy(` + rpm_exec(virsh_t) +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +######################################## +# +# virt_lxc local policy +# +allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow 
virtd_lxc_t self:capability { chown dac_read_search net_admin net_raw setgid setpcap setuid sys_admin sys_boot sys_nice sys_resource }; +allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition }; +#allow virtd_lxc_t self:capability2 compromise_kernel; + +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_lxc_t self:packet_socket create_socket_perms; +ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +corecmd_entrypoint_all_executables(virtd_lxc_t) +files_entrypoint_all_mountpoint(virtd_lxc_t) + +allow virtd_lxc_t virt_image_type:dir mounton; +manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +allow 
virtd_lxc_t container_file_t:dir_file_class_set { relabelfrom relabelto }; +allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto }; +files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) + +storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) + +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) +kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) + +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) + +dev_relabel_all_dev_nodes(virtd_lxc_t) +dev_rw_sysfs(virtd_lxc_t) +dev_read_sysfs(virtd_lxc_t) +dev_read_urand(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + +files_search_all(virtd_lxc_t) +files_getattr_all_files(virtd_lxc_t) +files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) +files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) + +fs_read_fusefs_files(virtd_lxc_t) +fs_getattr_all_fs(virtd_lxc_t) +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) +fs_manage_tmpfs_symlinks(virtd_lxc_t) +fs_manage_cgroup_dirs(virtd_lxc_t) +fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) +fs_rw_cgroup_files(virtd_lxc_t) +fs_unmount_all_fs(virtd_lxc_t) +fs_relabelfrom_tmpfs(virtd_lxc_t) + +logging_send_audit_msgs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) +selinux_unmount_fs(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) + +term_use_generic_ptys(virtd_lxc_t) +term_use_ptmx(virtd_lxc_t) +term_relabel_pty_fs(virtd_lxc_t) + +auth_use_nsswitch(virtd_lxc_t) + +logging_send_syslog_msg(virtd_lxc_t) + +seutil_domtrans_setfiles(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) +selinux_validate_context(virtd_lxc_t) +selinux_compute_access_vector(virtd_lxc_t) 
+selinux_compute_create_context(virtd_lxc_t) +selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) + +sysnet_exec_ifconfig(virtd_lxc_t) + +systemd_dbus_chat_machined(virtd_lxc_t) + +userdom_read_admin_home_files(virtd_lxc_t) + +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) + + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') + +optional_policy(` + container_exec_lib(virtd_lxc_t) +') + +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') + +optional_policy(` + unconfined_domain(virtd_lxc_t) +') + +######################################## +# +# svirt_sandbox_domain local policy +# +allow svirt_sandbox_domain self:key manage_key_perms; +dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; + +allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid setrlimit setsched signal_perms }; +allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms; +allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; +allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; +allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; + +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) +fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') + +allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow 
virtd_t svirt_sandbox_domain:process { getattr signal_perms }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setrlimit setsched signal_perms transition }; + +allow svirt_sandbox_domain virtd_lxc_t:process sigchld; +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + +manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton; + +list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_file_t) + +allow svirt_sandbox_domain container_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +can_exec(svirt_sandbox_domain, container_file_t) +allow svirt_sandbox_domain container_file_t:dir mounton; +allow svirt_sandbox_domain container_file_t:filesystem { getattr remount }; + +kernel_getattr_proc(svirt_sandbox_domain) +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) 
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) +kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + +domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain) +domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain) + +files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) +files_dontaudit_getattr_all_files(svirt_sandbox_domain) +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) +files_search_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) + +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + +files_search_all(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) +fs_rw_cephfs_files(svirt_sandbox_domain) + +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) +fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + +init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) + +miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) 
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) +miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain) + +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) + fs_mount_nfs(svirt_sandbox_domain) + fs_unmount_nfs(svirt_sandbox_domain) + fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) + fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) +') + +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') + +optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +') + +optional_policy(` + 
mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +# Policy moved to container-selinux policy package + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; + +allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execmem execstack }; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_qemu_net_t self:netlink_socket create_socket_perms; + allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, 
virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) + +userdom_use_user_ptys(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') + +####################################### +# +# virtinterfaced local policy +# +allow virtinterfaced_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { file dir }) + +kernel_read_network_state(virtinterfaced_t) + +corecmd_exec_bin(virtinterfaced_t) + +fs_getattr_all_fs(virtinterfaced_t) + +modutils_read_module_config(virtinterfaced_t) + +sysnet_manage_config(virtinterfaced_t) + +userdom_read_all_users_state(virtinterfaced_t) + +####################################### +# +# virtnetworkd local policy +# +allow virtnetworkd_t self:capability { kill sys_ptrace }; +allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnetworkd_t self:process setcap; +allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto }; + +manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtnetworkd_t, 
virt_var_lib_t, virt_var_lib_t) + +kernel_read_network_state(virtnetworkd_t) +kernel_request_load_module(virtnetworkd_t) +kernel_rw_net_sysctls(virtnetworkd_t) + +corenet_rw_tun_tap_dev(virtnetworkd_t) + +dev_rw_sysfs(virtnetworkd_t) + +sysnet_read_config(virtnetworkd_t) + +optional_policy(` + dnsmasq_domtrans(virtnetworkd_t) + dnsmasq_manage_pid_files(virtnetworkd_t) + dnsmasq_read_state(virtnetworkd_t) + dnsmasq_signal(virtnetworkd_t) + dnsmasq_signull(virtnetworkd_t) +') + +optional_policy(` + iptables_domtrans(virtnetworkd_t) + iptables_read_var_run(virtnetworkd_t) +') + +####################################### +# +# virtnodedevd local policy +# +allow virtnodedevd_t self:capability sys_admin; +allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; + +kernel_request_load_module(virtnodedevd_t) + +dev_rw_mtrr(virtnodedevd_t) + +miscfiles_read_hwdata(virtnodedevd_t) + +optional_policy(` + udev_read_pid_files(virtnodedevd_t) +') + +####################################### +# +# virtnwfilterd local policy +# +allow virtnwfilterd_t self:capability net_raw; +allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; +allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) + +manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t) + +kernel_read_all_proc(virtnwfilterd_t) +kernel_read_net_sysctls(virtnwfilterd_t) +kernel_request_load_module(virtnwfilterd_t) + +corecmd_exec_bin(virtnwfilterd_t) + +optional_policy(` + dnsmasq_domtrans(virtnwfilterd_t) + dnsmasq_manage_pid_files(virtnwfilterd_t) +') + +optional_policy(` + iptables_domtrans(virtnwfilterd_t) + 
iptables_filetrans_named_content(virtnwfilterd_t) + iptables_read_var_run(virtnwfilterd_t) +') + +####################################### +# +# virtproxyd local policy +# +allow virtproxyd_t self:tcp_socket create_stream_socket_perms; +allow virtproxyd_t self:udp_socket create_socket_perms; + +corenet_tcp_bind_generic_node(virtproxyd_t) +corenet_tcp_bind_virt_port(virtproxyd_t) + +userdom_read_all_users_state(virtproxyd_t) + +####################################### +# +# virtqemud local policy +# +allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:netlink_audit_socket nlmsg_relay; +allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate }; +allow virtqemud_t self:tcp_socket create_socket_perms; +allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:udp_socket { create getattr }; + +allow virtqemud_t svirt_t:process { setsched signal signull transition }; +allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; + +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + +allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; + +allow virtqemud_t virt_driver_domain:unix_stream_socket connectto; + +allow virtqemud_t virt_var_run_t:file map; + +allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file}) + +manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) 
+manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) + +manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +read_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) + +manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) + +manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t) + +manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) + +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) + +manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t) + +read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) + +kernel_read_all_proc(virtqemud_t) +kernel_request_load_module(virtqemud_t) + +corecmd_exec_bin(virtqemud_t) +corecmd_exec_shell(virtqemud_t) + +corenet_rw_tun_tap_dev(virtqemud_t) +corenet_tcp_bind_generic_node(virtqemud_t) +corenet_tcp_bind_vnc_port(virtqemud_t) + +dev_read_cpuid(virtqemud_t) +dev_read_sysfs(virtqemud_t) +dev_read_urand(virtqemud_t) +dev_relabel_all_dev_nodes(virtqemud_t) +dev_rw_kvm(virtqemud_t) +dev_rw_vhost(virtqemud_t) + +files_mounton_non_security(virtqemud_t) +files_read_all_symlinks(virtqemud_t) + +fs_getattr_hugetlbfs(virtqemud_t) +fs_manage_hugetlbfs_dirs(virtqemud_t) +fs_manage_cgroup_dirs(virtqemud_t) +fs_manage_cgroup_files(virtqemud_t) +fs_manage_tmpfs_chr_files(virtqemud_t) +fs_manage_tmpfs_dirs(virtqemud_t) +fs_manage_tmpfs_symlinks(virtqemud_t) +fs_mount_tmpfs(virtqemud_t) +fs_read_nsfs_files(virtqemud_t) +fs_relabel_tmpfs_chr_file(virtqemud_t) + +seutil_read_default_contexts(virtqemud_t) +seutil_read_file_contexts(virtqemud_t) + +init_stream_connect(virtqemud_t) +init_stream_connect_script(virtqemud_t) + 
+sysnet_exec_ifconfig(virtqemud_t) +sysnet_manage_config(virtqemud_t) + +userdom_read_all_users_state(virtqemud_t) +userdom_read_user_home_content_files(virtqemud_t) +userdom_relabel_user_home_files(virtqemud_t) + +tunable_policy(`virtqemud_use_execmem',` + allow virtqemud_t self:process { execmem execstack }; +') + +optional_policy(` + dmidecode_domtrans(virtqemud_t) +') + +optional_policy(` + qemu_exec(virtqemud_t) +') + +optional_policy(` + systemd_userdbd_stream_connect(virtqemud_t) +') + +####################################### +# +# virtstoraged local policy +# +allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock }; + +files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) + +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t) + +manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t) + +manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virtstoraged_t) + +fs_getattr_all_fs(virtstoraged_t) + +userdom_read_user_home_content_files(virtstoraged_t) + +####################################### +# +# virtvboxd local policy +# +allow virtvboxd_t self:netlink_audit_socket create; +allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtvboxd_t self:netlink_route_socket create_socket_perms; +allow virtvboxd_t self:unix_dgram_socket create; +allow virtvboxd_t virt_etc_t:dir search; + +####################################### +# +# virtvzd local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. 
+optional_policy(` + unconfined_domain(virtvzd_t) +') + +####################################### +# +# virtxend local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. +optional_policy(` + unconfined_domain(virtxend_t) +') + +####################################### +# +# tye for svirt sockets +# + +type svirt_socket_t; +domain_type(svirt_socket_t) +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; + +tunable_policy(`virt_transition_userdomain',` + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') + +######################################## +# +# svirt_kvm_net_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; + +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_kvm_net_t self:netlink_socket create_socket_perms; + allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) + +dev_rw_kvm(svirt_kvm_net_t) + +manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) + +list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) + +kernel_read_network_state(svirt_kvm_net_t) +kernel_read_irq_sysctls(svirt_kvm_net_t) + +dev_read_sysfs(svirt_kvm_net_t) 
+dev_getattr_mtrr_dev(svirt_kvm_net_t) +dev_read_rand(svirt_kvm_net_t) +dev_read_urand(svirt_kvm_net_t) + +files_read_kernel_modules(svirt_kvm_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) +fs_manage_cgroup_files(svirt_kvm_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_kvm_net_t) + +rpm_read_db(svirt_kvm_net_t) + +logging_send_syslog_msg(svirt_kvm_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_kvm_net_t) +') + +userdom_use_user_ptys(svirt_kvm_net_t) + +kernel_read_network_state(sandbox_net_domain) + +allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw }; +allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw }; + +allow sandbox_net_domain self:udp_socket create_socket_perms; +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow sandbox_net_domain self:packet_socket create_socket_perms; +allow sandbox_net_domain self:socket create_socket_perms; +allow sandbox_net_domain self:rawip_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) +corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) + +optional_policy(` + sssd_stream_connect(sandbox_net_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') + +allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot 
}; +allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +allow svirt_sandbox_domain container_ro_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_ro_file_t) -- 2.29.2
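Review bot: in the `virt_use_samba` tunable block for virsh_t, `fs_manage_cifs_files(virsh_t)` is listed twice and `fs_manage_cifs_dirs(virsh_t)` is missing, so with the boolean on virsh still cannot create or remove directories on a CIFS share; the parallel `virt_use_nfs` block grants dirs, files and symlinks, so the duplicated second line should read `fs_manage_cifs_dirs(virsh_t)`.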
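Review bot: the `optional_policy(` unconfined_domain(virtd_lxc_t) ')` at the end of the virt_lxc section makes the several dozen virtd_lxc_t allow rules above it dead weight whenever the unconfined module is loaded, which it is in the targeted policy, and the section carries no comment saying that the LXC driver is meant to stay unconfined the way the virtvzd and virtxend sections do. Either drop the call or document the exception with the same comment; while there, delete the commented-out `#allow virtd_lxc_t self:capability2 compromise_kernel;` and merge the two `allow virtd_lxc_t self:process { ... }` rules, which both list signal_perms.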
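Review bot: several rules are declared twice, which checkmodule accepts silently but which makes the module harder to audit. In the svirt_sandbox_domain section `can_exec(svirt_sandbox_domain, container_file_t)` and `allow svirt_sandbox_domain container_file_t:file execmod` (already covered by the `{ execmod relabelfrom relabelto }` rule) each appear twice, and `fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)` and `dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)` appear both unconditionally and again inside the container `optional_policy` block; `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)` are applied in the svirt_qemu_net_t section and once more in the svirt_kvm_net_t section, although a type attribute only needs to be set once. Two comment headers also need fixing: the header before `virt_sandbox_domain_template(svirt_qemu_net)` repeats "container_t local policy" and should name svirt_qemu_net_t, and "tye for svirt sockets" should read "type".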
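Review bot: `manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t)` in the virtnwfilterd section lets the nwfilter driver create, write and delete virtlogd's runtime files, which is hard to justify for a daemon that only drives ip[6]tables/ebtables and looks like a rule copied from the virtqemud section. If a real AVC drove it, add a comment quoting the denial; otherwise drop it, since the two lines above already grant the virtnetworkd_var_run_t files the driver shares with virtnetworkd.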
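Review bot: for virtvzd_t and virtxend_t, `unconfined_domain()` hides exactly the evidence needed to finish this work: the comment says the macro is used "until the policy for this driver is made", but an unconfined domain never generates the AVC records from which that policy would be written. A `permissive virtvzd_t;` and `permissive virtxend_t;` statement equally avoids the denials and confused users the comment mentions, while still logging every access those daemons make so the real policy can be derived from field reports.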

From: Vit Mojzis <vmojzis@redhat.com> Temporary commit for testing purposes. The change needs to be done in https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/a... Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- ci/containers/ci-centos-8.Dockerfile | 1 + ci/containers/ci-centos-stream.Dockerfile | 1 + ci/containers/ci-fedora-32.Dockerfile | 1 + ci/containers/ci-fedora-33.Dockerfile | 1 + ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile | 1 + ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile | 1 + ci/containers/ci-fedora-rawhide.Dockerfile | 1 + 7 files changed, 7 insertions(+) diff --git a/ci/containers/ci-centos-8.Dockerfile b/ci/containers/ci-centos-8.Dockerfile index e600598329..7d6cbafe6b 100644 --- a/ci/containers/ci-centos-8.Dockerfile +++ b/ci/containers/ci-centos-8.Dockerfile @@ -84,6 +84,7 @@ RUN dnf update -y && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/ci-centos-stream.Dockerfile b/ci/containers/ci-centos-stream.Dockerfile index 2b51eccc8d..b4d02f4148 100644 --- a/ci/containers/ci-centos-stream.Dockerfile +++ b/ci/containers/ci-centos-stream.Dockerfile @@ -86,6 +86,7 @@ RUN dnf install -y centos-release-stream && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/ci-fedora-32.Dockerfile b/ci/containers/ci-fedora-32.Dockerfile index 71d391b7bd..3b9d98c83f 100644 --- a/ci/containers/ci-fedora-32.Dockerfile +++ b/ci/containers/ci-fedora-32.Dockerfile @@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/ci-fedora-33.Dockerfile b/ci/containers/ci-fedora-33.Dockerfile index 5fb30380b0..c8b4dcca34 100644 --- a/ci/containers/ci-fedora-33.Dockerfile 
+++ b/ci/containers/ci-fedora-33.Dockerfile @@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile index c718778acb..55825c9753 100644 --- a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile +++ b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile @@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \ rpcgen \ rpm-build \ scrub \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile index 6058d0c0b2..69159a7e3c 100644 --- a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile +++ b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile @@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \ rpcgen \ rpm-build \ scrub \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/ci-fedora-rawhide.Dockerfile b/ci/containers/ci-fedora-rawhide.Dockerfile index 027e8a7c41..edd9c34c46 100644 --- a/ci/containers/ci-fedora-rawhide.Dockerfile +++ b/ci/containers/ci-fedora-rawhide.Dockerfile @@ -90,6 +90,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ -- 2.29.2
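Review bot: the two cross-compilation containers (ci-fedora-rawhide-cross-mingw32.Dockerfile and ci-fedora-rawhide-cross-mingw64.Dockerfile) are also given selinux-policy-devel although a mingw build produces no SELinux policy; they only need it because the meson.build change in the next patch enables the policy build from the build host's /etc/os-release rather than from the build target or a meson option. Gating the policy build on an explicit option would let these two Dockerfiles stay untouched, and since the commit message marks the whole change as temporary pending the lcitool update, it should be dropped from the series before merge rather than applied.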

From: Vit Mojzis <vmojzis@redhat.com> Compile the policy using a shell script executed by meson. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell} %meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif %install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif -%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build 
@@ -2183,6 +2183,18 @@ endif subdir('build-aux') +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif # install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh 
@@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build 
@@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
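Review bot: in the meson.build hunk, the `else` branch sets `os_version = 0` (an integer) and the following `if` still calls `os_version.version_compare(...)`, a string method, so on a host whose /etc/os-release has no VERSION_ID line (or where grep matches nothing and `stdout()` is empty) configure aborts instead of skipping `subdir('selinux')`; use `'0'` or guard the whole comparison on `os_version.length() == 2`. Two more points in the same hunk: `split('=')` keeps the trailing newline from `stdout()` and any surrounding quotes (RHEL writes `VERSION_ID="8.3"`), so strip both before `version_compare()`; and probing the build host's os-release makes the decision invisible to whoever runs configure and wrong under cross-compilation or in a build container whose os-release is not the target's. The usual meson idiom is a feature option (say `-Dselinux_policy=auto|enabled|disabled`) with this probe only as the `auto` default.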
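Review bot: in compile_policy.sh, `[[ $# -ne 5 ]]` is a bash construct under a `#!/bin/sh` shebang, so on a dash /bin/sh the argument check is itself a syntax error; use `[ "$#" -ne 5 ]` or `#!/bin/bash`. More importantly the script has `set -x` but no `set -e`: if `checkmodule` rejects the policy the script carries on, `semodule_package` packages whatever `$MODULE_NAME.mod` is left in the temp dir from an earlier run, and meson records the target as built. The cleanup line `rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"` quotes the three paths as one argument, so nothing is removed and the glob never expands; quote each path separately. Minor: the `find` line hardcodes `/usr/share/selinux/devel/include` twice although `$HEADERDIR` is defined just above it, and `$1`..`$5` are used unquoted throughout.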
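Review bot: in selinux/meson.build, `install_dir : 'share/selinux/packages/targeted'` hardcodes the policy store name, whereas the spec code this replaces derived the directory from `%{selinuxtype}`; take the type from a meson option so the same sources can be built and installed per store type. `virt.if` is listed in `selinux_sources` but only the `.pp.bz2` is installed, so other policy modules cannot call the interfaces this module defines; it needs to be installed under the devel header directory as well. Finally, `'selinux/tmp'` is a path relative to the build root rather than `@PRIVATE_DIR@`, and the positional `'@INPUT@'` expansion only works as long as `selinux_sources` keeps the .te/.if/.fc order the script's usage line expects.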

On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build 
@@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
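Review bot: dropping both `%if 0%{?with_selinux}` blocks from libvirt.spec.in removes the spec's switch for the policy build; after this change whether `selinux/` is compiled and installed is decided solely by the os-release probe in meson.build, so a build with `with_selinux` unset still ships the policy and the packager has no knob to turn it off. Pass the setting through as a meson option instead. The removed install line also chose the destination directory via `%{selinuxtype}`, which the meson replacement hardcodes as `targeted`.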
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this. -- 真実はいつも一つ!/ Always, there's only one truth!

On 3/10/21 7:50 PM, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build 
@@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this.
Hi, not sure what you mean. The shell script is almost a 1 to 1 copy of the original Makefile from selinux-policy-devel so it should not cause any issues. If you mean the whole idea of moving the policy from selinux-policy packages to libvirt, then this has proven to work with a few other projects already (mostly the policies are kept in downstream distribution repositories, but e.g. freeipa is maintaining it in upstream, similarly to this) and we got quite positive feedback. Could you please elaborate on what you mean by "the framework that SELinux policies are supposed to be built with"? Thank you. Vit

On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc
Can you change this to use Python, since our strategy is to eliminate use of all scripting languages other than Python 3: https://libvirt.org/strategy.html
diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build @@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this.
The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
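The request above is for the policy build to be driven from Python 3 rather than a shell script. The following is an added example written for this thread, not code from the patch or from libvirt: a Python equivalent of the same pipeline (m4 over the interface headers, checkmodule, m4 over the file contexts, semodule_package). The header directory, the m4 defines and the `dollarsstar` substitution are taken from the script in the patch; the function names, the `plan()`/`build()` split and the `(te, if, fc, out, tmpdir)` argument order are this example's own choices. Unlike the shell version it refuses mismatched input names up front and aborts on the first failing tool, so a stale `.mod` from an earlier run can never be packaged.

```python
"""Build an SELinux policy module (.te/.if/.fc -> .pp) with the reference
toolchain (m4, checkmodule, semodule_package), driven from Python.

Added example, not libvirt's code.  The header layout under
/usr/share/selinux/devel/include and the m4 defines are the ones the
selinux-policy-devel Makefile uses on Fedora/RHEL; the function names and the
(te, if, fc, out, tmpdir) argument order are this example's own choice.
"""
import subprocess
import sys
from pathlib import Path

HEADERDIR = Path("/usr/share/selinux/devel/include")
M4PARAM = ["-D", "enable_mcs", "-D", "distro_redhat", "-D", "hide_broken_symptoms",
           "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
# Makes m4 exit non-zero when an interface is called with bad arguments, so the
# error surfaces here instead of as a confusing checkmodule parse error later.
IFERROR = "ifdef(`__if_error',`m4exit(1)')\n"


def module_name(te, iff, fc):
    """checkmodule and semodule_package expect one module name, so refuse
    mismatched inputs instead of silently packaging the wrong .fc file."""
    paths = {".te": Path(te), ".if": Path(iff), ".fc": Path(fc)}
    for ext, p in paths.items():
        if p.suffix != ext:
            raise ValueError(f"{p}: expected a {ext} file")
    stems = {p.stem for p in paths.values()}
    if len(stems) != 1:
        raise ValueError(f"policy sources must share a basename, got {sorted(stems)}")
    return stems.pop()


def header_files(headerdir=HEADERDIR):
    """support/*.spt plus every <layer>/*.if: the inputs the devel Makefile globs."""
    support = sorted(str(p) for p in (headerdir / "support").glob("*.spt"))
    layers = sorted(p for p in headerdir.iterdir() if p.is_dir() and p.name != "support")
    ifaces = [str(f) for layer in layers for f in sorted(layer.glob("*.if"))]
    return support, ifaces


def plan(te, iff, fc, out_pp, tmpdir, support, ifaces):
    """Return every tool invocation as an argv list, in execution order.

    Pure function (no I/O), so the pipeline can be unit-tested on a machine
    that does not have the SELinux toolchain installed.
    """
    name = module_name(te, iff, fc)
    tmp = Path(tmpdir)
    return {
        # 1. expand the global interfaces plus this module's own .if
        "m4_ifaces": ["m4", *support, *ifaces, str(iff), str(tmp / "iferror.m4")],
        # 2. expand the .te against those interfaces and compile it to a .mod
        "m4_module": ["m4", *M4PARAM, "-s", *support,
                      str(tmp / "all_interfaces.conf"), str(te)],
        "checkmodule": ["checkmodule", "-M", "-m", str(tmp / f"{name}.tmp"),
                        "-o", str(tmp / f"{name}.mod")],
        # 3. expand the file contexts and package module + contexts into the .pp
        "m4_fc": ["m4", *M4PARAM, *support, str(fc)],
        "semodule_package": ["semodule_package", "-o", str(out_pp),
                             "-m", str(tmp / f"{name}.mod"),
                             "-f", str(tmp / f"{name}.mod.fc")],
    }


def build(te, iff, fc, out_pp, tmpdir, headerdir=HEADERDIR):
    """Run the plan.  check=True makes the first failing tool abort the build."""
    support, ifaces = header_files(headerdir)
    steps = plan(te, iff, fc, out_pp, tmpdir, support, ifaces)
    name = module_name(te, iff, fc)
    tmp = Path(tmpdir)
    tmp.mkdir(parents=True, exist_ok=True)
    (tmp / "iferror.m4").write_text(IFERROR)

    def m4(argv):
        return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

    # The headers spell the m4 argument list as 'dollarsstar' so the first pass
    # leaves it alone; the devel Makefile restores it with sed, and so do we.
    expanded = m4(steps["m4_ifaces"]).replace("dollarsstar", "$$*")
    (tmp / "all_interfaces.conf").write_text("divert(-1)\n" + expanded + "divert\n")
    (tmp / f"{name}.tmp").write_text(m4(steps["m4_module"]))
    subprocess.run(steps["checkmodule"], check=True)
    (tmp / f"{name}.mod.fc").write_text(m4(steps["m4_fc"]))
    subprocess.run(steps["semodule_package"], check=True)
    return Path(out_pp)


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: compile_policy.py <mod>.te <mod>.if <mod>.fc <out>.pp <tmpdir>")
    print(build(*sys.argv[1:]))
```

Invoked as `python3 compile_policy.py virt.te virt.if virt.fc virt.pp tmp` it takes the same five arguments as the shell script, so a meson `custom_target` can point `find_program()` at it unchanged. Keeping `plan()` free of I/O is deliberate: the exact argv passed to checkmodule and semodule_package can be asserted in a unit test without root or a policy store.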

On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc
Can you change this to use Python, since our strategy is to eliminate use of all scripting languages other than Python 3:
https://libvirt.org/strategy.html
diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build @@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this.
The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson.
Let's say I buy that argument (I don't). Even with that argument, this patch is wrong because it makes assumptions about how SELinux policies are structured on-disk. For example, the install directory is wrong, since it should be share/selinux/packages, not share/selinux/packages/targeted. If I were to accept that I might be wrong about the directory in the previous statement, that means that we're still wrong, because we don't have builds for mls and minimal policy targets. Finally, we're missing the policy interface file. This sounds like you need to work with Meson and selinux-policy upstream to add support for natively building policy modules with Meson itself. -- 真実はいつも一つ!/ Always, there's only one truth!

On Thu, Mar 11, 2021 at 07:29:03AM -0500, Neal Gompa wrote:
On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc
Can you change this to use Python, since our strategy is to eliminate use of all scripting languages other than Python 3:
https://libvirt.org/strategy.html
diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build @@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this.
The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson.
Let's say I buy that argument (I don't). Even with that argument, this patch is wrong because it makes assumptions about how SELinux policies are structured on-disk. For example, the install directory is wrong, since it should be share/selinux/packages, not share/selinux/packages/targeted. If I were to accept that I might be wrong about the directory in the previous statement, that means that we're still wrong, because we don't have builds for mls and minimal policy targets. Finally, we're missing the policy interface file.
Well if there are bugs like these, that's what this review is intended to catch, and they'll need to be addressed before this can merge.
This sounds like you need to work with Meson and selinux-policy upstream to add support for natively building policy modules with Meson itself.
Sure it would be nice if there was a meson extension that dealt with SELinux, but we need to implement something that works with the meson releases that exist today. If meson gains selinux support in future maybe we can consider it then. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, 2021-03-11 at 12:33 +0000, Daniel P. Berrangé wrote:
On Thu, Mar 11, 2021 at 07:29:03AM -0500, Neal Gompa wrote:
On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
Compile the policy using a shell script executed by meson.
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this.
The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson.
Let's say I buy that argument (I don't). Even with that argument, this patch is wrong because it makes assumptions about how SELinux policies are structured on-disk. For example, the install directory is wrong, since it should be share/selinux/packages, not share/selinux/packages/targeted. If I were to accept that I might be wrong about the directory in the previous statement, that means that we're still wrong, because we don't have builds for mls and minimal policy targets. Finally, we're missing the policy interface file.
Well if there are bugs like these, that's what this review is intended to catch, and they'll need to be addressed before this can merge.
This sounds like you need to work with Meson and selinux-policy upstream to add support for natively building policy modules with Meson itself.
Sure it would be nice if there was a meson extension that dealt with SELinux, but we need to implement something that works with the meson releases that exist today. If meson gains selinux support in future maybe we can consider it then.
We still need make for syntax-check though, so rewriting the SELinux bits to Meson doesn't allow us to drop the dependency. And, considering how complex and widely used the syntax-check logic is, I don't see that being reimplemented anytime soon. So perhaps we could file a bug against the SELinux package asking for native Meson support, hope that it will be implemented by the time we get around to rewriting syntax-check, and just use make in the meantime. -- Andrea Bolognani / Red Hat / Virtualization

On Thu, Mar 11, 2021 at 02:00:55PM +0100, Andrea Bolognani wrote:
On Thu, 2021-03-11 at 12:33 +0000, Daniel P. Berrangé wrote:
On Thu, Mar 11, 2021 at 07:29:03AM -0500, Neal Gompa wrote:
On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
Compile the policy using a shell script executed by meson.
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this.
The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson.
Let's say I buy that argument (I don't). Even with that argument, this patch is wrong because it makes assumptions about how SELinux policies are structured on-disk. For example, the install directory is wrong, since it should be share/selinux/packages, not share/selinux/packages/targeted. If I were to accept that I might be wrong about the directory in the previous statement, that means that we're still wrong, because we don't have builds for mls and minimal policy targets. Finally, we're missing the policy interface file.
Well if there are bugs like these, that's what this review is intended to catch, and they'll need to be addressed before this can merge.
This sounds like you need to work with Meson and selinux-policy upstream to add support for natively building policy modules with Meson itself.
Sure it would be nice if there was a meson extension that dealt with SELinux, but we need to implement something that works with the meson releases that exist today. If meson gains selinux support in future maybe we can consider it then.
We still need make for syntax-check though, so rewriting the SELinux bits to Meson doesn't allow us to drop the dependency. And, considering how complex and widely used the syntax-check logic is, I don't see that being reimplemented anytime soon.
That's only part of the test suite, and we don't even include syntax-check if not running from git, because it is only targeted at upstream maintainers. So that's quite different from including use of make in the primary build process. That is just not ok IMHO. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, 2021-03-11 at 13:26 +0000, Daniel P. Berrangé wrote:
On Thu, Mar 11, 2021 at 02:00:55PM +0100, Andrea Bolognani wrote:
On Thu, 2021-03-11 at 12:33 +0000, Daniel P. Berrangé wrote:
Sure it would be nice if there was a meson extension that dealt with SELinux, but we need to implement something that works with the meson releases that exist today. If meson gains selinux support in future maybe we can consider it then.
We still need make for syntax-check though, so rewriting the SELinux bits to Meson doesn't allow us to drop the dependency. And, considering how complex and widely used the syntax-check logic is, I don't see that being reimplemented anytime soon.
That's only part of the test suite, and we don't even include syntax-check if not running from git, because it is only targeted at upstream maintainers. So that's quite different from including use of make in the primary build process. That is just not ok IMHO.
Mh, fair enough. I guess we can drop BuildRequires: make from our .spec files then... I'll post a patch right away. -- Andrea Bolognani / Red Hat / Virtualization

On Thu, Mar 11, 2021 at 03:32:23PM +0100, Andrea Bolognani wrote:
On Thu, 2021-03-11 at 13:26 +0000, Daniel P. Berrangé wrote:
On Thu, Mar 11, 2021 at 02:00:55PM +0100, Andrea Bolognani wrote:
On Thu, 2021-03-11 at 12:33 +0000, Daniel P. Berrangé wrote:
Sure it would be nice if there was a meson extension that dealt with SELinux, but we need to implement something that works with the meson releases that exist today. If meson gains selinux support in future maybe we can consider it then.
We still need make for syntax-check though, so rewriting the SELinux bits to Meson doesn't allow us to drop the dependency. And, considering how complex and widely used the syntax-check logic is, I don't see that being reimplemented anytime soon.
That's only part of the test suite, and we don't even include syntax-check if not running from git, because it is only targeted at upstream maintainers. So that's quite different from including use of make in the primary build process. That is just not ok IMHO.
Mh, fair enough. I guess we can drop
BuildRequires: make
from our .spec files then... I'll post a patch right away.
Our RPMs build with a .git present, so they'll run syntax-checks even downstream. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Thu, 2021-03-11 at 14:44 +0000, Daniel P. Berrangé wrote:
On Thu, Mar 11, 2021 at 03:32:23PM +0100, Andrea Bolognani wrote:
Mh, fair enough. I guess we can drop
BuildRequires: make
from our .spec files then... I'll post a patch right away.
Our RPMs build with a .git present, so they'll run syntax-checks even downstream.
We explicitly disable syntax-check: https://gitlab.com/libvirt/libvirt/-/blob/f11f32326f163dda28143e9495d9bbc5d4... The MinGW spec doesn't have a %check section at all, for obvious reasons. Patch here: https://listman.redhat.com/archives/libvir-list/2021-March/msg00526.html -- Andrea Bolognani / Red Hat / Virtualization

On 3/11/21 1:29 PM, Neal Gompa wrote:
On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc Can you change this to use Python, since our strategy is to eliminate use of all scripting languages other than Python 3:
https://libvirt.org/strategy.html
diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build @@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
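Review bot: in the compile_policy.sh hunk, `[[ $# -ne 5 ]]` is a bash construct under a `#!/bin/sh` shebang and is a syntax error on a POSIX sh such as dash; use `[ "$#" -ne 5 ]` or make the shebang bash. The cleanup line `rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"` passes the three paths as one quoted argument, so the glob is never expanded and nothing is removed; drop the quotes around the list and quote `$5` itself instead (it is unquoted throughout). There is also no `set -e`, so a checkmodule failure only surfaces when semodule_package cannot open the .mod, and `HEADER_LAYERS` repeats the literal /usr/share/selinux/devel/include instead of reusing `$HEADERDIR`.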
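Review bot: the /etc/os-release probe in the top-level meson.build hunk aborts configure instead of skipping SELinux when `VERSION_ID=` is absent, because `os_version` is then the integer 0 and `version_compare()` is a string method. When it is present, `stdout().split('=')[1]` still carries the trailing newline and, on RHEL, the surrounding quotes (`VERSION_ID="8.3"`), so it needs `.strip().strip('"')` before comparing. The thresholds (fedora > 32, rhel > 7) also differ from the spec's `with_selinux` guard (fedora > 33, rhel > 8). A meson feature option combined with `find_program('checkmodule', required: ...)` would make the decision explicit and cross-build friendly rather than keyed on the build host's distro.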
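Review bot: `install_dir : 'share/selinux/packages/targeted'` in the selinux/meson.build hunk hardcodes both the datadir and the store; beyond Neal's point about the store subdirectory, it should be derived from `get_option('datadir')` (e.g. `join_paths(get_option('datadir'), 'selinux', 'packages')`) so `--prefix` and `--datadir` are honoured. The scratch directory `'selinux/tmp'` is a path relative to the build root that meson knows nothing about; `@PRIVATE_DIR@` gives a per-target directory for that. The rule also declares no dependency on the headers under /usr/share/selinux/devel/include, so upgrading selinux-policy-devel will not rebuild virt.pp; listing them via `depend_files` fixes that.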
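Review bot: dropping the make and install steps from libvirt.spec.in in the two spec hunks leaves the `%if 0%{?with_selinux}` subpackage and its `%files` depending on meson having built and installed virt.pp.bz2 on its own, and the two sides decide differently: meson keys on /etc/os-release with fedora > 32 / rhel > 7 while the spec's `with_selinux` guard is fedora > 33 / rhel > 8, so a Fedora 33 build installs a file no subpackage owns and rpmbuild fails on unpackaged files. Keep the spec in charge by passing a meson option from `%meson`, and keep `BuildRequires: selinux-policy-devel`, which the script still needs for /usr/share/selinux/devel.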
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this. The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson.
Let's say I buy that argument (I don't). Even with that argument, this patch is wrong because it makes assumptions about how SELinux policies are structured on-disk. For example, the install directory is wrong, since it should be share/selinux/packages, not share/selinux/packages/targeted. If I were to accept that I might be wrong about the directory in the previous statement, that means that we're still wrong, because we don't have builds for mls and minimal policy targets. Finally, we're missing the policy interface file.
Good point. I didn't realize this package was actually confined in "mls" and "minimum" as well. I'll change the paths and dependencies accordingly. The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls" and "minimum". Also, we only tested it using libvirt-tck (which now has custom policy as well) and by manually running virtual machines with the split daemon configuration. So we probably didn't cover all the functionality and would appreciate any additional testing output (i.e. any AVCs that may appear during testing).
This sounds like you need to work with Meson and selinux-policy upstream to add support for natively building policy modules with Meson itself.
Would rewriting the build script to python, as Daniel suggested, help? This is my first encounter with meson.

On Fri, Mar 12, 2021 at 9:01 AM Vit Mojzis <vmojzis@redhat.com> wrote:
On 3/11/21 1:29 PM, Neal Gompa wrote:
On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko@redhat.com> wrote:
From: Vit Mojzis <vmojzis@redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ------------ meson.build | 12 ++++++++++++ selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++++++++++++++++++ 4 files changed, 74 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.sh create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index db08d91043..de664084fa 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell}
%meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif
%install rm -fr %{buildroot} @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif
-%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index c81c6ab205..d060e441b5 100644 --- a/meson.build +++ b/meson.build @@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or + (os_release.contains('rhel') and os_version.version_compare('>7'))) + subdir('selinux') +endif
# install pkgconfig files pkgconfig_files = [ diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh new file mode 100755 index 0000000000..02780e4aed --- /dev/null +++ b/selinux/compile_policy.sh @@ -0,0 +1,39 @@ +#!/bin/sh +set -x + +if [[ $# -ne 5 ]] ; then + echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + exit 1 +fi + +# checkmodule requires consistent file names +MODULE_NAME=$(basename -- "$1") +MODULE_NAME=${MODULE_NAME%.*} + +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024" +SHAREDIR="/usr/share/selinux" +HEADERDIR="$SHAREDIR/devel/include" +M4SUPPORT=$(echo $HEADERDIR/support/*.spt) +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support") +HEADER_INTERFACES="" +for LAYER in $HEADER_LAYERS +do + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)" +done + +# prepare temp folder +mkdir -p $5 +# remove old trash from the temp folder +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*" +# tmp/all_interfaces.conf +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +echo "divert(-1)" > $5/all_interfaces.conf +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +echo "divert" >> $5/all_interfaces.conf +# tmp/%.mod +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +# tmp/%.mod.fc +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +# %.pp +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc Can you change this to use Python, since our strategy is to eliminate use of all scripting languages other than Python 3:
https://libvirt.org/strategy.html
diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..1c76fd40aa --- /dev/null +++ b/selinux/meson.build @@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.sh') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/targeted') -- 2.29.2
This smells like a bad idea, because we're not relying on the framework that SELinux policies are supposed to be built with. I don't think we should do this. The important part is the use of tools for compiling the policy. The way you glue them into a build system is app specific, and it makes no sense to use SELinux provided Makefiles, when our build system is meson.
Let's say I buy that argument (I don't). Even with that argument, this patch is wrong because it makes assumptions about how SELinux policies are structured on-disk. For example, the install directory is wrong, since it should be share/selinux/packages, not share/selinux/packages/targeted. If I were to accept that I might be wrong about the directory in the previous statement, that means that we're still wrong, because we don't have builds for mls and minimal policy targets. Finally, we're missing the policy interface file.
Good point. I didn't realize this package was actually confined in "mls" and "minimum" as well.
I'll change the paths and dependencies accordingly.
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls" and "minimum".
Also, we only tested it using libvirt-tck (which now has custom policy as well) and by manually running virtual machines with the split daemon configuration. So we probably didn't cover all the functionality and would appreciate any additional testing output (i.e. any AVCs that may appear during testing).
This sounds like you need to work with Meson and selinux-policy upstream to add support for natively building policy modules with Meson itself.
Would rewriting the build script to python, as Daniel suggested, help? This is my first encounter with meson.
Yes. Meson itself is written in Python: https://github.com/mesonbuild/meson -- 真実はいつも一つ!/ Always, there's only one truth!

Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum). Changes: * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base * Add Ghost files representing installed policy modules in all policy stores * Rewrite policy compilation script in python * Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls) * Manage policy (un)installation using triggers based on which policy type is available The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
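The cover letter above describes compiling the module once per policy store, with enable_mcs for targeted/minimum and enable_mls for mls, and the earlier compile_policy.sh shows the m4 / checkmodule / semodule_package pipeline. The following is an added example of my own, not libvirt's compile_policy.sh nor the Python rewrite in this series: it drives the same pipeline from Python with the store as a parameter. The header layout under /usr/share/selinux/devel/include and the m4 defines are taken from the shell script; the function names and the usage are assumptions.

```python
#!/usr/bin/env python3
"""Compile a refpolicy-style SELinux module (.te/.if/.fc -> .pp) for one
policy store by driving m4, checkmodule and semodule_package directly.

Added example, not libvirt's compile_policy.sh. The header layout under
/usr/share/selinux/devel/include (selinux-policy-devel) and the m4 defines
mirror the shell script; everything else is an assumption."""
import subprocess
import sys
from pathlib import Path

HEADERDIR = Path("/usr/share/selinux/devel/include")

# targeted and minimum are MCS policies, mls is an MLS policy: the same
# sources have to be compiled once per store with the matching define
STORE_DEFINES = {"targeted": "enable_mcs", "minimum": "enable_mcs",
                 "mls": "enable_mls"}
COMMON_DEFINES = ["distro_redhat", "hide_broken_symptoms", "mls_num_sens=16",
                  "mls_num_cats=1024", "mcs_num_cats=1024"]


def m4_params(store):
    """m4 -D flags for `store`; unknown stores are rejected rather than
    silently producing a module for the wrong policy type."""
    if store not in STORE_DEFINES:
        raise ValueError(f"unknown policy store: {store}")
    defines = [STORE_DEFINES[store]] + COMMON_DEFINES
    return [flag for d in defines for flag in ("-D", d)]


def header_interfaces(headerdir):
    """Every layer .if shipped by selinux-policy-devel, excluding support/."""
    files = []
    for layer in sorted(p for p in Path(headerdir).iterdir() if p.is_dir()):
        if layer.name != "support":
            files += sorted(str(f) for f in layer.glob("*.if"))
    return files


def plan(te, if_, fc, out, tmpdir, store, support, header_ifs):
    """Ordered build steps as (argv, stdout_path, text_filter); stdout_path
    is None when the tool writes its own output file. Pure, so the pipeline
    can be inspected (or unit-tested) without running any tool."""
    tmp = Path(tmpdir)
    name = Path(te).stem          # checkmodule requires consistent file names
    params = m4_params(store)
    all_if, tmp_te = tmp / "all_interfaces.conf", tmp / f"{name}.tmp"
    mod, mod_fc = tmp / f"{name}.mod", tmp / f"{name}.mod.fc"

    def wrap_interfaces(text):
        # divert(-1) discards m4 output so only the macro definitions are
        # kept; the replace is the Makefile's sed s/dollarsstar/$$*/g step
        return "divert(-1)\n" + text.replace("dollarsstar", "$$*") + "divert\n"

    return [
        # expand all interfaces once; iferror.m4 makes m4 exit non-zero on an
        # undefined interface instead of leaving __if_error in the output
        (["m4", *support, *header_ifs, if_, str(tmp / "iferror.m4")],
         all_if, wrap_interfaces),
        (["m4", *params, "-s", *support, str(all_if), te], tmp_te, None),
        (["checkmodule", "-M", "-m", str(tmp_te), "-o", str(mod)], None, None),
        (["m4", *params, *support, fc], mod_fc, None),
        (["semodule_package", "-o", out, "-m", str(mod), "-f", str(mod_fc)],
         None, None),
    ]


def compile_policy(te, if_, fc, out, tmpdir, store):
    """Run the plan; the first failing tool aborts the build (the shell
    script had no set -e and would carry on to semodule_package)."""
    tmp = Path(tmpdir)
    tmp.mkdir(parents=True, exist_ok=True)
    (tmp / "iferror.m4").write_text("ifdef(`__if_error',`m4exit(1)')\n")
    support = sorted(str(p) for p in (HEADERDIR / "support").glob("*.spt"))
    steps = plan(te, if_, fc, out, tmpdir, store, support,
                 header_interfaces(HEADERDIR))
    for argv, stdout_path, text_filter in steps:
        result = subprocess.run(
            argv, check=True, text=True,
            stdout=subprocess.PIPE if stdout_path is not None else None)
        if stdout_path is not None:
            text = result.stdout
            stdout_path.write_text(text_filter(text) if text_filter else text)
    return out


if __name__ == "__main__":
    if len(sys.argv) != 7:
        sys.exit("usage: build_policy.py <mod>.te <mod>.if <mod>.fc "
                 "<out>.pp <tmpdir> <targeted|minimum|mls>")
    compile_policy(*sys.argv[1:])
```

Running it twice, once with `targeted` and once with `mls`, yields the two .pp files the cover letter talks about from the same virt.te/virt.if/virt.fc.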

From: Nikola Knazekova <nknazeko@redhat.com> SELinux policy was created for: Hypervisor drivers: - virtqemud (QEMU/KVM) - virtlxcd (LXC) - virtvboxd (VirtualBox) Secondary drivers: - virtstoraged (host storage mgmt) - virtnetworkd (virtual network mgmt) - virtinterface (network interface mgmt) - virtnodedevd (physical device mgmt) - virtsecretd (security credential mgmt) - virtnwfilterd (ip[6]tables/ebtables mgmt) - virtproxyd (proxy daemon) SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made. Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 64 ++ selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 4245 insertions(+) create mode 100644 selinux/virt.fc create mode 100644 selinux/virt.if create mode 100644 selinux/virt.te diff --git a/libvirt.spec.in b/libvirt.spec.in index f9af330186..9cbdb2c513 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,13 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename virt +%endif + %define min_rhel 7 %define min_fedora 31 
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-client = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-base) +%endif + # All build-time requirements. Run-time requirements are # listed against each sub-RPM %if 0%{?rhel} == 7 @@ -982,6 +995,19 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} %description nss Libvirt plugin for NSS for translating domain names into IP addresses. +%if 0%{?with_selinux} +# SELinux subpackage +%package selinux +Summary: Libvirt SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +SELinux policy module for libvirt. +%endif %prep @@ -1213,6 +1239,14 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell} %meson_build +%if 0%{?with_selinux} +# SELinux policy (originally from selinux-policy-contrib) +# this policy module will override the production module +cd selinux + +make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp +bzip2 -9 %{modulename}.pp +%endif %install rm -fr %{buildroot} @@ -1297,6 +1331,10 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif +%if 0%{?with_selinux} +install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%endif + %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout 
@@ -1505,6 +1543,24 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +%endif + %files %files docs @@ -1971,5 +2027,13 @@ exit 0 %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml +%if 0%{?with_selinux} +%files selinux +%{_datadir}/selinux/packages/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} +%ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} +%ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} +%endif + %changelog diff --git a/selinux/virt.fc b/selinux/virt.fc new file mode 100644 index 0000000000..b7a2375ca1 --- /dev/null +++ b/selinux/virt.fc 
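Review bot: the %install and %files hunks of libvirt.spec.in disagree on the path: `install -D` places the module at `%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2`, but `%files selinux` lists `%{_datadir}/selinux/packages/%{modulename}.pp.*`, so the installed file is unpackaged and the listed glob matches nothing. The `%post`/`%postun` scriptlets likewise hardcode `-s %{selinuxtype}` (targeted) while `%ghost` entries are declared for targeted, minimum and mls; with a single `%{selinuxtype}` only the targeted store is ever populated, so either the scriptlets have to handle each store that is present or the extra ghosts should go. Documentation nits: the commit message names `virtvxz` and `virtinterface`, but the binaries labelled in virt.fc are `virtvzd` and `virtinterfaced`, and the spec comment "all it’s dependencies" should read "its".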
@@ -0,0 +1,111 @@ +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd 
-- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Avoid calling m4's "interface" by using en empty string +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) 
+/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) + +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/selinux/virt.if b/selinux/virt.if new file mode 100644 index 0000000000..7e92675750 --- /dev/null +++ b/selinux/virt.if 
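Review bot: a few entries in the virt.fc hunk need a second look. `/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)` runs the lock daemon in virtlogd's domain; if that is intentional it deserves a comment, since virtlockd then carries every permission granted to virtlogd_t. `/var/log/log(/.*)?` does not correspond to any libvirt path and looks like a stray copy of the `/var/log/libvirt(/.*)?` line next to it. In `/usr/lib/systemd/system/*virtlogd.*` the leading `*` applies to the preceding `/`, so the pattern only matches unit names that start with `virtlogd`; if that is all that is wanted, `virtlogd.*` says so more clearly. virtvzd and virtxend are labelled `virtvzd_exec_t` and `virtxend_exec_t` although the commit message says those drivers have no policy yet; a file context whose type is not declared makes the module fail to install, so make sure virt.te declares them and performs the unconfined transition the message describes. Typo in the comment: "en empty string" should be "an empty string".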
@@ -0,0 +1,1984 @@ +## <summary>Libvirt virtualization API</summary> + +######################################## +## <summary> +## virtd_lxc_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_lxc',` + gen_require(` + type virtd_lxc_t; + ') +') + +######################################## +## <summary> +## svirt_sandbox_domain attribute stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_svirt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') +') + +######################################## +## <summary> +## container_file_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_container_image',` + gen_require(` + type container_file_t; + ') +') + +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type container_file_t; + type container_ro_file_t; + ') +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_domain_template',` + gen_require(` + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; + type qemu_exec_t; + type virtlogd_t; + ') + + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + + kernel_read_system_state($1_t) + + auth_read_passwd($1_t) + + logging_send_syslog_msg($1_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) + + # Allow domain to write to pipes connected to virtlogd + allow $1_t virtlogd_t:fd use; + allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_etc_t; + type virt_etc_rw_t; + type virt_var_run_t; + ') + + type $1_t, virt_driver_domain; + + type $1_exec_t, virt_driver_executable; + init_daemon_domain($1_t, $1_exec_t) + + type $1_var_run_t, virt_driver_var_run; + files_pid_file($1_var_run_t) + + ################################## + # + # Local policy + # + + allow $1_t self:netlink_audit_socket create; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_t self:rawip_socket create_socket_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } ) + filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } ) + + read_files_pattern($1_t, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1_t) + + auth_read_passwd($1_t) + + dbus_read_pid_files($1_t) + dbus_stream_connect_system_dbusd($1_t) + + dev_read_sysfs($1_t) + + files_read_non_security_files($1_t) + init_read_utmp($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_generic_certs($1_t) + + virt_manage_cache($1_t) + 
virt_manage_pid_files($1_t) + virt_stream_connect($1_t) + + optional_policy(` + dbus_system_bus_client($1_t) + ') + + optional_policy(` + dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t) + ') + + optional_policy(` + systemd_dbus_chat_logind($1_t) + systemd_machined_stream_connect($1_t) + systemd_write_inhibit_pipes($1_t) + ') +') + +######################################## +## <summary> +## Make the specified type usable as a virt image +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virtual image +## </summary> +## </param> +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_getattr_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + allow $1 virtd_exec_t:file getattr; + allow $1 virt_driver_executable:file getattr; +') + +######################################## +## <summary> +## Execute a domain transition to run virt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +######################################## +## <summary> +## Execute virtd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + can_exec($1, virtd_exec_t) + can_exec($1, virt_driver_executable) +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_var_run; + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain) +') + +######################################## +## <summary> +## Read and write to virt_domain unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_virt_domain',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:unix_stream_socket { read write }; +') + + +####################################### +## <summary> +## Connect to svirt process over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_svirt',` + gen_require(` + type svirt_t; + type svirt_image_t; + ') + + stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) +') + +######################################## +## <summary> +## Read and write to apmd unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; +') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 virt_driver_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Allow domain to attach to virt sandbox TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_sandbox_tun_iface',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## manage virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + allow $1 virt_content_t:blk_file map; + allow $1 virt_content_t:file map; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to write virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## <summary> +## Read virt PID symlinks files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_symlinks',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Read virt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Manage virt pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_dirs',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) +') + +######################################## +## <summary> +## Manage virt pid files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) +') + +######################################## +## <summary> +## Create objects in the pid directory +## with a private type with a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`virt_pid_filetrans',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + filetrans_pattern($1, virt_driver_var_run, $2, $3, $4) +') + +######################################## +## <summary> +## Search virt lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Dontaudit inherited read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read virt's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## virt log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to manage virt log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to getattr virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to search virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow domain to read virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to read virt blk image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_blk_images',` + gen_require(` + attribute virt_image_type; + ') + + read_blk_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Allow domain to read/write virt image chr files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_chr_files',` + gen_require(` + attribute virt_image_type; + ') + + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Create, read, write, and delete +## svirt cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_cache',` + gen_require(` + type virt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +####################################### +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_default_image_type',` + gen_require(` + type virt_var_lib_t; + type virt_image_t; + ') + + virt_search_lib($1) + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') + +####################################### +## <summary> +## Get virtd services status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virtd_service_status',` + gen_require(` + type virtd_unit_file_t; + ') + + allow $1 virtd_unit_file_t:service status; +') + +######################################## +## <summary> +## Execute virt server in the virt domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_systemctl',` + gen_require(` + type virtd_unit_file_t; + type virtd_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) +') + +######################################## +## <summary> +## Ptrace the svirt domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_ptrace',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process ptrace; +') + +####################################### +## <summary> +## Execute Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + can_exec($1, svirt_file_type) +') + +######################################## +## <summary> +## Allow any svirt_file_type to be an entrypoint of this domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_sandbox_entrypoint',` + gen_require(` + attribute svirt_file_type; + ') + allow $1 svirt_file_type:file entrypoint; +') + +####################################### +## <summary> +## List Sandbox Dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_list_sandbox_dirs',` + gen_require(` + type svirt_sandbox_file_t; + ') + + list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + +####################################### +## <summary> +## Read Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + list_dirs_pattern($1, svirt_file_type, svirt_file_type) + read_files_pattern($1, svirt_file_type, svirt_file_type) + read_lnk_files_pattern($1, svirt_file_type, svirt_file_type) +') + +####################################### +## <summary> +## Manage Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + manage_dirs_pattern($1, svirt_file_type, svirt_file_type) + manage_files_pattern($1, svirt_file_type, svirt_file_type) + manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type) + manage_chr_files_pattern($1, svirt_file_type, svirt_file_type) + manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type) + allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Getattr Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem getattr; +') + +####################################### +## <summary> +## Relabel Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Mounton Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_mounton_sandbox_file',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:dir_file_class_set mounton; +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + attribute svirt_file_type; + ') + + files_search_pids($1) + stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt',` + gen_require(` + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; + ') + + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + + allow $1 virt_domain:process { sigkill signal signull sigstop }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + + optional_policy(` + ptchown_run(virt_domain, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to write virt daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + +######################################## +## <summary> +## Send a sigkill to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process sigkill; +') + +######################################## +## <summary> +## Send a sigkill to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process sigkill; + allow $1 virt_driver_domain:process sigkill; +') + +######################################## +## <summary> +## Send a signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signal; + allow $1 virt_driver_domain:process signal; +') + +######################################## +## <summary> +## Send null signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signull',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signull; + allow $1 virt_driver_domain:process signull; +') + +######################################## +## <summary> +## Send a signal to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_signal_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process signal; +') + +######################################## +## <summary> +## Send a signal to sandbox domains +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process signal; +') + +######################################## +## <summary> +## Manage virt home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_home_files',` + gen_require(` + type virt_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) +') + +######################################## +## <summary> +## allow domain to read +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file read_file_perms; +') + +######################################## +## <summary> +## allow domain to manage +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## <summary> +## Create .virt directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + type svirt_home_t; + ') + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + + optional_policy(` + gnome_config_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") + gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') +') + +######################################## +## <summary> +## Dontaudit attempts to Read virt_image_type devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_chr_dev',` + gen_require(` + attribute virt_image_type; + ') + + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Make the specified type usable as a virt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt file type +## </summary> +## </param> +# +interface(`virt_file_types',` + gen_require(` + attribute virt_file_type; + ') + + typeattribute $1 virt_file_type; +') + +######################################## +## <summary> +## Make the specified type usable as a svirt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a svirt file type +## </summary> +## </param> +# +interface(`svirt_file_types',` + gen_require(` + attribute svirt_file_type; + ') + + typeattribute $1 svirt_file_type; +') + + +######################################## +## <summary> +## Creates types and rules for a basic +## virt_lxc process domain. 
+## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + logging_send_syslog_msg($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + # optional_policy(` + # container_runtime_typebounds($1_t) + # ') +') + +######################################## +## <summary> +## Make the specified type usable as a lxc domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc domain +## </summary> +## </param> +# +template(`virt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + typeattribute $1 svirt_sandbox_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a lxc network domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc network domain +## </summary> +## </param> +# +template(`virt_sandbox_net_domain',` + gen_require(` + attribute sandbox_net_domain; + ') + + virt_sandbox_domain($1) + typeattribute $1 sandbox_net_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a virt system domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt system domain +## </summary> +## </param> +# +interface(`virt_system_domain_type',` + gen_require(` + attribute virt_system_domain; + ') + + typeattribute $1 virt_system_domain; +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Transition to virt named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_filetrans_named_content',` + gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; + ') + + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process { signal_perms transition }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + + allow svirt_sandbox_domain $1:fd use; + + allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read the process state of virt sandbox containers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_sandbox_read_state',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read and write to svirt_image devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_image',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rlimitinh',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { rlimitinh }; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_noatsecure',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { noatsecure rlimitinh }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an virt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`virt_admin',` + gen_require(` + attribute virt_domain; + attribute virt_system_domain; + attribute svirt_file_type; + attribute virt_file_type; + type virtd_initrc_exec_t; + type virtd_unit_file_t; + ') + + allow $1 virt_system_domain:process signal_perms; + allow $1 virt_domain:process signal_perms; + ps_process_pattern($1, virt_system_domain) + ps_process_pattern($1, virt_domain) + tunable_policy(`deny_ptrace',`',` + allow $1 virt_system_domain:process ptrace; + allow $1 virt_domain:process ptrace; + ') + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + allow $1 virt_domain:process signal_perms; + + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) + + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; + + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_default_capabilities',` + gen_require(` + attribute sandbox_caps_domain; + ') + + typeattribute $1 sandbox_caps_domain; +') + +######################################## +## <summary> +## Send and receive messages from +## virt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dbus_chat',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + class dbus send_msg; + ') + + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + allow $1 virt_driver_domain:dbus send_msg; + allow virt_driver_domain $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) + ps_process_pattern(virt_driver_domain, $1) +') + +######################################## +## <summary> +## Execute a file in a sandbox directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a sandbox directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`virt_sandbox_domtrans',` + gen_require(` + type container_file_t; + ') + + domtrans_pattern($1,container_file_t, $2) +') + +######################################## +## <summary> +## Dontaudit read the process state (/proc/pid) of libvirt +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_state',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; +') + +####################################### +## <summary> +## Send to libvirt with a unix dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dgram_send',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## <summary> +## Manage svirt home files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_home',` + gen_require(` + type svirt_home_t; + ') + + manage_files_pattern($1, svirt_home_t, svirt_home_t) + manage_dirs_pattern($1, svirt_home_t, svirt_home_t) + manage_sock_files_pattern($1, svirt_home_t, svirt_home_t) +') + +######################################## +## <summary> +## Manage svirt tmp files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> +## Read qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) + read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') diff --git a/selinux/virt.te b/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/selinux/virt.te 
@@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow confined virtual guests to use serial/parallel communication ports +## </p> +## </desc> +gen_tunable(virt_use_comm, false) + +## <desc> +## <p> +## Allow virtual processes to run as userdomains +## </p> +## </desc> +gen_tunable(virt_transition_userdomain, false) + +## <desc> +## <p> +## Allow confined virtual guests to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virt_use_execmem, false) + +## <desc> +## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> +## Allow confined virtual guests to read fuse files +## </p> +## </desc> +gen_tunable(virt_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to use glusterd +## </p> +## </desc> +gen_tunable(virt_use_glusterd, false) + +## <desc> +## <p> +## Allow sandbox containers to share apache content +## </p> +## </desc> +gen_tunable(virt_sandbox_share_apache_content, false) + +## <desc> +## <p> +## Allow sandbox containers manage fuse files +## </p> +## </desc> +gen_tunable(virt_sandbox_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage nfs files +## </p> +## </desc> +gen_tunable(virt_use_nfs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage cifs files +## </p> +## </desc> +gen_tunable(virt_use_samba, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> +## </desc> +gen_tunable(virt_use_sanlock, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> +## </desc> +gen_tunable(virt_use_rawip, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the xserver +## </p> +## </desc> +gen_tunable(virt_use_xserver, false) + +## <desc> +## <p> +## Allow 
confined virtual guests to use usb devices +## </p> +## </desc> +gen_tunable(virt_use_usb, true) + +## <desc> +## <p> +## Allow confined virtual guests to use smartcards +## </p> +## </desc> +gen_tunable(virt_use_pcscd, false) + +## <desc> +## <p> +## Allow sandbox containers to send audit messages + +## </p> +## </desc> +gen_tunable(virt_sandbox_use_audit, true) + +## <desc> +## <p> +## Allow sandbox containers to use netlink system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_netlink, false) + +## <desc> +## <p> +## Allow sandbox containers to use sys_admin system calls, for example mount +## </p> +## </desc> +gen_tunable(virt_sandbox_use_sys_admin, false) + +## <desc> +## <p> +## Allow sandbox containers to use mknod system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_mknod, false) + +## <desc> +## <p> +## Allow sandbox containers to use all capabilities +## </p> +## </desc> +gen_tunable(virt_sandbox_use_all_caps, true) + +## <desc> +## <p> +## Allow virtlockd read and lock block devices. 
+## </p> +## </desc> +gen_tunable(virt_lockd_blk_devs, false) + +gen_require(` + class passwd rootok; + class passwd passwd; +') + +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) + +virt_domain_template(svirt) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; + +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; +files_type(virt_cache_t) + +type virt_etc_t, virt_file_type; +files_config_file(virt_etc_t) + +type virt_etc_rw_t, virt_file_type; +files_type(virt_etc_rw_t) + +type virt_home_t, virt_file_type; +userdom_user_home_content(virt_home_t) + +type svirt_home_t, svirt_file_type; +userdom_user_home_content(svirt_home_t) + +# virt Image files +type virt_image_t, virt_file_type; # customizable +virt_image(virt_image_t) +files_mountpoint(virt_image_t) + +# virt Image files +type virt_content_t, virt_file_type; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) + +type virt_log_t, virt_file_type; +logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) + +type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) + +type virt_var_run_t, virt_file_type; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t, 
virt_file_type; +files_mountpoint(virt_var_lib_t) + +type virt_var_lockd_t, virt_file_type; + +type virtd_t, virt_system_domain; +type virtd_exec_t, virt_file_type; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + +type virtd_initrc_exec_t, virt_file_type; +init_script_file(virtd_initrc_exec_t) + +type virtd_keytab_t; +files_type(virtd_keytab_t) + +type virtlogd_t, virt_system_domain; +type virtlogd_exec_t, virt_file_type; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_etc_t, virt_file_type; +files_config_file(virtlogd_etc_t) + +type virtlogd_var_run_t, virt_file_type; +files_pid_file(virtlogd_var_run_t) + +type virtlogd_unit_file_t, virt_file_type; +systemd_unit_file(virtlogd_unit_file_t) + +type virtlogd_initrc_exec_t, virt_file_type; +init_script_file(virtlogd_initrc_exec_t) + +type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) +') + +# virtinterfaced +virt_driver_template(virtinterfaced) +files_type(virtinterfaced_t) + +# virtnetworkd +virt_driver_template(virtnetworkd) +files_type(virtnetworkd_t) + +# virtnodedevd +virt_driver_template(virtnodedevd) +files_type(virtnodedevd_t) + +# virtnwfilterd +virt_driver_template(virtnwfilterd) +files_type(virtnwfilterd_t) + +# virtproxyd +virt_driver_template(virtproxyd) +files_type(virtproxyd_t) + +# virtqemud +virt_driver_template(virtqemud) +files_type(virtqemud_t) 
+domain_obj_id_change_exemption(virtqemud_t) + +type virtqemud_tmp_t; +files_tmp_file(virtqemud_tmp_t) + +# virtsecretd +virt_driver_template(virtsecretd) +files_type(virtsecretd_t) + +# virtstoraged +virt_driver_template(virtstoraged) +files_type(virtstoraged_t) + +type virtstoraged_tmp_t; +files_tmp_file(virtstoraged_tmp_t) + +# virtvboxd +virt_driver_template(virtvboxd) +files_type(virtvboxd_t) + +# virtvzd +virt_driver_template(virtvzd) +files_type(virtvzd_t) + +# virtxend +virt_driver_template(virtxend) +files_type(virtxend_t) + +######################################## +# +# Declarations +# +attribute svirt_sandbox_domain; + +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + +# virt lxc container files +type container_file_t, svirt_file_type; +typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_file_t) + +type container_ro_file_t, svirt_file_type; +files_mountpoint(container_ro_file_t) + +######################################## +# +# svirt local policy +# + +allow svirt_t self:process ptrace; + +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +init_dontaudit_read_state(svirt_t) + +virt_dontaudit_read_state(svirt_t) + +storage_rw_inherited_fixed_disk_dev(svirt_t) + +userdom_read_all_users_state(svirt_t) + +####################################### +# +# svirt_prot_exec local policy +# + +allow svirt_tcg_t 
self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) +corenet_udp_bind_generic_node(svirt_tcg_t) +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) + +ps_process_pattern(svirt_tcg_t, virtd_t) + +virt_dontaudit_read_state(svirt_tcg_t) + +######################################## +# +# virtd local policy +# + +allow virtd_t self:capability { chown dac_read_search fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit virtd_t self:capability { sys_module }; +') + +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow virtd_t self:rawip_socket create_socket_perms; +allow virtd_t self:packet_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; +allow virtd_t self:netlink_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) +files_var_filetrans(virtd_t, virt_cache_t, dir) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virtd_keytab_t:file 
read_file_perms; + +allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virt_domain virtd_t:fd use; +allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain virtd_t:tun_socket attach_queue; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) +filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type) +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:dir { rmdir setattr }; +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t 
virt_image_type:chr_file relabel_chr_file_perms; +allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto }; +allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + +manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) +allow virtd_t virt_var_lib_t:file { relabelfrom relabelto }; + +manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +manage_files_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file }) + +manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) + +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t 
virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) + +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) +kernel_request_load_module(virtd_t) +kernel_search_debugfs(virtd_t) +kernel_dontaudit_setsched(virtd_t) +kernel_write_proc_files(virtd_t) + +corecmd_exec_bin(virtd_t) +corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_generic_if(virtd_t) +corenet_tcp_sendrecv_generic_node(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_generic_node(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) +corenet_relabel_tun_tap_dev(virtd_t) + +dev_rw_vfio_dev(virtd_t) +dev_rw_sysfs(virtd_t) +dev_read_urand(virtd_t) +dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) +dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) +dev_setattr_generic_usb_dev(virtd_t) +dev_relabel_generic_usb_dev(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_signull_all_domains(virtd_t) + +files_list_all_mountpoints(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) +files_relabelfrom_boot_files(virtd_t) +files_relabelto_boot_files(virtd_t) +files_manage_boot_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) + 
+fs_read_tmpfs_symlinks(virtd_t) +fs_list_auto_mountpoints(virtd_t) +fs_getattr_all_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) +fs_manage_cgroup_dirs(virtd_t) +fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_read_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) +mls_file_upgrade(virtd_t) + +mcs_process_set_categories(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) +storage_raw_write_removable_device(virtd_t) +storage_raw_read_removable_device(virtd_t) + +term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) +term_use_ptmx(virtd_t) + +auth_use_nsswitch(virtd_t) + +init_dbus_chat(virtd_t) + +miscfiles_read_generic_certs(virtd_t) +miscfiles_read_hwdata(virtd_t) + +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) + +logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) + +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) +seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) + +sysnet_signull_ifconfig(virtd_t) +sysnet_signal_ifconfig(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) + +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) + +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_tmp_files(virtd_t) +userdom_setattr_user_tmp_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) 
+userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_files(virtd_t) + fs_mmap_nfs_files(virtd_t) + fs_read_nfs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) +') + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + consoletype_exec(virtd_t) +') + +optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + consolekit_dbus_chat(virtd_t) + ') + + optional_policy(` + hal_dbus_chat(virtd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dmidecode_domtrans(virtd_t) +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t) + dnsmasq_manage_pid_files(virtd_t) +') + +optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall + iptables_manage_config(virtd_t) +') + +optional_policy(` + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + + xen_exec(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +') + +optional_policy(` + 
lvm_domtrans(virtd_t) +') + +optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(virtd_t) + mount_signal(virtd_t) +') + +optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') + +optional_policy(` + qemu_exec(virtd_t) +') + +optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` + udev_domtrans(virtd_t) + udev_read_db(virtd_t) + udev_read_pid_files(virtd_t) +') + +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## +# +# virtlogd local policy +# + +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) + +# virtlogd needs to read /etc/libvirt/virtlogd.conf only +allow virtlogd_t virtlogd_etc_t:file read_file_perms; +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:file read_file_perms; +allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock }; +allow virtlogd_t virt_etc_t:dir search; + +manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) + +# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated +# context from other stuff in /var/run/libvirt +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too + +# virtlogd creates a /var/run/virtlogd.pid file +allow virtlogd_t virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) 
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) + +manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) + +can_exec(virtlogd_t, virtlogd_exec_t) + +kernel_read_network_state(virtlogd_t) + +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + +# Allow virtlogd_t to execute itself. +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + +manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t) + +virt_manage_lib_files(virtlogd_t) + +tunable_policy(`virt_lockd_blk_devs',` + dev_lock_all_blk_files(virtlogd_t) +') + +tunable_policy(`virt_use_nfs',` + fs_append_nfs_files(virtlogd_t) +') + +optional_policy(` + dbus_system_bus_client(virtlogd_t) +') + +optional_policy(` + systemd_write_inhibit_pipes(virtlogd_t) + systemd_dbus_chat_logind(virtlogd_t) +') + +######################################## +# +# virtual domains common policy +# +#allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { getsched setrlimit setsched signal_perms }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain 
self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; +allow virt_domain self:icmp_socket create_socket_perms; +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; + +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) +kernel_ib_access_unlabeled_pkeys(virt_domain) + +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) +append_files_pattern(virt_domain, virt_home_t, virt_home_t) +manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +read_files_pattern(virt_domain, virt_image_t, virt_image_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_blk_files_pattern(virt_domain, 
svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) +allow svirt_t svirt_image_t:file map; +allow svirt_t svirt_image_t:blk_file map; + +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file}) +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) +allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh}; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) +corenet_tcp_bind_generic_node(virt_domain) +corenet_tcp_bind_vnc_port(virt_domain) +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) 
+corenet_rw_inherited_tun_tap_dev(virt_domain) + +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) +dev_read_generic_symlinks(virt_domain) +dev_read_rand(virt_domain) +dev_read_sound(virt_domain) +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_sev(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) +dev_rw_tpm(virt_domain) +dev_rw_xserver_misc(virt_domain) + +domain_use_interactive_fds(virt_domain) + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) + +fs_rw_cephfs_files(virt_domain) +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) +fs_rw_inherited_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) + +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_files(virt_domain) +') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) + fs_mmap_nfs_files(virt_domain) +') + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) +') + +optional_policy(` + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + sanlock_read_state(virt_domain) + ') +') + +optional_policy(` + 
tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') +') + +optional_policy(` + alsa_read_rw_config(virt_domain) +') + +optional_policy(` + gnome_dontaudit_manage_cache_home_dir(virt_domain) +') + +optional_policy(` + nscd_dontaudit_read_pid(virt_domain) +') + +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') + +optional_policy(` + openvswitch_stream_connect(svirt_t) +') + +optional_policy(` + ptchown_domtrans(virt_domain) +') + +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) +') + +optional_policy(` + sssd_read_public_files(virt_domain) +') + +optional_policy(` + unconfined_dontaudit_read_state(virt_domain) +') + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') + +optional_policy(` + xserver_rw_shm(virt_domain) +') + +######################################## +# +# xm local policy +# +type virsh_t, virt_system_domain; +type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap setexec setsched signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) +virt_domtrans(virsh_t) +virt_manage_images(virsh_t) +virt_manage_config(virsh_t) +virt_stream_connect(virsh_t) + +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) 
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +manage_dirs_pattern(virsh_t, container_file_t, container_file_t) +manage_files_pattern(virsh_t, container_file_t, container_file_t) +manage_chr_files_pattern(virsh_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t) +manage_sock_files_pattern(virsh_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_write_proc_files(virsh_t) +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_rand(virsh_t) +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_list_mnt(virsh_t) +files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + 
+storage_raw_read_fixed_disk(virsh_t) + +term_use_all_inherited_terms(virsh_t) +term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +systemd_exec_systemctl(virsh_t) + +auth_read_passwd(virsh_t) + +logging_send_syslog_msg(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +userdom_stream_connect(virsh_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) + fs_manage_cifs_files(virsh_t) + fs_read_cifs_symlinks(virsh_t) +') + +optional_policy(` + cron_system_entry(virsh_t, virsh_exec_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) + + optional_policy(` + hal_dbus_chat(virsh_t) + ') +') + +optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + +optional_policy(` + rpm_exec(virsh_t) +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +######################################## +# +# virt_lxc local policy +# +allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow 
virtd_lxc_t self:capability { chown dac_read_search net_admin net_raw setgid setpcap setuid sys_admin sys_boot sys_nice sys_resource }; +allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition }; +#allow virtd_lxc_t self:capability2 compromise_kernel; + +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_lxc_t self:packet_socket create_socket_perms; +ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +corecmd_entrypoint_all_executables(virtd_lxc_t) +files_entrypoint_all_mountpoint(virtd_lxc_t) + +allow virtd_lxc_t virt_image_type:dir mounton; +manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +allow 
virtd_lxc_t container_file_t:dir_file_class_set { relabelfrom relabelto }; +allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto }; +files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) + +storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) + +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) +kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) + +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) + +dev_relabel_all_dev_nodes(virtd_lxc_t) +dev_rw_sysfs(virtd_lxc_t) +dev_read_sysfs(virtd_lxc_t) +dev_read_urand(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + +files_search_all(virtd_lxc_t) +files_getattr_all_files(virtd_lxc_t) +files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) +files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) + +fs_read_fusefs_files(virtd_lxc_t) +fs_getattr_all_fs(virtd_lxc_t) +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) +fs_manage_tmpfs_symlinks(virtd_lxc_t) +fs_manage_cgroup_dirs(virtd_lxc_t) +fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) +fs_rw_cgroup_files(virtd_lxc_t) +fs_unmount_all_fs(virtd_lxc_t) +fs_relabelfrom_tmpfs(virtd_lxc_t) + +logging_send_audit_msgs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) +selinux_unmount_fs(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) + +term_use_generic_ptys(virtd_lxc_t) +term_use_ptmx(virtd_lxc_t) +term_relabel_pty_fs(virtd_lxc_t) + +auth_use_nsswitch(virtd_lxc_t) + +logging_send_syslog_msg(virtd_lxc_t) + +seutil_domtrans_setfiles(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) +selinux_validate_context(virtd_lxc_t) +selinux_compute_access_vector(virtd_lxc_t) 
+selinux_compute_create_context(virtd_lxc_t) +selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) + +sysnet_exec_ifconfig(virtd_lxc_t) + +systemd_dbus_chat_machined(virtd_lxc_t) + +userdom_read_admin_home_files(virtd_lxc_t) + +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) + + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') + +optional_policy(` + container_exec_lib(virtd_lxc_t) +') + +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') + +optional_policy(` + unconfined_domain(virtd_lxc_t) +') + +######################################## +# +# svirt_sandbox_domain local policy +# +allow svirt_sandbox_domain self:key manage_key_perms; +dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; + +allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid setrlimit setsched signal_perms }; +allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms; +allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; +allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; +allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; + +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) +fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') + +allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow 
virtd_t svirt_sandbox_domain:process { getattr signal_perms }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setrlimit setsched signal_perms transition }; + +allow svirt_sandbox_domain virtd_lxc_t:process sigchld; +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + +manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton; + +list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_file_t) + +allow svirt_sandbox_domain container_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +can_exec(svirt_sandbox_domain, container_file_t) +allow svirt_sandbox_domain container_file_t:dir mounton; +allow svirt_sandbox_domain container_file_t:filesystem { getattr remount }; + +kernel_getattr_proc(svirt_sandbox_domain) +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) 
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) +kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + +domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain) +domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain) + +files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) +files_dontaudit_getattr_all_files(svirt_sandbox_domain) +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) +files_search_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) + +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + +files_search_all(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) +fs_rw_cephfs_files(svirt_sandbox_domain) + +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) +fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + +init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) + +miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) 
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) +miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain) + +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) + fs_mount_nfs(svirt_sandbox_domain) + fs_unmount_nfs(svirt_sandbox_domain) + fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) + fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) +') + +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') + +optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +') + +optional_policy(` + 
mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +# Policy moved to container-selinux policy package + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; + +allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execmem execstack }; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_qemu_net_t self:netlink_socket create_socket_perms; + allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, 
virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) + +userdom_use_user_ptys(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') + +####################################### +# +# virtinterfaced local policy +# +allow virtinterfaced_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { file dir }) + +kernel_read_network_state(virtinterfaced_t) + +corecmd_exec_bin(virtinterfaced_t) + +fs_getattr_all_fs(virtinterfaced_t) + +modutils_read_module_config(virtinterfaced_t) + +sysnet_manage_config(virtinterfaced_t) + +userdom_read_all_users_state(virtinterfaced_t) + +####################################### +# +# virtnetworkd local policy +# +allow virtnetworkd_t self:capability { kill sys_ptrace }; +allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnetworkd_t self:process setcap; +allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto }; + +manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtnetworkd_t, 
virt_var_lib_t, virt_var_lib_t) + +kernel_read_network_state(virtnetworkd_t) +kernel_request_load_module(virtnetworkd_t) +kernel_rw_net_sysctls(virtnetworkd_t) + +corenet_rw_tun_tap_dev(virtnetworkd_t) + +dev_rw_sysfs(virtnetworkd_t) + +sysnet_read_config(virtnetworkd_t) + +optional_policy(` + dnsmasq_domtrans(virtnetworkd_t) + dnsmasq_manage_pid_files(virtnetworkd_t) + dnsmasq_read_state(virtnetworkd_t) + dnsmasq_signal(virtnetworkd_t) + dnsmasq_signull(virtnetworkd_t) +') + +optional_policy(` + iptables_domtrans(virtnetworkd_t) + iptables_read_var_run(virtnetworkd_t) +') + +####################################### +# +# virtnodedevd local policy +# +allow virtnodedevd_t self:capability sys_admin; +allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; + +kernel_request_load_module(virtnodedevd_t) + +dev_rw_mtrr(virtnodedevd_t) + +miscfiles_read_hwdata(virtnodedevd_t) + +optional_policy(` + udev_read_pid_files(virtnodedevd_t) +') + +####################################### +# +# virtnwfilterd local policy +# +allow virtnwfilterd_t self:capability net_raw; +allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; +allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) + +manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t) + +kernel_read_all_proc(virtnwfilterd_t) +kernel_read_net_sysctls(virtnwfilterd_t) +kernel_request_load_module(virtnwfilterd_t) + +corecmd_exec_bin(virtnwfilterd_t) + +optional_policy(` + dnsmasq_domtrans(virtnwfilterd_t) + dnsmasq_manage_pid_files(virtnwfilterd_t) +') + +optional_policy(` + iptables_domtrans(virtnwfilterd_t) + 
iptables_filetrans_named_content(virtnwfilterd_t) + iptables_read_var_run(virtnwfilterd_t) +') + +####################################### +# +# virtproxyd local policy +# +allow virtproxyd_t self:tcp_socket create_stream_socket_perms; +allow virtproxyd_t self:udp_socket create_socket_perms; + +corenet_tcp_bind_generic_node(virtproxyd_t) +corenet_tcp_bind_virt_port(virtproxyd_t) + +userdom_read_all_users_state(virtproxyd_t) + +####################################### +# +# virtqemud local policy +# +allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:netlink_audit_socket nlmsg_relay; +allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate }; +allow virtqemud_t self:tcp_socket create_socket_perms; +allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:udp_socket { create getattr }; + +allow virtqemud_t svirt_t:process { setsched signal signull transition }; +allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; + +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + +allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; + +allow virtqemud_t virt_driver_domain:unix_stream_socket connectto; + +allow virtqemud_t virt_var_run_t:file map; + +allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file}) + +manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) 
+manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) + +manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +read_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) + +manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) + +manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t) + +manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) + +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) + +manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t) + +read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) + +kernel_read_all_proc(virtqemud_t) +kernel_request_load_module(virtqemud_t) + +corecmd_exec_bin(virtqemud_t) +corecmd_exec_shell(virtqemud_t) + +corenet_rw_tun_tap_dev(virtqemud_t) +corenet_tcp_bind_generic_node(virtqemud_t) +corenet_tcp_bind_vnc_port(virtqemud_t) + +dev_read_cpuid(virtqemud_t) +dev_read_sysfs(virtqemud_t) +dev_read_urand(virtqemud_t) +dev_relabel_all_dev_nodes(virtqemud_t) +dev_rw_kvm(virtqemud_t) +dev_rw_vhost(virtqemud_t) + +files_mounton_non_security(virtqemud_t) +files_read_all_symlinks(virtqemud_t) + +fs_getattr_hugetlbfs(virtqemud_t) +fs_manage_hugetlbfs_dirs(virtqemud_t) +fs_manage_cgroup_dirs(virtqemud_t) +fs_manage_cgroup_files(virtqemud_t) +fs_manage_tmpfs_chr_files(virtqemud_t) +fs_manage_tmpfs_dirs(virtqemud_t) +fs_manage_tmpfs_symlinks(virtqemud_t) +fs_mount_tmpfs(virtqemud_t) +fs_read_nsfs_files(virtqemud_t) +fs_relabel_tmpfs_chr_file(virtqemud_t) + +seutil_read_default_contexts(virtqemud_t) +seutil_read_file_contexts(virtqemud_t) + +init_stream_connect(virtqemud_t) +init_stream_connect_script(virtqemud_t) + 
+sysnet_exec_ifconfig(virtqemud_t) +sysnet_manage_config(virtqemud_t) + +userdom_read_all_users_state(virtqemud_t) +userdom_read_user_home_content_files(virtqemud_t) +userdom_relabel_user_home_files(virtqemud_t) + +tunable_policy(`virtqemud_use_execmem',` + allow virtqemud_t self:process { execmem execstack }; +') + +optional_policy(` + dmidecode_domtrans(virtqemud_t) +') + +optional_policy(` + qemu_exec(virtqemud_t) +') + +optional_policy(` + systemd_userdbd_stream_connect(virtqemud_t) +') + +####################################### +# +# virtstoraged local policy +# +allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock }; + +files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) + +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t) + +manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t) + +manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virtstoraged_t) + +fs_getattr_all_fs(virtstoraged_t) + +userdom_read_user_home_content_files(virtstoraged_t) + +####################################### +# +# virtvboxd local policy +# +allow virtvboxd_t self:netlink_audit_socket create; +allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtvboxd_t self:netlink_route_socket create_socket_perms; +allow virtvboxd_t self:unix_dgram_socket create; +allow virtvboxd_t virt_etc_t:dir search; + +####################################### +# +# virtvzd local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. 
+optional_policy(` + unconfined_domain(virtvzd_t) +') + +####################################### +# +# virtxend local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. +optional_policy(` + unconfined_domain(virtxend_t) +') + +####################################### +# +# tye for svirt sockets +# + +type svirt_socket_t; +domain_type(svirt_socket_t) +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; + +tunable_policy(`virt_transition_userdomain',` + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') + +######################################## +# +# svirt_kvm_net_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; + +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_kvm_net_t self:netlink_socket create_socket_perms; + allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) + +dev_rw_kvm(svirt_kvm_net_t) + +manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) + +list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) + +kernel_read_network_state(svirt_kvm_net_t) +kernel_read_irq_sysctls(svirt_kvm_net_t) + +dev_read_sysfs(svirt_kvm_net_t) 
+dev_getattr_mtrr_dev(svirt_kvm_net_t) +dev_read_rand(svirt_kvm_net_t) +dev_read_urand(svirt_kvm_net_t) + +files_read_kernel_modules(svirt_kvm_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) +fs_manage_cgroup_files(svirt_kvm_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_kvm_net_t) + +rpm_read_db(svirt_kvm_net_t) + +logging_send_syslog_msg(svirt_kvm_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_kvm_net_t) +') + +userdom_use_user_ptys(svirt_kvm_net_t) + +kernel_read_network_state(sandbox_net_domain) + +allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw }; +allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw }; + +allow sandbox_net_domain self:udp_socket create_socket_perms; +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow sandbox_net_domain self:packet_socket create_socket_perms; +allow sandbox_net_domain self:socket create_socket_perms; +allow sandbox_net_domain self:rawip_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) +corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) + +optional_policy(` + sssd_stream_connect(sandbox_net_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') + +allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot 
}; +allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +allow svirt_sandbox_domain container_ro_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_ro_file_t) -- 2.30.2
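Review bot: In the virtnwfilterd local policy, `manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t)` pairs a virt_var_run_t directory with virtlogd_var_run_t files, while the other patterns in this file use the same type for both arguments; this reads as a copy-and-paste slip, and it is also not obvious why the nwfilter daemon should manage virtnetworkd's and virtlogd's runtime files at all. Use one type for both arguments and keep only the rules that are backed by an AVC.

Review bot: In the virtvzd and virtxend local policy, `unconfined_domain(virtvzd_t)` wrapped in `optional_policy()` does not do what the comment promises: on a host where the unconfined module is not loaded the block is dropped and the daemons are left with almost no rules, and where it is present they run with full privilege without producing the AVCs you need in order to write the real policy. `permissive virtvzd_t;` and `permissive virtxend_t;` give the "no confused users" behaviour while still logging every denial, which is the stated prerequisite for finishing these two domains.

Review bot: In the svirt sockets section, the comment reads "tye for svirt sockets" (typo for "type"), and the `virt_transition_userdomain` tunable below it only lists virtd_t and virtd_lxc_t; if the tunable is meant to apply to the split daemons as well, virtqemud_t and virtlxcd_t need to be added there.

Review bot: `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)` appear in both the svirt_qemu_net_t and the svirt_kvm_net_t sections; they attach attributes to container_file_t rather than to the sandbox domain, so declare them once, next to the declaration or `gen_require` of container_file_t, instead of repeating them per domain.

Review bot: In the virtqemud local policy, the self:capability line grants dac_override next to dac_read_search and adds sys_rawio and sys_ptrace, and the self:bpf line grants prog_load; each of these widens what a compromised virtqemud can do well beyond file access, so please record in the commit message which AVCs required them (dac_read_search alone is often enough where dac_override was observed).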

Temporary commit for testing purposes. The change needs to be done in https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/a... Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- ci/containers/ci-centos-8.Dockerfile | 1 + ci/containers/ci-centos-stream.Dockerfile | 1 + ci/containers/ci-fedora-32.Dockerfile | 1 + ci/containers/ci-fedora-33.Dockerfile | 1 + ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile | 1 + ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile | 1 + ci/containers/ci-fedora-rawhide.Dockerfile | 1 + 7 files changed, 7 insertions(+) diff --git a/ci/containers/ci-centos-8.Dockerfile b/ci/containers/ci-centos-8.Dockerfile index e600598329..7d6cbafe6b 100644 --- a/ci/containers/ci-centos-8.Dockerfile +++ b/ci/containers/ci-centos-8.Dockerfile @@ -84,6 +84,7 @@ RUN dnf update -y && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/ci-centos-stream.Dockerfile b/ci/containers/ci-centos-stream.Dockerfile index 2b51eccc8d..b4d02f4148 100644 --- a/ci/containers/ci-centos-stream.Dockerfile +++ b/ci/containers/ci-centos-stream.Dockerfile @@ -86,6 +86,7 @@ RUN dnf install -y centos-release-stream && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/ci-fedora-32.Dockerfile b/ci/containers/ci-fedora-32.Dockerfile index 71d391b7bd..3b9d98c83f 100644 --- a/ci/containers/ci-fedora-32.Dockerfile +++ b/ci/containers/ci-fedora-32.Dockerfile @@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/ci-fedora-33.Dockerfile b/ci/containers/ci-fedora-33.Dockerfile index 5fb30380b0..c8b4dcca34 100644 --- a/ci/containers/ci-fedora-33.Dockerfile +++ b/ci/containers/ci-fedora-33.Dockerfile 
@@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile index c718778acb..55825c9753 100644 --- a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile +++ b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile @@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \ rpcgen \ rpm-build \ scrub \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile index 6058d0c0b2..69159a7e3c 100644 --- a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile +++ b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile @@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \ rpcgen \ rpm-build \ scrub \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/ci-fedora-rawhide.Dockerfile b/ci/containers/ci-fedora-rawhide.Dockerfile index 027e8a7c41..edd9c34c46 100644 --- a/ci/containers/ci-fedora-rawhide.Dockerfile +++ b/ci/containers/ci-fedora-rawhide.Dockerfile @@ -90,6 +90,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ sanlock-devel \ scrub \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ -- 2.30.2
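Review bot: selinux-policy-devel is added to ci-fedora-rawhide-cross-mingw32 and ci-fedora-rawhide-cross-mingw64 as well; those containers cross-build for Windows and have no use for host policy headers, so the dependency should be limited to the native Fedora and CentOS containers and should follow whatever build option gates the policy build. As the commit message itself says, the change belongs in lcitool rather than in these generated files, otherwise the next regeneration drops it again.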

Compile the policy using a script executed by meson. Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 12 ---- meson.build | 12 ++++ selinux/compile_policy.py | 128 ++++++++++++++++++++++++++++++++++++++ selinux/meson.build | 23 +++++++ 4 files changed, 163 insertions(+), 12 deletions(-) create mode 100755 selinux/compile_policy.py create mode 100644 selinux/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index 9cbdb2c513..1b807ec324 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1239,14 +1239,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec) %{?arg_login_shell} %meson_build -%if 0%{?with_selinux} -# SELinux policy (originally from selinux-policy-contrib) -# this policy module will override the production module -cd selinux - -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp -bzip2 -9 %{modulename}.pp -%endif %install rm -fr %{buildroot} @@ -1331,10 +1323,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \ %endif %endif -%if 0%{?with_selinux} -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 -%endif - %check # Building on slow archs, like emulated s390x in Fedora copr, requires # raising the test timeout diff --git a/meson.build b/meson.build index 69a7b4c88e..884d3a490d 100644 --- a/meson.build +++ b/meson.build @@ -2182,6 +2182,18 @@ endif subdir('build-aux') +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>33')) or + (os_release.contains('rhel') and os_version.version_compare('>8'))) + subdir('selinux') +endif # install pkgconfig files pkgconfig_files = [ 
diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py new file mode 100755 index 0000000000..2de26f21c7 --- /dev/null +++ b/selinux/compile_policy.py 
@@ -0,0 +1,128 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# <http://www.gnu.org/licenses/>. + +# This script is based on selinux-policy Makefile +# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Makefi... + +import subprocess +import sys +import os +import glob + +if len(sys.argv) != 6: + print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + % sys.argv[0], file=sys.stderr) + exit(os.EX_USAGE) + +module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0] + +m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D", + "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D", + "mls_num_cats=1024", "-D", "mcs_num_cats=1024"] + +SHAREDIR = "/usr/share/selinux" +HEADERDIR = os.path.join(SHAREDIR, "devel/include") + +m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR))) +header_layers = glob.glob("{}/*/".format(HEADERDIR)) +header_layers = sorted([x for x in header_layers + if os.path.join(HEADERDIR, "support") not in x]) + +header_interfaces = [] +for layer in header_layers: + header_interfaces.extend(glob.glob("{}/*.if".format(layer))) +header_interfaces.sort() + +# prepare temp folder +try: + os.makedirs(sys.argv[5]) +except Exception: + pass + +# remove old trash from the temp folder +for name in ["iferror.m4" "all_interfaces.conf" 
"{}.*".format(module_name)]: + try: + os.remove(os.path.join(sys.argv[5], name)) + except Exception: + pass + +# tmp/all_interfaces.conf +# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file: + file.write("ifdef(`__if_error',`m4exit(1)')\n") + +# echo "divert(-1)" > $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file: + int_file.write("divert(-1)\n") + +# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 +# | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format( + " ".join([*m4support, *header_interfaces, sys.argv[2], + os.path.join(sys.argv[5], "iferror.m4")]), + os.path.join(sys.argv[5], "all_interfaces.conf")), + shell=True, check=True) + +# doesn't work properly without "shell=True" +# m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2], +# os.path.join(sys.argv[5], "iferror.m4")], +# stdout=PIPE, stderr=PIPE) +# sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"], +# stdin=m4_process.stdout, stdout=int_file) +# outs, errs = m4_process.communicate() + +# echo "divert" >> $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file: + file.write("divert\n") + +# tmp/%.mod +# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "w") as tmp_file: + subprocess.run(["m4", *m4param, "-s", *m4support, + os.path.join(sys.argv[5], "all_interfaces.conf"), + sys.argv[1]], stdout=tmp_file, check=True) + +# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +subprocess.run(["/usr/bin/checkmodule", + "-M", + "-m", + os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "-o", + os.path.join(sys.argv[5], "{}.mod".format(module_name))], + check=True) + + +# tmp/%.mod.fc +# m4 $M4PARAM $M4SUPPORT $3 > 
$5/$MODULE_NAME.mod.fc +with open(os.path.join(sys.argv[5], + "{}.mod.fc".format(module_name)), "w") as mod_fc_file: + subprocess.run(["m4", *m4param, *m4support, sys.argv[3]], + stdout=mod_fc_file, check=True) + +# %.pp +# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod +# -f $5/$MODULE_NAME.mod.fc +subprocess.run(["/usr/bin/semodule_package", + "-o", + sys.argv[4], + "-m", + os.path.join(sys.argv[5], "{}.mod".format(module_name)), + "-f", + os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))], + check=True) diff --git a/selinux/meson.build b/selinux/meson.build new file mode 100644 index 0000000000..2737e60519 --- /dev/null +++ b/selinux/meson.build @@ -0,0 +1,23 @@ +selinux_sources = [ + 'virt.te', + 'virt.if', + 'virt.fc', +] + +compile_policy_prog = find_program('compile_policy.py') + +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + install : false) + +bzip2_prog = find_program('bzip2') + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/') -- 2.30.2
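Review bot: In the meson.build hunk, gating the policy build on a `grep` of the build host's /etc/os-release is fragile: `ID=centos` (the CentOS containers the previous patch prepares) never contains 'rhel', so the module is silently not built there even though the spec's `0%{?rhel} > 8` condition holds, while a rawhide mingw cross build does build it because the host says fedora. Make this a meson feature option (`selinux_policy` = enabled/disabled/auto) whose auto case checks that /usr/share/selinux/devel/include exists and that checkmodule and semodule_package are found, and let the spec pass the option explicitly. The two `run_command()` calls should also use `check: true` or inspect `.returncode()`.

Review bot: In compile_policy.py, the `m4 ... | sed ... >> all_interfaces.conf` call with `shell=True` defeats `check=True`: a shell pipeline reports sed's status, so the `m4exit(1)` that iferror.m4 exists to trigger on an interface error is swallowed and the build continues with a truncated all_interfaces.conf. Run m4 with `subprocess.run([...], check=True, capture_output=True)` and do the `dollarsstar` to `$$*` substitution in Python with `str.replace()`, which also removes the unquoted argv paths that are currently spliced into a shell command string.

Review bot: In compile_policy.py, `for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]` is missing the commas, so the list holds a single concatenated string, and `os.remove()` does not expand `*` in any case; the cleanup never removes anything. Since the following patch rewrites this loop, squash that fix into this one.

Review bot: In selinux/meson.build, `'selinux/tmp'` and `'share/selinux/packages/'` are hard-coded relative paths; use `@PRIVATE_DIR@` for the scratch directory and `get_option('datadir') / 'selinux/packages'` for the install directory. Note that the removed `install -D` line in the spec put the module under `packages/%{selinuxtype}/`, while meson now installs it directly under `packages/`, so any scriptlet still using the old path has to be updated in the same patch.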

Compile the module also for use with "mls" systems and allow installation to systems with any selinux type (targeted, mls and minimum). Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 53 +++++++++++++++++++++++++++++++++------ selinux/compile_policy.py | 21 ++++++++++------ selinux/meson.build | 11 +++++--- selinux/mls/meson.build | 20 +++++++++++++++ 4 files changed, 87 insertions(+), 18 deletions(-) create mode 100644 selinux/mls/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index 1b807ec324..9efbd2e6db 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -5,9 +5,8 @@ # or versions, but no effort will be made to ensure that going forward. %if 0%{?fedora} > 33 || 0%{?rhel} > 8 - %global with_selinux 1 - %global selinuxtype targeted - %global modulename virt + %global with_selinux 1 + %global modulename virt %endif %define min_rhel 7 
@@ -1535,18 +1534,57 @@ exit 0 # SELinux contexts are saved so that only affected files can be # relabeled after the policy module installation %pre selinux -%selinux_relabel_pre -s %{selinuxtype} +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_pre -s ${SELINUXTYPE} +fi %post selinux -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +# only policy reload is needed - module installation is managed by triggers +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || : %postun selinux if [ $1 -eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi %posttrans selinux -%selinux_relabel_post -s %{selinuxtype} +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_post -s ${SELINUXTYPE} +fi + +# install the policy module to corresponding policy store if +# selinux-policy-{targeted|mls|minimum} package is installed on the system +%triggerin -n %{name}-selinux -- selinux-policy-targeted +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : + +%triggerin -n %{name}-selinux -- selinux-policy-minimum +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : +# libvirt module is installed by default, but disabled -- enable it +/usr/sbin/semodule -n -s minimum -e %{modulename} || : + +%triggerin -n %{name}-selinux -- selinux-policy-mls +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || : + +# remove the policy module from corresponding module store if +# libvirt-selinux or selinux-policy-* was removed from the system, +# but not when either package gets updated +%triggerun -n %{name}-selinux -- selinux-policy-targeted +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n 
-s targeted -X 200 -r %{modulename} || : +fi + +%triggerun -n %{name}-selinux -- selinux-policy-minimum +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || : + /usr/sbin/semodule -n -d %{modulename} || : +fi + +%triggerun -n %{name}-selinux -- selinux-policy-mls +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || : +fi %endif %files @@ -2018,6 +2056,7 @@ fi %if 0%{?with_selinux} %files selinux %{_datadir}/selinux/packages/%{modulename}.pp.* +%{_datadir}/selinux/packages/mls/%{modulename}.pp.* %ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} %ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} %ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py index 2de26f21c7..7a703dbb3d 100755 --- a/selinux/compile_policy.py +++ b/selinux/compile_policy.py 
@@ -24,16 +24,21 @@ import sys import os import glob -if len(sys.argv) != 6: - print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" - % sys.argv[0], file=sys.stderr) +if len(sys.argv) != 7: + print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr) exit(os.EX_USAGE) module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0] -m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D", - "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D", - "mls_num_cats=1024", "-D", "mcs_num_cats=1024"] +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms", + "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", + "-D", "mcs_num_cats=1024"] + +if sys.argv[6] == "mls": + m4param = ["-D", "enable_mls"] + m4param +else: + m4param = ["-D", "enable_mcs"] + m4param SHAREDIR = "/usr/share/selinux" HEADERDIR = os.path.join(SHAREDIR, "devel/include") @@ -55,7 +60,9 @@ except Exception: pass # remove old trash from the temp folder -for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]: +tmpfiles = ["{}.{}".format(module_name, ext) + for ext in ["mod", "mod.fc", "tmp"]] +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles: try: os.remove(os.path.join(sys.argv[5], name)) except Exception: diff --git a/selinux/meson.build b/selinux/meson.build index 2737e60519..305cf59e72 100644 --- a/selinux/meson.build +++ b/selinux/meson.build 
@@ -4,15 +4,16 @@ selinux_sources = [ 'virt.fc', ] -compile_policy_prog = find_program('compile_policy.py') +set_variable('compile_policy_prog', find_program('compile_policy.py')) +# targeted/minimum policy module virt_pp = custom_target('virt.pp', output : 'virt.pp', input : selinux_sources, - command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp', 'mcs'], install : false) -bzip2_prog = find_program('bzip2') +set_variable('bzip2_prog', find_program('bzip2')) bzip = custom_target('virt.pp.bz2', output : 'virt.pp.bz2', @@ -20,4 +21,6 @@ bzip = custom_target('virt.pp.bz2', command : [bzip2_prog, '-c', '-9', '@INPUT@'], capture : true, install : true, - install_dir : 'share/selinux/packages/') + install_dir : 'share/selinux/packages') + +subdir('mls') diff --git a/selinux/mls/meson.build b/selinux/mls/meson.build new file mode 100644 index 0000000000..20bab41fea --- /dev/null +++ b/selinux/mls/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# MLS policy module +virt_pp_mls = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'], + install : false) + +bzip_mls = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp_mls, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/mls') -- 2.30.2
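Review bot: In the `%triggerun -n %{name}-selinux -- selinux-policy-minimum` hunk, `/usr/sbin/semodule -n -d %{modulename}` has no `-s minimum`, so it disables the virt module in whatever store /etc/selinux/config selects (on a targeted host that is the production virt module in the targeted store), not in the minimum store the trigger is about; add `-s minimum`. The matching enable in `%triggerin` does carry `-s minimum`, which makes the omission easy to miss.

Review bot: In the `%pre selinux` and `%posttrans selinux` hunks, `. /etc/selinux/config` executes the file as shell and then passes `${SELINUXTYPE}` unquoted; if the file has no SELINUXTYPE line the macro receives an empty `-s` argument. Read the value with something like `sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config` and fall back to `targeted` when it is empty.

Review bot: In the `%post selinux` hunk, `load_policy` runs from %post while the module itself is installed with `semodule -n` from the `%triggerin` scriptlets; please verify the scriptlet ordering for a fresh install of libvirt-selinux on a host that already has selinux-policy-targeted, because if the trigger fires after %post the newly installed module is not loaded into the kernel until the next policy reload.

Review bot: In the compile_policy.py hunk, any sixth argument other than the literal `mls` silently selects the MCS build; reject unknown values with the same usage message rather than falling through to `enable_mcs`.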

On Wed, Apr 07, 2021 at 07:08:37AM -0700, Vit Mojzis wrote:
Compile the module also for use with "mls" systems and allow installation to systems with any selinux type (targeted, mls and minimum).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 53 +++++++++++++++++++++++++++++++++------ selinux/compile_policy.py | 21 ++++++++++------ selinux/meson.build | 11 +++++--- selinux/mls/meson.build | 20 +++++++++++++++
Since we have a subdir for the mls build, I'd suggest similarly using an "mcs" subdir for the other build. This whole patch ought to be squashed into the earlier patch though.
4 files changed, 87 insertions(+), 18 deletions(-) create mode 100644 selinux/mls/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in index 1b807ec324..9efbd2e6db 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -5,9 +5,8 @@ # or versions, but no effort will be made to ensure that going forward.
%if 0%{?fedora} > 33 || 0%{?rhel} > 8 - %global with_selinux 1 - %global selinuxtype targeted - %global modulename virt + %global with_selinux 1 + %global modulename virt %endif
%define min_rhel 7 @@ -1535,18 +1534,57 @@ exit 0 # SELinux contexts are saved so that only affected files can be # relabeled after the policy module installation %pre selinux -%selinux_relabel_pre -s %{selinuxtype} +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_pre -s ${SELINUXTYPE} +fi
%post selinux -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +# only policy reload is needed - module installation is managed by triggers +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
%postun selinux if [ $1 -eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : fi
%posttrans selinux -%selinux_relabel_post -s %{selinuxtype} +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_post -s ${SELINUXTYPE} +fi + +# install the policy module to corresponding policy store if +# selinux-policy-{targeted|mls|minimum} package is installed on the system +%triggerin -n %{name}-selinux -- selinux-policy-targeted +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : + +%triggerin -n %{name}-selinux -- selinux-policy-minimum +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : +# libvirt module is installed by default, but disabled -- enable it +/usr/sbin/semodule -n -s minimum -e %{modulename} || : + +%triggerin -n %{name}-selinux -- selinux-policy-mls +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || : + +# remove the policy module from corresponding module store if +# libvirt-selinux or selinux-policy-* was removed from the system, +# but not when either package gets updated +%triggerun -n %{name}-selinux -- selinux-policy-targeted +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || : +fi + +%triggerun -n %{name}-selinux -- selinux-policy-minimum +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || : + /usr/sbin/semodule -n -d %{modulename} || : +fi + +%triggerun -n %{name}-selinux -- selinux-policy-mls +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || : +fi %endif
%files @@ -2018,6 +2056,7 @@ fi %if 0%{?with_selinux} %files selinux %{_datadir}/selinux/packages/%{modulename}.pp.* +%{_datadir}/selinux/packages/mls/%{modulename}.pp.* %ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} %ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} %ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py index 2de26f21c7..7a703dbb3d 100755 --- a/selinux/compile_policy.py +++ b/selinux/compile_policy.py @@ -24,16 +24,21 @@ import sys import os import glob
-if len(sys.argv) != 6: - print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" - % sys.argv[0], file=sys.stderr) +if len(sys.argv) != 7: + print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr) exit(os.EX_USAGE)
module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
-m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D", - "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D", - "mls_num_cats=1024", "-D", "mcs_num_cats=1024"] +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms", + "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", + "-D", "mcs_num_cats=1024"] + +if sys.argv[6] == "mls": + m4param = ["-D", "enable_mls"] + m4param +else: + m4param = ["-D", "enable_mcs"] + m4param
SHAREDIR = "/usr/share/selinux" HEADERDIR = os.path.join(SHAREDIR, "devel/include") @@ -55,7 +60,9 @@ except Exception: pass
# remove old trash from the temp folder -for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]: +tmpfiles = ["{}.{}".format(module_name, ext) + for ext in ["mod", "mod.fc", "tmp"]] +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles: try: os.remove(os.path.join(sys.argv[5], name)) except Exception: diff --git a/selinux/meson.build b/selinux/meson.build index 2737e60519..305cf59e72 100644 --- a/selinux/meson.build +++ b/selinux/meson.build @@ -4,15 +4,16 @@ selinux_sources = [ 'virt.fc', ]
-compile_policy_prog = find_program('compile_policy.py') +set_variable('compile_policy_prog', find_program('compile_policy.py'))
+# targeted/minimum policy module virt_pp = custom_target('virt.pp', output : 'virt.pp', input : selinux_sources, - command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'], + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp', 'mcs'], install : false)
-bzip2_prog = find_program('bzip2') +set_variable('bzip2_prog', find_program('bzip2'))
bzip = custom_target('virt.pp.bz2', output : 'virt.pp.bz2', @@ -20,4 +21,6 @@ bzip = custom_target('virt.pp.bz2', command : [bzip2_prog, '-c', '-9', '@INPUT@'], capture : true, install : true, - install_dir : 'share/selinux/packages/') + install_dir : 'share/selinux/packages') + +subdir('mls') diff --git a/selinux/mls/meson.build b/selinux/mls/meson.build new file mode 100644 index 0000000000..20bab41fea --- /dev/null +++ b/selinux/mls/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# MLS policy module +virt_pp_mls = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'], + install : false) + +bzip_mls = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp_mls, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/mls') -- 2.30.2
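Review bot: in the `%posttrans selinux` scriptlet, `. /etc/selinux/config` executes the file as shell, and if it does not define SELINUXTYPE the relabel runs as `%selinux_relabel_post -s ` with an empty store name; fall back to the build-time default, e.g. `%selinux_relabel_post -s ${SELINUXTYPE:-%{selinuxtype}}`. In the `selinux-policy-minimum` `%triggerun`, `/usr/sbin/semodule -n -d %{modulename}` names no store (so it acts on the default one) and runs after the module was already removed with `-r`, so it can only fail; either drop it or move it before the removal and add `-s minimum`.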
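Review bot: in compile_policy.py, sys.argv[6] is only compared against "mls", so any other value (a typo such as "MLS" or "msl") silently builds an MCS module; check it against ("mcs", "mls") and exit with os.EX_USAGE otherwise, the same way the argument count is checked. While the usage block is being touched, `exit(os.EX_USAGE)` relies on the site-provided builtin; `sys.exit(os.EX_USAGE)` is the portable form. The added commas in the tmp-file cleanup list deserve a sentence in the commit message: the old list was a single concatenated string, so the cleanup never removed anything.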
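Review bot: in selinux/meson.build, replacing `compile_policy_prog = find_program(...)` and `bzip2_prog = find_program(...)` with `set_variable(...)` is not needed for selinux/mls/meson.build to see them; meson shares the variable scope with subdirectories, so anything assigned before `subdir('mls')` is already visible there. Keeping the plain assignments shrinks the diff to the new 'mcs' argument, the install_dir change and the subdir call.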
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
From: Nikola Knazekova <nknazeko@redhat.com>
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 64 ++
I'd suggest just removing these parts of the patch, since we're changing it again twice in later patches. Just add the RPM spec changes at the time you add the meson build rules. This patch can just be the policy file import.
selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++
Put these into $GIT/src/security/selinux, since that's alongside where we store the apparmor policy. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

From: Nikola Knazekova <nknazeko@redhat.com> SELinux policy was created for: Hypervisor drivers: - virtqemud (QEMU/KVM) - virtlxcd (LXC) - virtvboxd (VirtualBox) Secondary drivers: - virtstoraged (host storage mgmt) - virtnetworkd (virtual network mgmt) - virtinterface (network interface mgmt) - virtnodedevd (physical device mgmt) - virtsecretd (security credential mgmt) - virtnwfilterd (ip[6]tables/ebtables mgmt) - virtproxyd (proxy daemon) SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made. Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- src/security/selinux/virt.fc | 111 ++ src/security/selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++ src/security/selinux/virt.te | 2086 ++++++++++++++++++++++++++++++++++ 3 files changed, 4181 insertions(+) create mode 100644 src/security/selinux/virt.fc create mode 100644 src/security/selinux/virt.if create mode 100644 src/security/selinux/virt.te diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc new file mode 100644 index 0000000000..b7a2375ca1 --- /dev/null +++ b/src/security/selinux/virt.fc 
@@ -0,0 +1,111 @@ +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd 
-- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Avoid calling m4's "interface" by using en empty string +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) 
+/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) + +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/src/security/selinux/virt.if b/src/security/selinux/virt.if new file mode 100644 index 0000000000..7e92675750 --- /dev/null +++ b/src/security/selinux/virt.if 
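Review bot: the commit message says virtvzd and virtxend have no policy yet, but virt.fc labels /usr/sbin/virtvzd and /usr/sbin/virtxend with virtvzd_exec_t and virtxend_exec_t; unless virt.te (not in this hunk) declares those types, the file contexts will not compile, and if it does declare them the commit message should say the binaries are labelled but still run unconfined. Two entries also look like slips: `/var/log/log(/.*)?` matches no libvirt path (the `/var/log/libvirt(/.*)?` line right below it is the intended one), and `/usr/lib/systemd/system/*virtlogd.*` has a leading `*` and an unescaped dot, where `/usr/lib/systemd/system/[^/]*virtlogd\..*` is the usual form. `/usr/sbin/virtlockd` being labelled virtlogd_exec_t deserves a comment if it is intentional that both daemons share the virtlogd_t domain.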
@@ -0,0 +1,1984 @@ +## <summary>Libvirt virtualization API</summary> + +######################################## +## <summary> +## virtd_lxc_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_lxc',` + gen_require(` + type virtd_lxc_t; + ') +') + +######################################## +## <summary> +## svirt_sandbox_domain attribute stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_svirt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') +') + +######################################## +## <summary> +## container_file_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_container_image',` + gen_require(` + type container_file_t; + ') +') + +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type container_file_t; + type container_ro_file_t; + ') +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_domain_template',` + gen_require(` + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; + type qemu_exec_t; + type virtlogd_t; + ') + + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + + kernel_read_system_state($1_t) + + auth_read_passwd($1_t) + + logging_send_syslog_msg($1_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) + + # Allow domain to write to pipes connected to virtlogd + allow $1_t virtlogd_t:fd use; + allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_etc_t; + type virt_etc_rw_t; + type virt_var_run_t; + ') + + type $1_t, virt_driver_domain; + + type $1_exec_t, virt_driver_executable; + init_daemon_domain($1_t, $1_exec_t) + + type $1_var_run_t, virt_driver_var_run; + files_pid_file($1_var_run_t) + + ################################## + # + # Local policy + # + + allow $1_t self:netlink_audit_socket create; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_t self:rawip_socket create_socket_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } ) + filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } ) + + read_files_pattern($1_t, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1_t) + + auth_read_passwd($1_t) + + dbus_read_pid_files($1_t) + dbus_stream_connect_system_dbusd($1_t) + + dev_read_sysfs($1_t) + + files_read_non_security_files($1_t) + init_read_utmp($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_generic_certs($1_t) + + virt_manage_cache($1_t) + 
virt_manage_pid_files($1_t) + virt_stream_connect($1_t) + + optional_policy(` + dbus_system_bus_client($1_t) + ') + + optional_policy(` + dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t) + ') + + optional_policy(` + systemd_dbus_chat_logind($1_t) + systemd_machined_stream_connect($1_t) + systemd_write_inhibit_pipes($1_t) + ') +') + +######################################## +## <summary> +## Make the specified type usable as a virt image +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virtual image +## </summary> +## </param> +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_getattr_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + allow $1 virtd_exec_t:file getattr; + allow $1 virt_driver_executable:file getattr; +') + +######################################## +## <summary> +## Execute a domain transition to run virt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +######################################## +## <summary> +## Execute virtd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + can_exec($1, virtd_exec_t) + can_exec($1, virt_driver_executable) +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_var_run; + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain) +') + +######################################## +## <summary> +## Read and write to virt_domain unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_virt_domain',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:unix_stream_socket { read write }; +') + + +####################################### +## <summary> +## Connect to svirt process over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_svirt',` + gen_require(` + type svirt_t; + type svirt_image_t; + ') + + stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) +') + +######################################## +## <summary> +## Read and write to apmd unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; +') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 virt_driver_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Allow domain to attach to virt sandbox TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_sandbox_tun_iface',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## manage virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + allow $1 virt_content_t:blk_file map; + allow $1 virt_content_t:file map; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to write virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## <summary> +## Read virt PID symlinks files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_symlinks',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Read virt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Manage virt pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_dirs',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) +') + +######################################## +## <summary> +## Manage virt pid files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) +') + +######################################## +## <summary> +## Create objects in the pid directory +## with a private type with a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`virt_pid_filetrans',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + filetrans_pattern($1, virt_driver_var_run, $2, $3, $4) +') + +######################################## +## <summary> +## Search virt lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Dontaudit inherited read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read virt's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## virt log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to manage virt log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to getattr virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to search virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow domain to read virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to read virt blk image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_blk_images',` + gen_require(` + attribute virt_image_type; + ') + + read_blk_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Allow domain to read/write virt image chr files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_chr_files',` + gen_require(` + attribute virt_image_type; + ') + + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Create, read, write, and delete +## svirt cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_cache',` + gen_require(` + type virt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +####################################### +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_default_image_type',` + gen_require(` + type virt_var_lib_t; + type virt_image_t; + ') + + virt_search_lib($1) + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') + +####################################### +## <summary> +## Get virtd services status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virtd_service_status',` + gen_require(` + type virtd_unit_file_t; + ') + + allow $1 virtd_unit_file_t:service status; +') + +######################################## +## <summary> +## Execute virt server in the virt domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_systemctl',` + gen_require(` + type virtd_unit_file_t; + type virtd_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) +') + +######################################## +## <summary> +## Ptrace the svirt domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_ptrace',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process ptrace; +') + +####################################### +## <summary> +## Execute Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + can_exec($1, svirt_file_type) +') + +######################################## +## <summary> +## Allow any svirt_file_type to be an entrypoint of this domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_sandbox_entrypoint',` + gen_require(` + attribute svirt_file_type; + ') + allow $1 svirt_file_type:file entrypoint; +') + +####################################### +## <summary> +## List Sandbox Dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_list_sandbox_dirs',` + gen_require(` + type svirt_sandbox_file_t; + ') + + list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + +####################################### +## <summary> +## Read Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + list_dirs_pattern($1, svirt_file_type, svirt_file_type) + read_files_pattern($1, svirt_file_type, svirt_file_type) + read_lnk_files_pattern($1, svirt_file_type, svirt_file_type) +') + +####################################### +## <summary> +## Manage Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + manage_dirs_pattern($1, svirt_file_type, svirt_file_type) + manage_files_pattern($1, svirt_file_type, svirt_file_type) + manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type) + manage_chr_files_pattern($1, svirt_file_type, svirt_file_type) + manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type) + allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Getattr Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem getattr; +') + +####################################### +## <summary> +## Relabel Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Mounton Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_mounton_sandbox_file',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:dir_file_class_set mounton; +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + attribute svirt_file_type; + ') + + files_search_pids($1) + stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt',` + gen_require(` + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; + ') + + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + + allow $1 virt_domain:process { sigkill signal signull sigstop }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + + optional_policy(` + ptchown_run(virt_domain, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to write virt daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + +######################################## +## <summary> +## Send a sigkill to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process sigkill; +') + +######################################## +## <summary> +## Send a sigkill to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process sigkill; + allow $1 virt_driver_domain:process sigkill; +') + +######################################## +## <summary> +## Send a signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signal; + allow $1 virt_driver_domain:process signal; +') + +######################################## +## <summary> +## Send null signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signull',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signull; + allow $1 virt_driver_domain:process signull; +') + +######################################## +## <summary> +## Send a signal to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_signal_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process signal; +') + +######################################## +## <summary> +## Send a signal to sandbox domains +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process signal; +') + +######################################## +## <summary> +## Manage virt home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_home_files',` + gen_require(` + type virt_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) +') + +######################################## +## <summary> +## allow domain to read +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file read_file_perms; +') + +######################################## +## <summary> +## allow domain to manage +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## <summary> +## Create .virt directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + type svirt_home_t; + ') + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + + optional_policy(` + gnome_config_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") + gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') +') + +######################################## +## <summary> +## Dontaudit attempts to Read virt_image_type devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_chr_dev',` + gen_require(` + attribute virt_image_type; + ') + + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Make the specified type usable as a virt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt file type +## </summary> +## </param> +# +interface(`virt_file_types',` + gen_require(` + attribute virt_file_type; + ') + + typeattribute $1 virt_file_type; +') + +######################################## +## <summary> +## Make the specified type usable as a svirt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a svirt file type +## </summary> +## </param> +# +interface(`svirt_file_types',` + gen_require(` + attribute svirt_file_type; + ') + + typeattribute $1 svirt_file_type; +') + + +######################################## +## <summary> +## Creates types and rules for a basic +## virt_lxc process domain. 
+## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + logging_send_syslog_msg($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + # optional_policy(` + # container_runtime_typebounds($1_t) + # ') +') + +######################################## +## <summary> +## Make the specified type usable as a lxc domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc domain +## </summary> +## </param> +# +template(`virt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + typeattribute $1 svirt_sandbox_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a lxc network domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc network domain +## </summary> +## </param> +# +template(`virt_sandbox_net_domain',` + gen_require(` + attribute sandbox_net_domain; + ') + + virt_sandbox_domain($1) + typeattribute $1 sandbox_net_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a virt system domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt system domain +## </summary> +## </param> +# +interface(`virt_system_domain_type',` + gen_require(` + attribute virt_system_domain; + ') + + typeattribute $1 virt_system_domain; +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Transition to virt named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_filetrans_named_content',` + gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; + ') + + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process { signal_perms transition }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + + allow svirt_sandbox_domain $1:fd use; + + allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read the process state of virt sandbox containers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_sandbox_read_state',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read and write to svirt_image devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_image',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rlimitinh',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { rlimitinh }; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_noatsecure',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { noatsecure rlimitinh }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an virt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`virt_admin',` + gen_require(` + attribute virt_domain; + attribute virt_system_domain; + attribute svirt_file_type; + attribute virt_file_type; + type virtd_initrc_exec_t; + type virtd_unit_file_t; + ') + + allow $1 virt_system_domain:process signal_perms; + allow $1 virt_domain:process signal_perms; + ps_process_pattern($1, virt_system_domain) + ps_process_pattern($1, virt_domain) + tunable_policy(`deny_ptrace',`',` + allow $1 virt_system_domain:process ptrace; + allow $1 virt_domain:process ptrace; + ') + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + allow $1 virt_domain:process signal_perms; + + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) + + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; + + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_default_capabilities',` + gen_require(` + attribute sandbox_caps_domain; + ') + + typeattribute $1 sandbox_caps_domain; +') + +######################################## +## <summary> +## Send and receive messages from +## virt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dbus_chat',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + class dbus send_msg; + ') + + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + allow $1 virt_driver_domain:dbus send_msg; + allow virt_driver_domain $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) + ps_process_pattern(virt_driver_domain, $1) +') + +######################################## +## <summary> +## Execute a file in a sandbox directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a sandbox directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`virt_sandbox_domtrans',` + gen_require(` + type container_file_t; + ') + + domtrans_pattern($1,container_file_t, $2) +') + +######################################## +## <summary> +## Dontaudit read the process state (/proc/pid) of libvirt +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_state',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; +') + +####################################### +## <summary> +## Send to libvirt with a unix dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dgram_send',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## <summary> +## Manage svirt home files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_home',` + gen_require(` + type svirt_home_t; + ') + + manage_files_pattern($1, svirt_home_t, svirt_home_t) + manage_dirs_pattern($1, svirt_home_t, svirt_home_t) + manage_sock_files_pattern($1, svirt_home_t, svirt_home_t) +') + +######################################## +## <summary> +## Manage svirt tmp files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> +## Read qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) + read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') diff --git a/src/security/selinux/virt.te b/src/security/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/src/security/selinux/virt.te 
@@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow confined virtual guests to use serial/parallel communication ports +## </p> +## </desc> +gen_tunable(virt_use_comm, false) + +## <desc> +## <p> +## Allow virtual processes to run as userdomains +## </p> +## </desc> +gen_tunable(virt_transition_userdomain, false) + +## <desc> +## <p> +## Allow confined virtual guests to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virt_use_execmem, false) + +## <desc> +## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> +## Allow confined virtual guests to read fuse files +## </p> +## </desc> +gen_tunable(virt_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to use glusterd +## </p> +## </desc> +gen_tunable(virt_use_glusterd, false) + +## <desc> +## <p> +## Allow sandbox containers to share apache content +## </p> +## </desc> +gen_tunable(virt_sandbox_share_apache_content, false) + +## <desc> +## <p> +## Allow sandbox containers manage fuse files +## </p> +## </desc> +gen_tunable(virt_sandbox_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage nfs files +## </p> +## </desc> +gen_tunable(virt_use_nfs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage cifs files +## </p> +## </desc> +gen_tunable(virt_use_samba, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> +## </desc> +gen_tunable(virt_use_sanlock, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> +## </desc> +gen_tunable(virt_use_rawip, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the xserver +## </p> +## </desc> +gen_tunable(virt_use_xserver, false) + +## <desc> +## <p> +## Allow 
confined virtual guests to use usb devices +## </p> +## </desc> +gen_tunable(virt_use_usb, true) + +## <desc> +## <p> +## Allow confined virtual guests to use smartcards +## </p> +## </desc> +gen_tunable(virt_use_pcscd, false) + +## <desc> +## <p> +## Allow sandbox containers to send audit messages + +## </p> +## </desc> +gen_tunable(virt_sandbox_use_audit, true) + +## <desc> +## <p> +## Allow sandbox containers to use netlink system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_netlink, false) + +## <desc> +## <p> +## Allow sandbox containers to use sys_admin system calls, for example mount +## </p> +## </desc> +gen_tunable(virt_sandbox_use_sys_admin, false) + +## <desc> +## <p> +## Allow sandbox containers to use mknod system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_mknod, false) + +## <desc> +## <p> +## Allow sandbox containers to use all capabilities +## </p> +## </desc> +gen_tunable(virt_sandbox_use_all_caps, true) + +## <desc> +## <p> +## Allow virtlockd read and lock block devices. 
+## </p> +## </desc> +gen_tunable(virt_lockd_blk_devs, false) + +gen_require(` + class passwd rootok; + class passwd passwd; +') + +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) + +virt_domain_template(svirt) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; + +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; +files_type(virt_cache_t) + +type virt_etc_t, virt_file_type; +files_config_file(virt_etc_t) + +type virt_etc_rw_t, virt_file_type; +files_type(virt_etc_rw_t) + +type virt_home_t, virt_file_type; +userdom_user_home_content(virt_home_t) + +type svirt_home_t, svirt_file_type; +userdom_user_home_content(svirt_home_t) + +# virt Image files +type virt_image_t, virt_file_type; # customizable +virt_image(virt_image_t) +files_mountpoint(virt_image_t) + +# virt Image files +type virt_content_t, virt_file_type; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) + +type virt_log_t, virt_file_type; +logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) + +type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) + +type virt_var_run_t, virt_file_type; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t, 
virt_file_type; +files_mountpoint(virt_var_lib_t) + +type virt_var_lockd_t, virt_file_type; + +type virtd_t, virt_system_domain; +type virtd_exec_t, virt_file_type; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + +type virtd_initrc_exec_t, virt_file_type; +init_script_file(virtd_initrc_exec_t) + +type virtd_keytab_t; +files_type(virtd_keytab_t) + +type virtlogd_t, virt_system_domain; +type virtlogd_exec_t, virt_file_type; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_etc_t, virt_file_type; +files_config_file(virtlogd_etc_t) + +type virtlogd_var_run_t, virt_file_type; +files_pid_file(virtlogd_var_run_t) + +type virtlogd_unit_file_t, virt_file_type; +systemd_unit_file(virtlogd_unit_file_t) + +type virtlogd_initrc_exec_t, virt_file_type; +init_script_file(virtlogd_initrc_exec_t) + +type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) +') + +# virtinterfaced +virt_driver_template(virtinterfaced) +files_type(virtinterfaced_t) + +# virtnetworkd +virt_driver_template(virtnetworkd) +files_type(virtnetworkd_t) + +# virtnodedevd +virt_driver_template(virtnodedevd) +files_type(virtnodedevd_t) + +# virtnwfilterd +virt_driver_template(virtnwfilterd) +files_type(virtnwfilterd_t) + +# virtproxyd +virt_driver_template(virtproxyd) +files_type(virtproxyd_t) + +# virtqemud +virt_driver_template(virtqemud) +files_type(virtqemud_t) 
+domain_obj_id_change_exemption(virtqemud_t) + +type virtqemud_tmp_t; +files_tmp_file(virtqemud_tmp_t) + +# virtsecretd +virt_driver_template(virtsecretd) +files_type(virtsecretd_t) + +# virtstoraged +virt_driver_template(virtstoraged) +files_type(virtstoraged_t) + +type virtstoraged_tmp_t; +files_tmp_file(virtstoraged_tmp_t) + +# virtvboxd +virt_driver_template(virtvboxd) +files_type(virtvboxd_t) + +# virtvzd +virt_driver_template(virtvzd) +files_type(virtvzd_t) + +# virtxend +virt_driver_template(virtxend) +files_type(virtxend_t) + +######################################## +# +# Declarations +# +attribute svirt_sandbox_domain; + +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + +# virt lxc container files +type container_file_t, svirt_file_type; +typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_file_t) + +type container_ro_file_t, svirt_file_type; +files_mountpoint(container_ro_file_t) + +######################################## +# +# svirt local policy +# + +allow svirt_t self:process ptrace; + +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +init_dontaudit_read_state(svirt_t) + +virt_dontaudit_read_state(svirt_t) + +storage_rw_inherited_fixed_disk_dev(svirt_t) + +userdom_read_all_users_state(svirt_t) + +####################################### +# +# svirt_prot_exec local policy +# + +allow svirt_tcg_t 
self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) +corenet_udp_bind_generic_node(svirt_tcg_t) +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) + +ps_process_pattern(svirt_tcg_t, virtd_t) + +virt_dontaudit_read_state(svirt_tcg_t) + +######################################## +# +# virtd local policy +# + +allow virtd_t self:capability { chown dac_read_search fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit virtd_t self:capability { sys_module }; +') + +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow virtd_t self:rawip_socket create_socket_perms; +allow virtd_t self:packet_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; +allow virtd_t self:netlink_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) +files_var_filetrans(virtd_t, virt_cache_t, dir) + +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virtd_keytab_t:file 
read_file_perms; + +allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virt_domain virtd_t:fd use; +allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain virtd_t:tun_socket attach_queue; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) +filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type) +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:dir { rmdir setattr }; +allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t 
virt_image_type:chr_file relabel_chr_file_perms; +allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto }; +allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + +manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) +allow virtd_t virt_var_lib_t:file { relabelfrom relabelto }; + +manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +manage_files_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file }) + +manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) + +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t 
virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) + +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) +kernel_request_load_module(virtd_t) +kernel_search_debugfs(virtd_t) +kernel_dontaudit_setsched(virtd_t) +kernel_write_proc_files(virtd_t) + +corecmd_exec_bin(virtd_t) +corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_generic_if(virtd_t) +corenet_tcp_sendrecv_generic_node(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_generic_node(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) +corenet_relabel_tun_tap_dev(virtd_t) + +dev_rw_vfio_dev(virtd_t) +dev_rw_sysfs(virtd_t) +dev_read_urand(virtd_t) +dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) +dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) +dev_setattr_generic_usb_dev(virtd_t) +dev_relabel_generic_usb_dev(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_signull_all_domains(virtd_t) + +files_list_all_mountpoints(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) +files_relabelfrom_boot_files(virtd_t) +files_relabelto_boot_files(virtd_t) +files_manage_boot_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) + 
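Review bot: `manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t)` and the matching `manage_files_pattern` sit in the middle of the virtd local policy section but grant virtlogd_t, and no virtlockd domain is declared anywhere in this file, so it is unclear whether virtlockd is meant to run as virtlogd_t or the subject is a typo for virtd_t. Either move the two rules under the virtlogd section with a comment saying that virtlockd shares virtlogd_t (the `virt_lockd_blk_devs` tunable granting `dev_lock_all_blk_files(virtlogd_t)` suggests that is the intent) or fix the subject. The commented-out `#allow virtd_t self:capability2 compromise_kernel;` should be dropped rather than carried as dead text.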
+fs_read_tmpfs_symlinks(virtd_t) +fs_list_auto_mountpoints(virtd_t) +fs_getattr_all_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) +fs_manage_cgroup_dirs(virtd_t) +fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_read_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) +mls_file_upgrade(virtd_t) + +mcs_process_set_categories(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) +storage_raw_write_removable_device(virtd_t) +storage_raw_read_removable_device(virtd_t) + +term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) +term_use_ptmx(virtd_t) + +auth_use_nsswitch(virtd_t) + +init_dbus_chat(virtd_t) + +miscfiles_read_generic_certs(virtd_t) +miscfiles_read_hwdata(virtd_t) + +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) + +logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) + +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) +seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) + +sysnet_signull_ifconfig(virtd_t) +sysnet_signal_ifconfig(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) + +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) + +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) +userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_tmp_files(virtd_t) +userdom_setattr_user_tmp_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) 
+userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_files(virtd_t) + fs_mmap_nfs_files(virtd_t) + fs_read_nfs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) +') + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + consoletype_exec(virtd_t) +') + +optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + consolekit_dbus_chat(virtd_t) + ') + + optional_policy(` + hal_dbus_chat(virtd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dmidecode_domtrans(virtd_t) +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t) + dnsmasq_manage_pid_files(virtd_t) +') + +optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall + iptables_manage_config(virtd_t) +') + +optional_policy(` + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + + xen_exec(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +') + +optional_policy(` + 
lvm_domtrans(virtd_t) +') + +optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(virtd_t) + mount_signal(virtd_t) +') + +optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') + +optional_policy(` + qemu_exec(virtd_t) +') + +optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` + udev_domtrans(virtd_t) + udev_read_db(virtd_t) + udev_read_pid_files(virtd_t) +') + +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## +# +# virtlogd local policy +# + +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) + +# virtlogd needs to read /etc/libvirt/virtlogd.conf only +allow virtlogd_t virtlogd_etc_t:file read_file_perms; +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:file read_file_perms; +allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock }; +allow virtlogd_t virt_etc_t:dir search; + +manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) + +# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated +# context from other stuff in /var/run/libvirt +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too + +# virtlogd creates a /var/run/virtlogd.pid file +allow virtlogd_t virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) 
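Review bot: the trailing `optional_policy(` unconfined_domain(virtd_t) ')` in the virtd local policy block makes virtd_t fully unconfined whenever the unconfined module is loaded, which is the case on a default targeted install, so the several hundred lines of virtd_t allow rules above it only constrain anything on systems that have removed that module. If libvirtd is intentionally left unconfined for now, say so in a comment next to the rule; otherwise remove it so the policy actually confines the daemon it describes. Also, in the virtlogd section the comment `# This lets systemd create the socket itself too` is followed by no rule at all, so either the intended rule is missing or the comment should go.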
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) + +manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) + +can_exec(virtlogd_t, virtlogd_exec_t) + +kernel_read_network_state(virtlogd_t) + +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + +# Allow virtlogd_t to execute itself. +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + +manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t) + +virt_manage_lib_files(virtlogd_t) + +tunable_policy(`virt_lockd_blk_devs',` + dev_lock_all_blk_files(virtlogd_t) +') + +tunable_policy(`virt_use_nfs',` + fs_append_nfs_files(virtlogd_t) +') + +optional_policy(` + dbus_system_bus_client(virtlogd_t) +') + +optional_policy(` + systemd_write_inhibit_pipes(virtlogd_t) + systemd_dbus_chat_logind(virtlogd_t) +') + +######################################## +# +# virtual domains common policy +# +#allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { getsched setrlimit setsched signal_perms }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain 
self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; +allow virt_domain self:icmp_socket create_socket_perms; +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; + +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) +kernel_ib_access_unlabeled_pkeys(virt_domain) + +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) +append_files_pattern(virt_domain, virt_home_t, virt_home_t) +manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +read_files_pattern(virt_domain, virt_image_t, virt_image_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_blk_files_pattern(virt_domain, 
svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) +allow svirt_t svirt_image_t:file map; +allow svirt_t svirt_image_t:blk_file map; + +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file}) +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) +allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh}; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) +corenet_tcp_bind_generic_node(virt_domain) +corenet_tcp_bind_vnc_port(virt_domain) +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) 
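Review bot: inside the "virtual domains common policy" block, `allow svirt_t svirt_image_t:file map;` and `allow svirt_t svirt_image_t:blk_file map;` are granted to svirt_t only, while every other rule in the block uses the virt_domain attribute; svirt_tcg_t and any other virt_domain member therefore get rw on svirt_image_t but cannot mmap it. Use `virt_domain` as the subject, as `allow virt_domain svirt_tmpfs_t:file map;` does a few lines later, or move the two rules into the svirt local policy section. Minor: `{ noatsecure rlimitinh siginh}` and `{ file dir lnk_file sock_file}` are missing the space before the closing brace used everywhere else in the file.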
+corenet_rw_inherited_tun_tap_dev(virt_domain) + +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) +dev_read_generic_symlinks(virt_domain) +dev_read_rand(virt_domain) +dev_read_sound(virt_domain) +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_sev(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) +dev_rw_tpm(virt_domain) +dev_rw_xserver_misc(virt_domain) + +domain_use_interactive_fds(virt_domain) + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) + +fs_rw_cephfs_files(virt_domain) +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) +fs_rw_inherited_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) + +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_files(virt_domain) +') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) + fs_mmap_nfs_files(virt_domain) +') + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) +') + +optional_policy(` + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + sanlock_read_state(virt_domain) + ') +') + +optional_policy(` + 
tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') +') + +optional_policy(` + alsa_read_rw_config(virt_domain) +') + +optional_policy(` + gnome_dontaudit_manage_cache_home_dir(virt_domain) +') + +optional_policy(` + nscd_dontaudit_read_pid(virt_domain) +') + +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') + +optional_policy(` + openvswitch_stream_connect(svirt_t) +') + +optional_policy(` + ptchown_domtrans(virt_domain) +') + +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) +') + +optional_policy(` + sssd_read_public_files(virt_domain) +') + +optional_policy(` + unconfined_dontaudit_read_state(virt_domain) +') + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') + +optional_policy(` + xserver_rw_shm(virt_domain) +') + +######################################## +# +# xm local policy +# +type virsh_t, virt_system_domain; +type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap setexec setsched signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) +virt_domtrans(virsh_t) +virt_manage_images(virsh_t) +virt_manage_config(virsh_t) +virt_stream_connect(virsh_t) + +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) 
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +manage_dirs_pattern(virsh_t, container_file_t, container_file_t) +manage_files_pattern(virsh_t, container_file_t, container_file_t) +manage_chr_files_pattern(virsh_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t) +manage_sock_files_pattern(virsh_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_write_proc_files(virsh_t) +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_rand(virsh_t) +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_list_mnt(virsh_t) +files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + 
+storage_raw_read_fixed_disk(virsh_t) + +term_use_all_inherited_terms(virsh_t) +term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +systemd_exec_systemctl(virsh_t) + +auth_read_passwd(virsh_t) + +logging_send_syslog_msg(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +userdom_stream_connect(virsh_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) + fs_manage_cifs_files(virsh_t) + fs_read_cifs_symlinks(virsh_t) +') + +optional_policy(` + cron_system_entry(virsh_t, virsh_exec_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) + + optional_policy(` + hal_dbus_chat(virsh_t) + ') +') + +optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + +optional_policy(` + rpm_exec(virsh_t) +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +######################################## +# +# virt_lxc local policy +# +allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow 
virtd_lxc_t self:capability { chown dac_read_search net_admin net_raw setgid setpcap setuid sys_admin sys_boot sys_nice sys_resource }; +allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition }; +#allow virtd_lxc_t self:capability2 compromise_kernel; + +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_lxc_t self:packet_socket create_socket_perms; +ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +corecmd_entrypoint_all_executables(virtd_lxc_t) +files_entrypoint_all_mountpoint(virtd_lxc_t) + +allow virtd_lxc_t virt_image_type:dir mounton; +manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +allow 
virtd_lxc_t container_file_t:dir_file_class_set { relabelfrom relabelto }; +allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto }; +files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) + +storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) + +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) +kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) + +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) + +dev_relabel_all_dev_nodes(virtd_lxc_t) +dev_rw_sysfs(virtd_lxc_t) +dev_read_sysfs(virtd_lxc_t) +dev_read_urand(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + +files_search_all(virtd_lxc_t) +files_getattr_all_files(virtd_lxc_t) +files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) +files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) + +fs_read_fusefs_files(virtd_lxc_t) +fs_getattr_all_fs(virtd_lxc_t) +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) +fs_manage_tmpfs_symlinks(virtd_lxc_t) +fs_manage_cgroup_dirs(virtd_lxc_t) +fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) +fs_rw_cgroup_files(virtd_lxc_t) +fs_unmount_all_fs(virtd_lxc_t) +fs_relabelfrom_tmpfs(virtd_lxc_t) + +logging_send_audit_msgs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) +selinux_unmount_fs(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) + +term_use_generic_ptys(virtd_lxc_t) +term_use_ptmx(virtd_lxc_t) +term_relabel_pty_fs(virtd_lxc_t) + +auth_use_nsswitch(virtd_lxc_t) + +logging_send_syslog_msg(virtd_lxc_t) + +seutil_domtrans_setfiles(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) +selinux_validate_context(virtd_lxc_t) +selinux_compute_access_vector(virtd_lxc_t) 
+selinux_compute_create_context(virtd_lxc_t) +selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) + +sysnet_exec_ifconfig(virtd_lxc_t) + +systemd_dbus_chat_machined(virtd_lxc_t) + +userdom_read_admin_home_files(virtd_lxc_t) + +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) + + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') + +optional_policy(` + container_exec_lib(virtd_lxc_t) +') + +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') + +optional_policy(` + unconfined_domain(virtd_lxc_t) +') + +######################################## +# +# svirt_sandbox_domain local policy +# +allow svirt_sandbox_domain self:key manage_key_perms; +dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; + +allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid setrlimit setsched signal_perms }; +allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms; +allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; +allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; +allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; + +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) +fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') + +allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow 
virtd_t svirt_sandbox_domain:process { getattr signal_perms }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setrlimit setsched signal_perms transition }; + +allow svirt_sandbox_domain virtd_lxc_t:process sigchld; +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + +manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton; + +list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_file_t) + +allow svirt_sandbox_domain container_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +can_exec(svirt_sandbox_domain, container_file_t) +allow svirt_sandbox_domain container_file_t:dir mounton; +allow svirt_sandbox_domain container_file_t:filesystem { getattr remount }; + +kernel_getattr_proc(svirt_sandbox_domain) +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) 
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) +kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + +domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain) +domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain) + +files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) +files_dontaudit_getattr_all_files(svirt_sandbox_domain) +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) +files_search_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) + +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + +files_search_all(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) +fs_rw_cephfs_files(svirt_sandbox_domain) + +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) +fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + +init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) + +miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) 
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) +miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain) + +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) + fs_mount_nfs(svirt_sandbox_domain) + fs_unmount_nfs(svirt_sandbox_domain) + fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) + fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) +') + +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') + +optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +') + +optional_policy(` + 
mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +# Policy moved to container-selinux policy package + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; + +allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execmem execstack }; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_qemu_net_t self:netlink_socket create_socket_perms; + allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, 
virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) + +userdom_use_user_ptys(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') + +####################################### +# +# virtinterfaced local policy +# +allow virtinterfaced_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { file dir }) + +kernel_read_network_state(virtinterfaced_t) + +corecmd_exec_bin(virtinterfaced_t) + +fs_getattr_all_fs(virtinterfaced_t) + +modutils_read_module_config(virtinterfaced_t) + +sysnet_manage_config(virtinterfaced_t) + +userdom_read_all_users_state(virtinterfaced_t) + +####################################### +# +# virtnetworkd local policy +# +allow virtnetworkd_t self:capability { kill sys_ptrace }; +allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnetworkd_t self:process setcap; +allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto }; + +manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtnetworkd_t, 
virt_var_lib_t, virt_var_lib_t) + +kernel_read_network_state(virtnetworkd_t) +kernel_request_load_module(virtnetworkd_t) +kernel_rw_net_sysctls(virtnetworkd_t) + +corenet_rw_tun_tap_dev(virtnetworkd_t) + +dev_rw_sysfs(virtnetworkd_t) + +sysnet_read_config(virtnetworkd_t) + +optional_policy(` + dnsmasq_domtrans(virtnetworkd_t) + dnsmasq_manage_pid_files(virtnetworkd_t) + dnsmasq_read_state(virtnetworkd_t) + dnsmasq_signal(virtnetworkd_t) + dnsmasq_signull(virtnetworkd_t) +') + +optional_policy(` + iptables_domtrans(virtnetworkd_t) + iptables_read_var_run(virtnetworkd_t) +') + +####################################### +# +# virtnodedevd local policy +# +allow virtnodedevd_t self:capability sys_admin; +allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; + +kernel_request_load_module(virtnodedevd_t) + +dev_rw_mtrr(virtnodedevd_t) + +miscfiles_read_hwdata(virtnodedevd_t) + +optional_policy(` + udev_read_pid_files(virtnodedevd_t) +') + +####################################### +# +# virtnwfilterd local policy +# +allow virtnwfilterd_t self:capability net_raw; +allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; +allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) + +manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t) + +kernel_read_all_proc(virtnwfilterd_t) +kernel_read_net_sysctls(virtnwfilterd_t) +kernel_request_load_module(virtnwfilterd_t) + +corecmd_exec_bin(virtnwfilterd_t) + +optional_policy(` + dnsmasq_domtrans(virtnwfilterd_t) + dnsmasq_manage_pid_files(virtnwfilterd_t) +') + +optional_policy(` + iptables_domtrans(virtnwfilterd_t) + 
iptables_filetrans_named_content(virtnwfilterd_t) + iptables_read_var_run(virtnwfilterd_t) +') + +####################################### +# +# virtproxyd local policy +# +allow virtproxyd_t self:tcp_socket create_stream_socket_perms; +allow virtproxyd_t self:udp_socket create_socket_perms; + +corenet_tcp_bind_generic_node(virtproxyd_t) +corenet_tcp_bind_virt_port(virtproxyd_t) + +userdom_read_all_users_state(virtproxyd_t) + +####################################### +# +# virtqemud local policy +# +allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:netlink_audit_socket nlmsg_relay; +allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate }; +allow virtqemud_t self:tcp_socket create_socket_perms; +allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:udp_socket { create getattr }; + +allow virtqemud_t svirt_t:process { setsched signal signull transition }; +allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; + +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + +allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; + +allow virtqemud_t virt_driver_domain:unix_stream_socket connectto; + +allow virtqemud_t virt_var_run_t:file map; + +allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file}) + +manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) 
+manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) + +manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +read_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) + +manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) + +manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t) + +manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) + +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) + +manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t) + +read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) + +kernel_read_all_proc(virtqemud_t) +kernel_request_load_module(virtqemud_t) + +corecmd_exec_bin(virtqemud_t) +corecmd_exec_shell(virtqemud_t) + +corenet_rw_tun_tap_dev(virtqemud_t) +corenet_tcp_bind_generic_node(virtqemud_t) +corenet_tcp_bind_vnc_port(virtqemud_t) + +dev_read_cpuid(virtqemud_t) +dev_read_sysfs(virtqemud_t) +dev_read_urand(virtqemud_t) +dev_relabel_all_dev_nodes(virtqemud_t) +dev_rw_kvm(virtqemud_t) +dev_rw_vhost(virtqemud_t) + +files_mounton_non_security(virtqemud_t) +files_read_all_symlinks(virtqemud_t) + +fs_getattr_hugetlbfs(virtqemud_t) +fs_manage_hugetlbfs_dirs(virtqemud_t) +fs_manage_cgroup_dirs(virtqemud_t) +fs_manage_cgroup_files(virtqemud_t) +fs_manage_tmpfs_chr_files(virtqemud_t) +fs_manage_tmpfs_dirs(virtqemud_t) +fs_manage_tmpfs_symlinks(virtqemud_t) +fs_mount_tmpfs(virtqemud_t) +fs_read_nsfs_files(virtqemud_t) +fs_relabel_tmpfs_chr_file(virtqemud_t) + +seutil_read_default_contexts(virtqemud_t) +seutil_read_file_contexts(virtqemud_t) + +init_stream_connect(virtqemud_t) +init_stream_connect_script(virtqemud_t) + 
+sysnet_exec_ifconfig(virtqemud_t) +sysnet_manage_config(virtqemud_t) + +userdom_read_all_users_state(virtqemud_t) +userdom_read_user_home_content_files(virtqemud_t) +userdom_relabel_user_home_files(virtqemud_t) + +tunable_policy(`virtqemud_use_execmem',` + allow virtqemud_t self:process { execmem execstack }; +') + +optional_policy(` + dmidecode_domtrans(virtqemud_t) +') + +optional_policy(` + qemu_exec(virtqemud_t) +') + +optional_policy(` + systemd_userdbd_stream_connect(virtqemud_t) +') + +####################################### +# +# virtstoraged local policy +# +allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock }; + +files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) + +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t) + +manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t) + +manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virtstoraged_t) + +fs_getattr_all_fs(virtstoraged_t) + +userdom_read_user_home_content_files(virtstoraged_t) + +####################################### +# +# virtvboxd local policy +# +allow virtvboxd_t self:netlink_audit_socket create; +allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtvboxd_t self:netlink_route_socket create_socket_perms; +allow virtvboxd_t self:unix_dgram_socket create; +allow virtvboxd_t virt_etc_t:dir search; + +####################################### +# +# virtvzd local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. 
+optional_policy(` + unconfined_domain(virtvzd_t) +') + +####################################### +# +# virtxend local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. +optional_policy(` + unconfined_domain(virtxend_t) +') + +####################################### +# +# tye for svirt sockets +# + +type svirt_socket_t; +domain_type(svirt_socket_t) +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; + +tunable_policy(`virt_transition_userdomain',` + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') + +######################################## +# +# svirt_kvm_net_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; + +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_kvm_net_t self:netlink_socket create_socket_perms; + allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) + +dev_rw_kvm(svirt_kvm_net_t) + +manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) + +list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) + +kernel_read_network_state(svirt_kvm_net_t) +kernel_read_irq_sysctls(svirt_kvm_net_t) + +dev_read_sysfs(svirt_kvm_net_t) 
+dev_getattr_mtrr_dev(svirt_kvm_net_t) +dev_read_rand(svirt_kvm_net_t) +dev_read_urand(svirt_kvm_net_t) + +files_read_kernel_modules(svirt_kvm_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) +fs_manage_cgroup_files(svirt_kvm_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_kvm_net_t) + +rpm_read_db(svirt_kvm_net_t) + +logging_send_syslog_msg(svirt_kvm_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_kvm_net_t) +') + +userdom_use_user_ptys(svirt_kvm_net_t) + +kernel_read_network_state(sandbox_net_domain) + +allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw }; +allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw }; + +allow sandbox_net_domain self:udp_socket create_socket_perms; +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow sandbox_net_domain self:packet_socket create_socket_perms; +allow sandbox_net_domain self:socket create_socket_perms; +allow sandbox_net_domain self:rawip_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) +corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) + +optional_policy(` + sssd_stream_connect(sandbox_net_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') + +allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot 
}; +allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +allow svirt_sandbox_domain container_ro_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_ro_file_t) -- 2.30.2
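Review bot: the `virt_use_samba` tunable block for virsh_t repeats `fs_manage_cifs_files(virsh_t)` on two consecutive lines and never grants directory access, so turning the boolean on will still not let virsh manage images on a CIFS share; the second line was presumably meant to be `fs_manage_cifs_dirs(virsh_t)`, mirroring the `virt_use_nfs` block directly above it (`fs_manage_nfs_dirs`, `fs_manage_nfs_files`, `fs_read_nfs_symlinks`).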
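Review bot: the virtd_lxc local policy ends with `optional_policy(\` unconfined_domain(virtd_lxc_t) ')`, which makes every preceding virtd_lxc_t rule moot on any system where the unconfined module is loaded, i.e. on every default Fedora/RHEL install; if that is intentional for the LXC driver it needs the same kind of comment that virtvzd and virtxend get ("Use unconfined_domain macro until the policy for this driver is made"), otherwise it should be dropped so the carefully enumerated rules actually confine the driver. In the same section the dead rule `#allow virtd_lxc_t self:capability2 compromise_kernel;` should be removed rather than shipped commented out, and the two `allow virtd_lxc_t self:process { ... }` rules both grant `signal_perms` and can be merged into one.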
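Review bot: the svirt_sandbox_domain section carries duplicated rules that make its effective access harder to audit: `can_exec(svirt_sandbox_domain, container_file_t)` appears twice, `allow svirt_sandbox_domain container_file_t:file execmod;` restates a permission already granted a few lines earlier via `{ execmod relabelfrom relabelto }`, and `fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)` and `dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)` are stated unconditionally near the top of the section and again inside the container `optional_policy` block. Please keep one copy of each. Style: the `tunable_policy(\`virt_sandbox_share_apache_content',` nested in `optional_policy` is the only nested block in the file that is not indented.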
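Review bot: the second `# container_t local policy` header is a copy-paste error; the block beneath it defines `svirt_qemu_net_t` (`virt_sandbox_domain_template(svirt_qemu_net)`, `typeattribute svirt_qemu_net_t sandbox_net_domain;`), so the banner should read `# svirt_qemu_net_t local policy`. Likewise the banner `# tye for svirt sockets` above `type svirt_socket_t;` should read `# type for svirt sockets`. With a 2000-line .te file these banners are what reviewers navigate by, so they are worth getting right.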
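Review bot: the svirt_kvm_net_t block near the end of the file is a near-verbatim copy of the svirt_qemu_net_t block (identical capability set, identical `virt_sandbox_use_netlink` and `virt_sandbox_use_audit` tunables, the same dev/fs/term/auth/rpm/logging interface calls), differing essentially only in the `execmem execstack` rule and the runtime socket directory type (`qemu_var_run_t` vs `virt_var_run_t`). Since both types already carry the `sandbox_net_domain` attribute, moving the shared rules onto that attribute would halve the text and remove the repeated `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)` declarations, which are type-attribute assignments and only need to be made once; `kernel_read_network_state(svirt_kvm_net_t)` is already implied by `kernel_read_network_state(sandbox_net_domain)` a few lines below it.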
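Review bot: `manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t)` in the virtnwfilterd section looks like a copy-paste slip: it gives the firewall driver full write access to virtlogd's runtime files (with `virt_var_run_t` as the directory type), while every other daemon pairs its own `*_var_run_t` type or `virt_var_run_t` in both arguments. Either drop it or cite the AVC that motivated it. The same section also lets virtnwfilterd_t manage `virtnetworkd_var_run_t` and transition to dnsmasq (`dnsmasq_domtrans`, `dnsmasq_manage_pid_files`); if the nwfilter driver really needs to drive virtnetworkd's helper rather than only iptables/ebtables, a comment explaining why would stop a later cleanup from removing it.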
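Review bot: virtqemud_t ends up with the widest privilege of any confined domain in the module: `allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio };` plus `dev_relabel_all_dev_nodes`, `files_mounton_non_security` and `userdom_relabel_user_home_files`. A one-line comment per unusual grant (`dac_override`, `sys_ptrace`, `sys_rawio` in particular) naming the libvirt operation that produced the AVC would let maintainers judge later whether it can be narrowed or made conditional, as was done for execmem with the `virtqemud_use_execmem` tunable.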

Compile the policy using a script executed by meson. Generate 2 versions of the binary policy to allow installation to systems with any selinux type (targeted, mls and minimum). Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 92 +++++++++++++++++ src/security/meson.build | 13 +++ src/security/selinux/compile_policy.py | 135 +++++++++++++++++++++++++ src/security/selinux/mcs/meson.build | 20 ++++ src/security/selinux/meson.build | 7 ++ src/security/selinux/mls/meson.build | 20 ++++ 6 files changed, 287 insertions(+) create mode 100755 src/security/selinux/compile_policy.py create mode 100644 src/security/selinux/mcs/meson.build create mode 100644 src/security/selinux/meson.build create mode 100644 src/security/selinux/mls/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index da7af2824e..940582b2c7 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,12 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global modulename virt +%endif + %define min_rhel 7 %define min_fedora 31 @@ -467,6 +473,12 @@ Requires(pre): shadow-utils # Needed by /usr/libexec/libvirt-guests.sh script. Requires: gettext +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-daemon-selinux if selinux-policy-base) +%endif + # Ensure smooth upgrades Obsoletes: libvirt-admin < 7.3.0 Provides: libvirt-admin 
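Review bot: the rich dependency `Requires: (%{name}-daemon-selinux if selinux-policy-base)` does what is intended, but the explanatory comment above it has a typo: "all it's dependencies" should be "all its dependencies". Since this comment is the only place in the spec that records why the policy is not a hard dependency (containers and SELinux-less hosts), it is worth keeping it accurate.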
@@ -979,6 +991,19 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} %description nss Libvirt plugin for NSS for translating domain names into IP addresses. +%if 0%{?with_selinux} +# SELinux subpackage +%package daemon-selinux +Summary: Libvirt daemon SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description daemon-selinux +SELinux policy module for libvirt daemons. +%endif %prep 
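Review bot: `BuildRequires: selinux-policy-devel` is placed inside the `%package daemon-selinux` stanza; RPM accepts it there, but build dependencies are conventionally listed in the main preamble, and this one is needed by the whole build because compile_policy.py reads the interface headers from /usr/share/selinux/devel/include. Moving it under the existing `%if 0%{?with_selinux}` in the preamble keeps that visible. Note also that `%{?selinux_requires}` expands to nothing when the macro is undefined in the build root, so `Requires: selinux-policy-base` / `Requires(post): selinux-policy-base` are the only guaranteed runtime dependencies; that is acceptable but deserves a comment.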
@@ -1495,6 +1520,63 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_pre -s ${SELINUXTYPE} +fi + +%post daemon-selinux +# only policy reload is needed - module installation is managed by triggers +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || : + +%postun daemon-selinux +if [ $1 -eq 0 ]; then + /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : +fi + +%posttrans daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_post -s ${SELINUXTYPE} +fi + +# install the policy module to corresponding policy store if +# selinux-policy-{targeted|mls|minimum} package is installed on the system +%triggerin -n %{name}-daemon-selinux -- selinux-policy-targeted +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-minimum +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : +# libvirt module is installed by default, but disabled -- enable it +/usr/sbin/semodule -n -s minimum -e %{modulename} || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-mls +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || : + +# remove the policy module from corresponding module store if +# libvirt-selinux or selinux-policy-* was removed from the system, +# but not when either package gets updated +%triggerun -n %{name}-daemon-selinux -- selinux-policy-targeted +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- 
selinux-policy-minimum +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || : + /usr/sbin/semodule -n -d %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- selinux-policy-mls +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || : +fi +%endif + %files %files docs @@ -1955,5 +2037,15 @@ exit 0 %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml +%if 0%{?with_selinux} +%files daemon-selinux +%{_datadir}/selinux/packages/%{modulename}.pp.* +%{_datadir}/selinux/packages/mls/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} +%ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} +%ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} +%{_datadir}/selinux/devel/include/contrib/%{modulename}.if +%endif + %changelog diff --git a/src/security/meson.build b/src/security/meson.build index 416fec7900..1d377bbbf9 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -56,3 +56,16 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif + +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>33')) or + (os_release.contains('rhel') and os_version.version_compare('>8'))) + subdir('selinux') +endif diff --git a/src/security/selinux/compile_policy.py b/src/security/selinux/compile_policy.py new file mode 100755 index 0000000000..7a703dbb3d --- /dev/null +++ b/src/security/selinux/compile_policy.py 
@@ -0,0 +1,135 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# <http://www.gnu.org/licenses/>. + +# This script is based on selinux-policy Makefile +# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Makefi... + +import subprocess +import sys +import os +import glob + +if len(sys.argv) != 7: + print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr) + exit(os.EX_USAGE) + +module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0] + +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms", + "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", + "-D", "mcs_num_cats=1024"] + +if sys.argv[6] == "mls": + m4param = ["-D", "enable_mls"] + m4param +else: + m4param = ["-D", "enable_mcs"] + m4param + +SHAREDIR = "/usr/share/selinux" +HEADERDIR = os.path.join(SHAREDIR, "devel/include") + +m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR))) +header_layers = glob.glob("{}/*/".format(HEADERDIR)) +header_layers = sorted([x for x in header_layers + if os.path.join(HEADERDIR, "support") not in x]) + +header_interfaces = [] +for layer in header_layers: + header_interfaces.extend(glob.glob("{}/*.if".format(layer))) +header_interfaces.sort() + +# prepare temp folder +try: + os.makedirs(sys.argv[5]) +except 
Exception: + pass + +# remove old trash from the temp folder +tmpfiles = ["{}.{}".format(module_name, ext) + for ext in ["mod", "mod.fc", "tmp"]] +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles: + try: + os.remove(os.path.join(sys.argv[5], name)) + except Exception: + pass + +# tmp/all_interfaces.conf +# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file: + file.write("ifdef(`__if_error',`m4exit(1)')\n") + +# echo "divert(-1)" > $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file: + int_file.write("divert(-1)\n") + +# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 +# | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format( + " ".join([*m4support, *header_interfaces, sys.argv[2], + os.path.join(sys.argv[5], "iferror.m4")]), + os.path.join(sys.argv[5], "all_interfaces.conf")), + shell=True, check=True) + +# doesn't work properly without "shell=True" +# m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2], +# os.path.join(sys.argv[5], "iferror.m4")], +# stdout=PIPE, stderr=PIPE) +# sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"], +# stdin=m4_process.stdout, stdout=int_file) +# outs, errs = m4_process.communicate() + +# echo "divert" >> $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file: + file.write("divert\n") + +# tmp/%.mod +# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "w") as tmp_file: + subprocess.run(["m4", *m4param, "-s", *m4support, + os.path.join(sys.argv[5], "all_interfaces.conf"), + sys.argv[1]], stdout=tmp_file, check=True) + +# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +subprocess.run(["/usr/bin/checkmodule", + "-M", + "-m", + 
os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "-o", + os.path.join(sys.argv[5], "{}.mod".format(module_name))], + check=True) + + +# tmp/%.mod.fc +# m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +with open(os.path.join(sys.argv[5], + "{}.mod.fc".format(module_name)), "w") as mod_fc_file: + subprocess.run(["m4", *m4param, *m4support, sys.argv[3]], + stdout=mod_fc_file, check=True) + +# %.pp +# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod +# -f $5/$MODULE_NAME.mod.fc +subprocess.run(["/usr/bin/semodule_package", + "-o", + sys.argv[4], + "-m", + os.path.join(sys.argv[5], "{}.mod".format(module_name)), + "-f", + os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))], + check=True) diff --git a/src/security/selinux/mcs/meson.build b/src/security/selinux/mcs/meson.build new file mode 100644 index 0000000000..419253f151 --- /dev/null +++ b/src/security/selinux/mcs/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# targeted/minimum policy module +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mcs/tmp', 'mcs'], + install : false) + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages') diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build new file mode 100644 index 0000000000..c8eec463d2 --- /dev/null +++ b/src/security/selinux/meson.build @@ -0,0 +1,7 @@ +set_variable('compile_policy_prog', find_program('compile_policy.py')) +set_variable('bzip2_prog', find_program('bzip2')) + +install_data('virt.if', install_dir : 'share/selinux/devel/include/contrib') + +subdir('mcs') +subdir('mls') 
diff --git a/src/security/selinux/mls/meson.build b/src/security/selinux/mls/meson.build new file mode 100644 index 0000000000..20bab41fea --- /dev/null +++ b/src/security/selinux/mls/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# MLS policy module +virt_pp_mls = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'], + install : false) + +bzip_mls = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp_mls, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/mls') -- 2.30.2
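Review bot: in the `%triggerun -n %{name}-daemon-selinux -- selinux-policy-minimum` hunk the second call, `/usr/sbin/semodule -n -d %{modulename} || :`, is missing `-s minimum`, so it acts on whatever store /etc/selinux/config names rather than on the minimum store. On a host running `targeted` that also has selinux-policy-minimum installed, removing either package would therefore disable the `virt` module in the active targeted policy at the next policy load. It should read `/usr/sbin/semodule -n -s minimum -d %{modulename} || :`, matching the `-s minimum -e %{modulename}` in the corresponding `%triggerin`.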
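Review bot: in the src/security/meson.build hunk, deciding whether to build the policy by grepping the build host's /etc/os-release at configure time cannot be overridden and follows the container rather than the intended target; the later Dockerfile patch has to add selinux-policy-devel even to the mingw cross images for exactly this reason. A meson feature option (for example `selinux_policy`, auto/enabled/disabled, mirroring how `WITH_APPARMOR_PROFILES` is consulted a few lines above) would be the usual approach, with the spec passing it explicitly from `%{with_selinux}`. Two smaller points in the same hunk: `os_version` is set to the integer `0` in the else branch, but `version_compare()` is a string method, so that fallback would fail at configure time rather than quietly disable the subdir; and the grep output keeps its trailing newline and, for quoted entries such as `VERSION_ID="8.3"`, the quotes, so `.strip()` / `.strip('"')` and `check: true` on `run_command` would make the comparison reliable.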
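Review bot: compile_policy.py hands every `*.if` found under /usr/share/selinux/devel/include/*/ to m4 and then appends the module's own `sys.argv[2]`; when selinux-policy-devel already ships a contrib/virt.if, both files define the same interface names, which is consistent with the `../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112` messages reported later in the thread (different line numbers, so two different files). Skipping an installed header whose basename equals the module's .if (`os.path.basename(x) != os.path.basename(sys.argv[2])` when building `header_interfaces`) avoids that collision while the policy is still carried in both packages. Separately, the `m4 ... | sed -e s/dollarsstar/\$\$\*/g >> ...` step is assembled with `shell=True` from unquoted paths via `" ".join(...)`, so a build directory containing spaces or shell metacharacters breaks it; running m4 with `stdout=subprocess.PIPE, check=True` and replacing `dollarsstar` with `$$*` using `str.replace` in Python removes both the shell and the sed dependency, and sidesteps whatever made the commented-out Popen variant misbehave. Finally, `exit(os.EX_USAGE)` should be `sys.exit(os.EX_USAGE)`; the bare `exit` is a site-module convenience that is not guaranteed to exist when the script is run non-interactively.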

Temporary commit for testing purposes. The change needs to be done in https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/a... Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- ci/containers/centos-8.Dockerfile | 1 + ci/containers/centos-stream.Dockerfile | 1 + ci/containers/fedora-32.Dockerfile | 1 + ci/containers/fedora-33.Dockerfile | 1 + ci/containers/fedora-rawhide-cross-mingw32.Dockerfile | 1 + ci/containers/fedora-rawhide-cross-mingw64.Dockerfile | 1 + ci/containers/fedora-rawhide.Dockerfile | 1 + 7 files changed, 7 insertions(+) diff --git a/ci/containers/centos-8.Dockerfile b/ci/containers/centos-8.Dockerfile index 0c7292b8d2..927324e7ea 100644 --- a/ci/containers/centos-8.Dockerfile +++ b/ci/containers/centos-8.Dockerfile @@ -88,6 +88,7 @@ RUN dnf update -y && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/centos-stream.Dockerfile b/ci/containers/centos-stream.Dockerfile index 3bc66775eb..b15bd3756e 100644 --- a/ci/containers/centos-stream.Dockerfile +++ b/ci/containers/centos-stream.Dockerfile @@ -90,6 +90,7 @@ RUN dnf install -y centos-release-stream && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/fedora-32.Dockerfile b/ci/containers/fedora-32.Dockerfile index 9b06bcbac5..f97e7bdf3a 100644 --- a/ci/containers/fedora-32.Dockerfile +++ b/ci/containers/fedora-32.Dockerfile @@ -93,6 +93,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/fedora-33.Dockerfile b/ci/containers/fedora-33.Dockerfile index 2885eafbb0..9c88ae58e0 100644 --- a/ci/containers/fedora-33.Dockerfile +++ b/ci/containers/fedora-33.Dockerfile 
@@ -93,6 +93,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile index 139e0b145c..845a0cb0d5 100644 --- a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile +++ b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile @@ -58,6 +58,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile index b24049f879..0b79bd6c35 100644 --- a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile +++ b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile @@ -58,6 +58,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/fedora-rawhide.Dockerfile b/ci/containers/fedora-rawhide.Dockerfile index 1f0abb7288..ac9ef22212 100644 --- a/ci/containers/fedora-rawhide.Dockerfile +++ b/ci/containers/fedora-rawhide.Dockerfile @@ -94,6 +94,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ -- 2.30.2
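Review bot: `selinux-policy-devel` is added to the fedora-rawhide-cross-mingw32 and fedora-rawhide-cross-mingw64 images as well, although a Windows cross build has no SELinux policy to ship; the package is only needed there because src/security/meson.build enables the policy build from the build host's /etc/os-release. If the policy build is gated on a meson option instead, these two hunks can be dropped, and, as the commit message itself says, the remaining changes belong in lcitool's package mappings rather than in the generated Dockerfiles.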

On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
From: Nikola Knazekova <nknazeko@redhat.com>
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 64 ++ selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 4245 insertions(+) create mode 100644 selinux/virt.fc create mode 100644 selinux/virt.if create mode 100644 selinux/virt.te
I was expecting to see the /etc/selinux/targeted/contexts/ files that belong to the virt policy included as well. Also, do we need to make the virt.if file be part of one of the RPMs ? flatpak-selinux includes its .if file.
diff --git a/libvirt.spec.in b/libvirt.spec.in index f9af330186..9cbdb2c513 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,13 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename virt +%endif + %define min_rhel 7 %define min_fedora 31
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-client = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release}
+%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-base) +%endif
This is in the main "libvirt" package which is just an empty shim. I think we'll need it in the "libvirt-daemon" package instead to start off with.
+%if 0%{?with_selinux} +# SELinux subpackage +%package selinux
s/selinux/daemon-selinux/ since it's only used by the daemons.
+Summary: Libvirt SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +SELinux policy module for libvirt. +%endif
diff --git a/selinux/virt.te b/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/selinux/virt.te @@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0)
Is there some include file syntax we can use with this so that we can split it up. I'm not asking you to split it, but I'll later want to make it have one file for each daemon and a few files for the common pieces, to make this easier to manage. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
From: Nikola Knazekova <nknazeko@redhat.com>
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 64 ++ selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 4245 insertions(+) create mode 100644 selinux/virt.fc create mode 100644 selinux/virt.if create mode 100644 selinux/virt.te
I was expecting to see the /etc/selinux/targeted/contexts/ files that belong to the virt policy included as well.
Those are compiled from the whole policy and would not be created without the corresponding selinux-policy-* package.
Also, do we need to make the virt.if file be part of one of the RPMs ? flatpak-selinux includes its .if file.
Yes, good point. We had some issues shipping custom interface files on rhel 8, but those have been resolved (and yours doesn't contain ifndefs, which was the culprit).
diff --git a/libvirt.spec.in b/libvirt.spec.in index f9af330186..9cbdb2c513 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,13 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename virt +%endif + %define min_rhel 7 %define min_fedora 31
@@ -256,6 +263,12 @@ Requires: libvirt-daemon-driver-nodedev = %{version}-%{release} Requires: libvirt-client = %{version}-%{release} Requires: libvirt-libs = %{version}-%{release}
+%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-selinux if selinux-policy-base) +%endif
This is in the main "libvirt" package which is just an empty shim. I think we'll need it in the "libvirt-daemon" package instead to start off with.
Thanks, moved.
+%if 0%{?with_selinux} +# SELinux subpackage +%package selinux
s/selinux/daemon-selinux/ since it's only used by the daemons.
Updated.
+Summary: Libvirt SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +SELinux policy module for libvirt. +%endif
diff --git a/selinux/virt.te b/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/selinux/virt.te @@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0)
Is there some include file syntax we can use with this so that we can split it up. I'm not asking you to split it, but I'll later want to make it have one file for each daemon and a few files for the common pieces, to make this easier to manage.
I'm not aware of any include syntax other than .if files. In theory you could use multiple interface files, each containing an interface covering a single daemon. All of those interfaces would then be "called" from virt.te.
Other than that you'd need to have multiple policy modules in order to use multiple .te files.
Regards, Daniel

On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
From: Nikola Knazekova <nknazeko@redhat.com>
SELinux policy was created for:
Hypervisor drivers:
- virtqemud (QEMU/KVM)
- virtlxcd (LXC)
- virtvboxd (VirtualBox)
Secondary drivers:
- virtstoraged (host storage mgmt)
- virtnetworkd (virtual network mgmt)
- virtinterface (network interface mgmt)
- virtnodedevd (physical device mgmt)
- virtsecretd (security credential mgmt)
- virtnwfilterd (ip[6]tables/ebtables mgmt)
- virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 64 ++ selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 4245 insertions(+) create mode 100644 selinux/virt.fc create mode 100644 selinux/virt.if create mode 100644 selinux/virt.te
I was expecting to see the /etc/selinux/targeted/contexts/ files that belong to the virt policy included as well.
Those are compiled from the whole policy and would not be created without the corresponding selinux-policy-* package.
AFAICT, these are not compiled at all, they're just static data files in git: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appconf... They're referring to contexts that are defined in the virt.if policy, so I'd expect the static data files to live with libvirt.git, so that we can add to them at a later time if we modify virt.if.
diff --git a/selinux/virt.te b/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/selinux/virt.te @@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0)
Is there some include file syntax we can use with this so that we can split it up. I'm not asking you to split it, but I'll later want to make it have one file for each daemon and a few files for the common pieces, to make this easier to manage.
I'm not aware of any include syntax other than .if files. In theory you could use multiple interface files, each containing an interface covering a single daemon. All of those interfaces would then be "called" from virt.te.
Other than that you'd need to have multiple policy modules in order to use multiple .te files.
Or probably easiest if we just pre-process the files ourselves to combine them.
Regards, Daniel
-- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
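The pre-processing step Daniel proposes above (one .te fragment per daemon in git, a single policy module handed to checkmodule) could look like the script below. This is an added example written for this page, not libvirt code and not something posted in the thread; the fragment names (common.te, virtqemud.te, virtstoraged.te) and their policy text are constructed for illustration, and the two checks it performs, exactly one policy_module() header and no type or attribute declared in two fragments, are choices made here rather than anything the thread specifies.

```python
#!/usr/bin/env python3
"""Assemble one SELinux .te source from per-daemon fragments.

Added example (not libvirt's code): concatenates fragments that carry no
policy_module() header under a single generated header, and refuses input
that checkmodule would reject later (a second policy_module() line, or the
same type/attribute declared in two fragments).
"""
import re
import sys
from typing import Dict, List

# A fragment must not start its own module.
POLICY_MODULE_RE = re.compile(r"^\s*policy_module\s*\(")
# "type foo_t;", "type foo_t, attr;", "type foo_t alias bar_t;" all declare foo_t.
# "typeattribute"/"typealias" do not match because \s+ needs a blank after "type".
TYPE_DECL_RE = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\b")
ATTR_DECL_RE = re.compile(r"^\s*attribute\s+([A-Za-z0-9_]+)\s*;")


class AssemblyError(ValueError):
    pass


def declared_types(fragment: str) -> List[str]:
    """Names of types and attributes declared (not merely used) in a fragment."""
    names = []
    for line in fragment.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = TYPE_DECL_RE.match(line) or ATTR_DECL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def assembly_problems(fragments: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; empty means safe to assemble."""
    problems, seen = [], {}
    for name, text in fragments.items():
        if any(POLICY_MODULE_RE.match(l) for l in text.splitlines()):
            problems.append(f"{name}: carries its own policy_module() header")
        for t in declared_types(text):
            if t in seen:
                problems.append(f"{name}: {t} already declared in {seen[t]}")
            else:
                seen[t] = name
    return problems


def assemble_te(module: str, version: str, fragments: Dict[str, str]) -> str:
    """Combine ordered {filename: text} fragments into one .te module source."""
    problems = assembly_problems(fragments)
    if problems:
        raise AssemblyError("; ".join(problems))
    parts = [f"policy_module({module}, {version})", ""]
    for name, text in fragments.items():
        parts += [f"######## begin {name}", text.rstrip("\n"), f"######## end {name}", ""]
    return "\n".join(parts)


# Constructed sample fragments; the daemon names follow the thread, the rules do not
# come from libvirt's real policy.
SAMPLE_FRAGMENTS = {
    "common.te": "\n".join([
        "attribute virt_daemon_domain;",
        "type virt_etc_t;",
        "files_config_file(virt_etc_t)",
    ]),
    "virtqemud.te": "\n".join([
        "type virtqemud_t, virt_daemon_domain;",
        "type virtqemud_exec_t;",
        "init_daemon_domain(virtqemud_t, virtqemud_exec_t)",
        "allow virtqemud_t virt_etc_t:file read_file_perms;",
    ]),
    "virtstoraged.te": "\n".join([
        "type virtstoraged_t, virt_daemon_domain;",
        "type virtstoraged_exec_t;",
        "init_daemon_domain(virtstoraged_t, virtstoraged_exec_t)",
    ]),
}


if __name__ == "__main__":
    # Usage: assemble_te.py <module> <version> fragment.te [fragment.te ...]
    if len(sys.argv) < 4:
        sys.exit("usage: assemble_te.py <module> <version> fragment.te ...")
    frags = {p: open(p, encoding="utf-8").read() for p in sys.argv[3:]}
    try:
        sys.stdout.write(assemble_te(sys.argv[1], sys.argv[2], frags))
    except AssemblyError as err:
        sys.exit(f"refusing to assemble: {err}")
```

Fragment order is the order on the command line, so the file declaring shared types and attributes has to come first, as in the sample. The same concatenation works for per-daemon .fc fragments; the .if file needs no header check because it is already a flat list of interfaces.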

On 4/28/21 11:29 AM, Daniel P. Berrangé wrote:
On Wed, Apr 28, 2021 at 10:48:09AM +0200, Vit Mojzis wrote:
From: Nikola Knazekova <nknazeko@redhat.com>
SELinux policy was created for:
Hypervisor drivers: - virtqemud (QEMU/KVM) - virtlxcd (LXC) - virtvboxd (VirtualBox)
Secondary drivers: - virtstoraged (host storage mgmt) - virtnetworkd (virtual network mgmt) - virtinterface (network interface mgmt) - virtnodedevd (physical device mgmt) - virtsecretd (security credential mgmt) - virtnwfilterd (ip[6]tables/ebtables mgmt) - virtproxyd (proxy daemon)
SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made.
On 4/26/21 7:39 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 07:08:34AM -0700, Vit Mojzis wrote:
Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- libvirt.spec.in | 64 ++ selinux/virt.fc | 111 +++ selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++++++++++++++ selinux/virt.te | 2086 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 4245 insertions(+) create mode 100644 selinux/virt.fc create mode 100644 selinux/virt.if create mode 100644 selinux/virt.te
I was expecting to see the /etc/selinux/targeted/contexts/ files that belong to the virt policy included as well.
Those are compiled from the whole policy and would not be created without the corresponding selinux-policy-* package.
AFAICT, these are not compiled at all, they're just static data files in git:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/config/appconf...
They're referring to contexts that are defined in the virt.if policy, so I'd expect the static data files to live with libvirt.git, so that we can add to them at a later time if we modify virt.if.
Oh, yes, correct. Those are basically config files.
Not sure how to handle the transfer though. It would be best to have a period when the policy and all related files are in both selinux-policy-* and libvirt-daemon-selinux packages, but that would present a conflict for these files.
diff --git a/selinux/virt.te b/selinux/virt.te new file mode 100644 index 0000000000..59dedb8754 --- /dev/null +++ b/selinux/virt.te @@ -0,0 +1,2086 @@ +policy_module(virt, 1.5.0)
Is there some include file syntax we can use with this so that we can split it up. I'm not asking you to split it, but I'll later want to make it have one file for each daemon and a few files for the common pieces, to make this easier to manage.
I'm not aware of any include syntax other than .if files. In theory you could use multiple interface files, each containing an interface covering a single daemon. All of those interfaces would then be "called" from virt.te.
Other than that you'd need to have multiple policy modules in order to use multiple .te files.
Or probably easiest if we just pre-process the files ourselves to combine them.
+1
Regards, Daniel

On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
Running a build with this series causes a tonne of warning messages on the console:
[1310/1319] Generating virt.pp with a custom command /usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13. /usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40. /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61. /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80. /usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98. /usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117. /usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136. /usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155. /usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176. /usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197. /usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218. /usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238.
/usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256. /usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275. /usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295. /usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314. /usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332. /usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368. /usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386. /usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405. /usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430. /usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449. /usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467. /usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485. /usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549. 
/usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original definition on 570. /usr/share/selinux/devel/include/services/container.if:591: Error: duplicate definition of container_admin(). Original definition on 591. /usr/share/selinux/devel/include/services/container.if:638: Error: duplicate definition of container_auth_domtrans(). Original definition on 638. /usr/share/selinux/devel/include/services/container.if:657: Error: duplicate definition of container_auth_exec(). Original definition on 657. /usr/share/selinux/devel/include/services/container.if:676: Error: duplicate definition of container_auth_stream_connect(). Original definition on 676. /usr/share/selinux/devel/include/services/container.if:695: Error: duplicate definition of container_runtime_typebounds(). Original definition on 695. /usr/share/selinux/devel/include/services/container.if:714: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 714. /usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_exec_lib(). Original definition on 721. /usr/share/selinux/devel/include/services/container.if:725: Error: duplicate definition of docker_read_share_files(). Original definition on 725. /usr/share/selinux/devel/include/services/container.if:729: Error: duplicate definition of docker_exec_share_files(). Original definition on 729. /usr/share/selinux/devel/include/services/container.if:733: Error: duplicate definition of docker_manage_lib_files(). Original definition on 733. /usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 738. /usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_lib_filetrans(). Original definition on 742. 
/usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_read_pid_files(). Original definition on 746. /usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_systemctl(). Original definition on 750. /usr/share/selinux/devel/include/services/container.if:754: Error: duplicate definition of docker_use_ptys(). Original definition on 754. /usr/share/selinux/devel/include/services/container.if:758: Error: duplicate definition of docker_stream_connect(). Original definition on 758. /usr/share/selinux/devel/include/services/container.if:762: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 762. /usr/share/selinux/devel/include/services/container.if:776: Error: duplicate definition of container_spc_read_state(). Original definition on 776. /usr/share/selinux/devel/include/services/container.if:795: Error: duplicate definition of container_runtime_domain_template(). Original definition on 795. /usr/share/selinux/devel/include/services/container.if:833: Error: duplicate definition of container_domain_template(). Original definition on 833. /usr/share/selinux/devel/include/services/container.if:861: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 861. ../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13. ../selinux/virt.if:29: Error: duplicate definition of virt_stub_svirt_sandbox_domain(). Original definition on 29. ../selinux/virt.if:45: Error: duplicate definition of virt_stub_container_image(). Original definition on 45. ../selinux/virt.if:51: Error: duplicate definition of virt_stub_svirt_sandbox_file(). Original definition on 51. ../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69. ../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112. 
../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134. ../selinux/virt.if:248: Error: duplicate definition of virt_domtrans(). Original definition on 152. ../selinux/virt.if:266: Error: duplicate definition of virt_exec(). Original definition on 170. ../selinux/virt.if:286: Error: duplicate definition of virt_stream_connect(). Original definition on 205. ../selinux/virt.if:328: Error: duplicate definition of virt_stream_connect_svirt(). Original definition on 224. ../selinux/virt.if:348: Error: duplicate definition of virt_rw_stream_sockets_svirt(). Original definition on 244. ../selinux/virt.if:366: Error: duplicate definition of virt_attach_tun_iface(). Original definition on 262. ../selinux/virt.if:387: Error: duplicate definition of virt_attach_sandbox_tun_iface(). Original definition on 281. ../selinux/virt.if:406: Error: duplicate definition of virt_read_config(). Original definition on 300. ../selinux/virt.if:427: Error: duplicate definition of virt_manage_config(). Original definition on 321. ../selinux/virt.if:448: Error: duplicate definition of virt_getattr_content(). Original definition on 342. ../selinux/virt.if:466: Error: duplicate definition of virt_read_content(). Original definition on 360. ../selinux/virt.if:504: Error: duplicate definition of virt_write_content(). Original definition on 398. ../selinux/virt.if:522: Error: duplicate definition of virt_read_pid_symlinks(). Original definition on 416. ../selinux/virt.if:543: Error: duplicate definition of virt_read_pid_files(). Original definition on 435. ../selinux/virt.if:566: Error: duplicate definition of virt_manage_pid_dirs(). Original definition on 455. ../selinux/virt.if:590: Error: duplicate definition of virt_manage_pid_files(). Original definition on 477. ../selinux/virt.if:630: Error: duplicate definition of virt_pid_filetrans(). Original definition on 515. ../selinux/virt.if:650: Error: duplicate definition of virt_search_lib(). 
Original definition on 533. ../selinux/virt.if:669: Error: duplicate definition of virt_read_lib_files(). Original definition on 552. ../selinux/virt.if:690: Error: duplicate definition of virt_dontaudit_read_lib_files(). Original definition on 573. ../selinux/virt.if:709: Error: duplicate definition of virt_manage_lib_files(). Original definition on 592. ../selinux/virt.if:729: Error: duplicate definition of virt_read_log(). Original definition on 612. ../selinux/virt.if:749: Error: duplicate definition of virt_append_log(). Original definition on 632. ../selinux/virt.if:768: Error: duplicate definition of virt_manage_log(). Original definition on 651. ../selinux/virt.if:788: Error: duplicate definition of virt_getattr_images(). Original definition on 671. ../selinux/virt.if:807: Error: duplicate definition of virt_search_images(). Original definition on 690. ../selinux/virt.if:826: Error: duplicate definition of virt_read_images(). Original definition on 709. ../selinux/virt.if:863: Error: duplicate definition of virt_read_blk_images(). Original definition on 746. ../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files(). Original definition on 764. ../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache(). Original definition on 783. ../selinux/virt.if:921: Error: duplicate definition of virt_manage_images(). Original definition on 804. ../selinux/virt.if:946: Error: duplicate definition of virt_manage_default_image_type(). Original definition on 829. ../selinux/virt.if:986: Error: duplicate definition of virt_systemctl(). Original definition on 851. ../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace(). Original definition on 875. ../selinux/virt.if:1028: Error: duplicate definition of virt_exec_sandbox_files(). Original definition on 893. ../selinux/virt.if:1047: Error: duplicate definition of virt_sandbox_entrypoint(). Original definition on 912. 
../selinux/virt.if:1064: Error: duplicate definition of virt_list_sandbox_dirs(). Original definition on 929. ../selinux/virt.if:1082: Error: duplicate definition of virt_read_sandbox_files(). Original definition on 947. ../selinux/virt.if:1102: Error: duplicate definition of virt_manage_sandbox_files(). Original definition on 967. ../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990. ../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008. ../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026. ../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044. ../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072. ../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106. ../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125. ../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143. ../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161. ../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179. ../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197. ../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215. ../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233. ../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253. ../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272. 
../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291. ../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321. ../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). Original definition on 1340. ../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372. ../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390. ../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409. ../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427. ../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455. ../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480. ../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498. ../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516. ../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534. ../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552. ../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577. ../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622. ../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642. ../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678. ../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696. 
../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716. ../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
Running a build with this series causes a tonne of warning messages on the console:
[1310/1319] Generating virt.pp with a custom command /usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13. /usr/share/selinux/devel/include/services/container.if:40: Error: duplicate definition of container_runtime_run(). Original definition on 40. /usr/share/selinux/devel/include/services/container.if:61: Error: duplicate definition of container_runtime_exec(). Original definition on 61. /usr/share/selinux/devel/include/services/container.if:80: Error: duplicate definition of container_read_state(). Original definition on 80. /usr/share/selinux/devel/include/services/container.if:98: Error: duplicate definition of container_search_lib(). Original definition on 98. /usr/share/selinux/devel/include/services/container.if:117: Error: duplicate definition of container_exec_lib(). Original definition on 117. /usr/share/selinux/devel/include/services/container.if:136: Error: duplicate definition of container_read_lib_files(). Original definition on 136. /usr/share/selinux/devel/include/services/container.if:155: Error: duplicate definition of container_read_share_files(). Original definition on 155. /usr/share/selinux/devel/include/services/container.if:176: Error: duplicate definition of container_runtime_read_tmpfs_files(). Original definition on 176. /usr/share/selinux/devel/include/services/container.if:197: Error: duplicate definition of container_manage_share_files(). Original definition on 197. /usr/share/selinux/devel/include/services/container.if:218: Error: duplicate definition of container_manage_share_dirs(). Original definition on 218. /usr/share/selinux/devel/include/services/container.if:238: Error: duplicate definition of container_exec_share_files(). Original definition on 238. /usr/share/selinux/devel/include/services/container.if:256: Error: duplicate definition of container_manage_config_files(). Original definition on 256. 
/usr/share/selinux/devel/include/services/container.if:275: Error: duplicate definition of container_manage_lib_files(). Original definition on 275. /usr/share/selinux/devel/include/services/container.if:295: Error: duplicate definition of container_manage_files(). Original definition on 295. /usr/share/selinux/devel/include/services/container.if:314: Error: duplicate definition of container_manage_dirs(). Original definition on 314. /usr/share/selinux/devel/include/services/container.if:332: Error: duplicate definition of container_manage_lib_dirs(). Original definition on 332. /usr/share/selinux/devel/include/services/container.if:368: Error: duplicate definition of container_lib_filetrans(). Original definition on 368. /usr/share/selinux/devel/include/services/container.if:386: Error: duplicate definition of container_read_pid_files(). Original definition on 386. /usr/share/selinux/devel/include/services/container.if:405: Error: duplicate definition of container_systemctl(). Original definition on 405. /usr/share/selinux/devel/include/services/container.if:430: Error: duplicate definition of container_rw_sem(). Original definition on 430. /usr/share/selinux/devel/include/services/container.if:449: Error: duplicate definition of container_append_file(). Original definition on 449. /usr/share/selinux/devel/include/services/container.if:467: Error: duplicate definition of container_use_ptys(). Original definition on 467. /usr/share/selinux/devel/include/services/container.if:485: Error: duplicate definition of container_filetrans_named_content(). Original definition on 485. /usr/share/selinux/devel/include/services/container.if:549: Error: duplicate definition of container_stream_connect(). Original definition on 549. /usr/share/selinux/devel/include/services/container.if:570: Error: duplicate definition of container_spc_stream_connect(). Original definition on 570. 
/usr/share/selinux/devel/include/services/container.if:591: Error: duplicate definition of container_admin(). Original definition on 591. /usr/share/selinux/devel/include/services/container.if:638: Error: duplicate definition of container_auth_domtrans(). Original definition on 638. /usr/share/selinux/devel/include/services/container.if:657: Error: duplicate definition of container_auth_exec(). Original definition on 657. /usr/share/selinux/devel/include/services/container.if:676: Error: duplicate definition of container_auth_stream_connect(). Original definition on 676. /usr/share/selinux/devel/include/services/container.if:695: Error: duplicate definition of container_runtime_typebounds(). Original definition on 695. /usr/share/selinux/devel/include/services/container.if:714: Error: duplicate definition of container_runtime_entrypoint(). Original definition on 714. /usr/share/selinux/devel/include/services/container.if:721: Error: duplicate definition of docker_exec_lib(). Original definition on 721. /usr/share/selinux/devel/include/services/container.if:725: Error: duplicate definition of docker_read_share_files(). Original definition on 725. /usr/share/selinux/devel/include/services/container.if:729: Error: duplicate definition of docker_exec_share_files(). Original definition on 729. /usr/share/selinux/devel/include/services/container.if:733: Error: duplicate definition of docker_manage_lib_files(). Original definition on 733. /usr/share/selinux/devel/include/services/container.if:738: Error: duplicate definition of docker_manage_lib_dirs(). Original definition on 738. /usr/share/selinux/devel/include/services/container.if:742: Error: duplicate definition of docker_lib_filetrans(). Original definition on 742. /usr/share/selinux/devel/include/services/container.if:746: Error: duplicate definition of docker_read_pid_files(). Original definition on 746. /usr/share/selinux/devel/include/services/container.if:750: Error: duplicate definition of docker_systemctl(). 
Original definition on 750. /usr/share/selinux/devel/include/services/container.if:754: Error: duplicate definition of docker_use_ptys(). Original definition on 754. /usr/share/selinux/devel/include/services/container.if:758: Error: duplicate definition of docker_stream_connect(). Original definition on 758. /usr/share/selinux/devel/include/services/container.if:762: Error: duplicate definition of docker_spc_stream_connect(). Original definition on 762. /usr/share/selinux/devel/include/services/container.if:776: Error: duplicate definition of container_spc_read_state(). Original definition on 776. /usr/share/selinux/devel/include/services/container.if:795: Error: duplicate definition of container_runtime_domain_template(). Original definition on 795. /usr/share/selinux/devel/include/services/container.if:833: Error: duplicate definition of container_domain_template(). Original definition on 833. /usr/share/selinux/devel/include/services/container.if:861: Error: duplicate definition of container_spc_rw_pipes(). Original definition on 861. ../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13. ../selinux/virt.if:29: Error: duplicate definition of virt_stub_svirt_sandbox_domain(). Original definition on 29. ../selinux/virt.if:45: Error: duplicate definition of virt_stub_container_image(). Original definition on 45. ../selinux/virt.if:51: Error: duplicate definition of virt_stub_svirt_sandbox_file(). Original definition on 51. ../selinux/virt.if:69: Error: duplicate definition of virt_domain_template(). Original definition on 69. ../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112. ../selinux/virt.if:228: Error: duplicate definition of virt_getattr_exec(). Original definition on 134. ../selinux/virt.if:248: Error: duplicate definition of virt_domtrans(). Original definition on 152. ../selinux/virt.if:266: Error: duplicate definition of virt_exec(). Original definition on 170. 
../selinux/virt.if:286: Error: duplicate definition of virt_stream_connect(). Original definition on 205. ../selinux/virt.if:328: Error: duplicate definition of virt_stream_connect_svirt(). Original definition on 224. ../selinux/virt.if:348: Error: duplicate definition of virt_rw_stream_sockets_svirt(). Original definition on 244. ../selinux/virt.if:366: Error: duplicate definition of virt_attach_tun_iface(). Original definition on 262. ../selinux/virt.if:387: Error: duplicate definition of virt_attach_sandbox_tun_iface(). Original definition on 281. ../selinux/virt.if:406: Error: duplicate definition of virt_read_config(). Original definition on 300. ../selinux/virt.if:427: Error: duplicate definition of virt_manage_config(). Original definition on 321. ../selinux/virt.if:448: Error: duplicate definition of virt_getattr_content(). Original definition on 342. ../selinux/virt.if:466: Error: duplicate definition of virt_read_content(). Original definition on 360. ../selinux/virt.if:504: Error: duplicate definition of virt_write_content(). Original definition on 398. ../selinux/virt.if:522: Error: duplicate definition of virt_read_pid_symlinks(). Original definition on 416. ../selinux/virt.if:543: Error: duplicate definition of virt_read_pid_files(). Original definition on 435. ../selinux/virt.if:566: Error: duplicate definition of virt_manage_pid_dirs(). Original definition on 455. ../selinux/virt.if:590: Error: duplicate definition of virt_manage_pid_files(). Original definition on 477. ../selinux/virt.if:630: Error: duplicate definition of virt_pid_filetrans(). Original definition on 515. ../selinux/virt.if:650: Error: duplicate definition of virt_search_lib(). Original definition on 533. ../selinux/virt.if:669: Error: duplicate definition of virt_read_lib_files(). Original definition on 552. ../selinux/virt.if:690: Error: duplicate definition of virt_dontaudit_read_lib_files(). Original definition on 573. 
../selinux/virt.if:709: Error: duplicate definition of virt_manage_lib_files(). Original definition on 592. ../selinux/virt.if:729: Error: duplicate definition of virt_read_log(). Original definition on 612. ../selinux/virt.if:749: Error: duplicate definition of virt_append_log(). Original definition on 632. ../selinux/virt.if:768: Error: duplicate definition of virt_manage_log(). Original definition on 651. ../selinux/virt.if:788: Error: duplicate definition of virt_getattr_images(). Original definition on 671. ../selinux/virt.if:807: Error: duplicate definition of virt_search_images(). Original definition on 690. ../selinux/virt.if:826: Error: duplicate definition of virt_read_images(). Original definition on 709. ../selinux/virt.if:863: Error: duplicate definition of virt_read_blk_images(). Original definition on 746. ../selinux/virt.if:881: Error: duplicate definition of virt_rw_chr_files(). Original definition on 764. ../selinux/virt.if:900: Error: duplicate definition of virt_manage_cache(). Original definition on 783. ../selinux/virt.if:921: Error: duplicate definition of virt_manage_images(). Original definition on 804. ../selinux/virt.if:946: Error: duplicate definition of virt_manage_default_image_type(). Original definition on 829. ../selinux/virt.if:986: Error: duplicate definition of virt_systemctl(). Original definition on 851. ../selinux/virt.if:1010: Error: duplicate definition of virt_ptrace(). Original definition on 875. ../selinux/virt.if:1028: Error: duplicate definition of virt_exec_sandbox_files(). Original definition on 893. ../selinux/virt.if:1047: Error: duplicate definition of virt_sandbox_entrypoint(). Original definition on 912. ../selinux/virt.if:1064: Error: duplicate definition of virt_list_sandbox_dirs(). Original definition on 929. ../selinux/virt.if:1082: Error: duplicate definition of virt_read_sandbox_files(). Original definition on 947. ../selinux/virt.if:1102: Error: duplicate definition of virt_manage_sandbox_files(). 
Original definition on 967. ../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990. ../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008. ../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026. ../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044. ../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072. ../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106. ../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125. ../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143. ../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161. ../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179. ../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197. ../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215. ../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233. ../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253. ../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272. ../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291. ../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321. ../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). 
Original definition on 1340. ../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372. ../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390. ../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409. ../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427. ../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455. ../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480. ../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498. ../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516. ../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534. ../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552. ../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577. ../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622. ../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642. ../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678. ../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696. ../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716. ../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735.
Those are expected as long as there is still a virt.if interface file shipped by selinux-policy-* packages (we'll probably change the tone to Warning instead of Error in the future). Unfortunately they add up (you can see container-selinux messages as well). I can hide them in the compilation script if you prefer that.
Regards, Vit
Regards, Daniel
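One way to do the hiding Vit mentions without also hiding genuine build failures, as an added example (this is not code from the thread, from libvirt's spec file or from its policy compilation script): a small Python filter that recognises the duplicate-definition message format quoted above, suppresses it only for interface files known to be shipped twice (virt.if and container.if, an assumed allow-list a build maintainer would keep in the compilation script), and keeps every other error so the build still fails on them. The sample log below is constructed: three lines are copied from the output quoted above, the last one is made up to show a real error being kept.

```python
import re

# Format of the interface-duplicate message quoted in the thread, e.g.
#   ../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
DUP_RE = re.compile(
    r"^(?P<file>\S+):(?P<line>\d+): Error: duplicate definition of "
    r"(?P<iface>\w+)\(\)\. Original definition on (?P<orig>\d+)\.$"
)

# Interface files whose duplicate definitions are expected while the system
# selinux-policy package still ships its own copy. Assumed allow-list: anything
# not listed here is treated as a real error.
EXPECTED_DUP_FILES = {"virt.if", "container.if"}


def classify(lines):
    """Split build output into (expected duplicate interface names, unexpected error lines)."""
    expected, unexpected = [], []
    for raw in lines:
        line = raw.strip()
        m = DUP_RE.match(line)
        if m and m.group("file").rsplit("/", 1)[-1] in EXPECTED_DUP_FILES:
            # Known noise: only the basename of the interface file is compared,
            # so both /usr/share/selinux/devel/include/... and ../selinux/... match.
            expected.append(m.group("iface"))
        elif ": Error:" in line or line.startswith("Error:"):
            # Any other line labelled Error must still fail the build.
            unexpected.append(line)
    return expected, unexpected


def build_ok(lines):
    """True when the only errors in the output are the known interface duplicates."""
    return not classify(lines)[1]


# Constructed sample log: first four lines are taken from the output quoted in the
# thread, the last line is invented for this example.
SAMPLE_LOG = """\
[1310/1319] Generating virt.pp with a custom command
/usr/share/selinux/devel/include/services/container.if:13: Error: duplicate definition of container_runtime_domtrans(). Original definition on 13.
../selinux/virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original definition on 13.
../selinux/virt.if:206: Error: duplicate definition of virt_image(). Original definition on 112.
../selinux/virt.te:42: Error: unknown type example_t (constructed line)
""".splitlines()

if __name__ == "__main__":
    expected, unexpected = classify(SAMPLE_LOG)
    print(f"suppressed {len(expected)} expected duplicate-interface messages")
    for line in unexpected:
        print("ERROR:", line)
    raise SystemExit(0 if build_ok(SAMPLE_LOG) else 1)
```

In a real build the script would read the compiler's stderr instead of SAMPLE_LOG; the point of the allow-list is that a duplicate definition from any other file, or any other error class, is never silently dropped.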

On Wed, Apr 28, 2021 at 10:54:58AM +0200, Vit Mojzis wrote:
On 4/26/21 7:03 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
Running a build with this series causes a tonne of warning messages on the console:
Original definition on 967. ../selinux/virt.if:1125: Error: duplicate definition of virt_getattr_sandbox_filesystem(). Original definition on 990. ../selinux/virt.if:1143: Error: duplicate definition of virt_relabel_sandbox_filesystem(). Original definition on 1008. ../selinux/virt.if:1161: Error: duplicate definition of virt_mounton_sandbox_file(). Original definition on 1026. ../selinux/virt.if:1179: Error: duplicate definition of virt_stream_connect_sandbox(). Original definition on 1044. ../selinux/virt.if:1207: Error: duplicate definition of virt_transition_svirt(). Original definition on 1072. ../selinux/virt.if:1241: Error: duplicate definition of virt_dontaudit_write_pipes(). Original definition on 1106. ../selinux/virt.if:1260: Error: duplicate definition of virt_kill_svirt(). Original definition on 1125. ../selinux/virt.if:1278: Error: duplicate definition of virt_kill(). Original definition on 1143. ../selinux/virt.if:1298: Error: duplicate definition of virt_signal(). Original definition on 1161. ../selinux/virt.if:1318: Error: duplicate definition of virt_signull(). Original definition on 1179. ../selinux/virt.if:1338: Error: duplicate definition of virt_signal_svirt(). Original definition on 1197. ../selinux/virt.if:1356: Error: duplicate definition of virt_signal_sandbox(). Original definition on 1215. ../selinux/virt.if:1374: Error: duplicate definition of virt_manage_home_files(). Original definition on 1233. ../selinux/virt.if:1394: Error: duplicate definition of virt_read_tmpfs_files(). Original definition on 1253. ../selinux/virt.if:1413: Error: duplicate definition of virt_manage_tmpfs_files(). Original definition on 1272. ../selinux/virt.if:1432: Error: duplicate definition of virt_filetrans_home_content(). Original definition on 1291. ../selinux/virt.if:1462: Error: duplicate definition of virt_dontaudit_read_chr_dev(). Original definition on 1321. ../selinux/virt.if:1518: Error: duplicate definition of virt_sandbox_domain_template(). 
Original definition on 1340. ../selinux/virt.if:1550: Error: duplicate definition of virt_sandbox_domain(). Original definition on 1372. ../selinux/virt.if:1568: Error: duplicate definition of virt_sandbox_net_domain(). Original definition on 1390. ../selinux/virt.if:1605: Error: duplicate definition of virt_exec_qemu(). Original definition on 1409. ../selinux/virt.if:1623: Error: duplicate definition of virt_filetrans_named_content(). Original definition on 1427. ../selinux/virt.if:1651: Error: duplicate definition of virt_transition_svirt_sandbox(). Original definition on 1455. ../selinux/virt.if:1676: Error: duplicate definition of virt_sandbox_read_state(). Original definition on 1480. ../selinux/virt.if:1694: Error: duplicate definition of virt_rw_svirt_dev(). Original definition on 1498. ../selinux/virt.if:1712: Error: duplicate definition of virt_rw_svirt_image(). Original definition on 1516. ../selinux/virt.if:1730: Error: duplicate definition of virt_rlimitinh(). Original definition on 1534. ../selinux/virt.if:1748: Error: duplicate definition of virt_noatsecure(). Original definition on 1552. ../selinux/virt.if:1773: Error: duplicate definition of virt_admin(). Original definition on 1577. ../selinux/virt.if:1820: Error: duplicate definition of virt_default_capabilities(). Original definition on 1622. ../selinux/virt.if:1839: Error: duplicate definition of virt_dbus_chat(). Original definition on 1642. ../selinux/virt.if:1879: Error: duplicate definition of virt_sandbox_domtrans(). Original definition on 1678. ../selinux/virt.if:1897: Error: duplicate definition of virt_dontaudit_read_state(). Original definition on 1696. ../selinux/virt.if:1917: Error: duplicate definition of virt_dgram_send(). Original definition on 1716. ../selinux/virt.if:1956: Error: duplicate definition of virt_svirt_manage_tmp(). Original definition on 1735.
Those are expected as long as there is still a virt.if interface file shipped by selinux-policy-* packages (we'll probably change the tone to Warning instead of Error in the future). Unfortunately they add up (you can see container-selinux messages as well).
I can hide them in the compilation script if you prefer that.
Yes, we definitely need to hide these if they're going to happen every time any developer builds libvirt. We need to /not/ hide any other real error messages though. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

From: Nikola Knazekova <nknazeko@redhat.com> SELinux policy was created for: Hypervisor drivers: - virtqemud (QEMU/KVM) - virtlxcd (LXC) - virtvboxd (VirtualBox) Secondary drivers: - virtstoraged (host storage mgmt) - virtnetworkd (virtual network mgmt) - virtinterfaced (network interface mgmt) - virtnodedevd (physical device mgmt) - virtsecretd (security credential mgmt) - virtnwfilterd (ip[6]tables/ebtables mgmt) - virtproxyd (proxy daemon) SELinux policy for virtvzd and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made. Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- Changes: - Policy updated to work properly on MLS systems src/security/selinux/virt.fc | 111 ++ src/security/selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++ src/security/selinux/virt.te | 2090 ++++++++++++++++++++++++++++++++++ 3 files changed, 4185 insertions(+) create mode 100644 src/security/selinux/virt.fc create mode 100644 src/security/selinux/virt.if create mode 100644 src/security/selinux/virt.te diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc new file mode 100644 index 0000000000..554e1094d9 --- /dev/null +++ b/src/security/selinux/virt.fc
@@ -0,0 +1,111 @@ +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd 
-- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Avoid calling m4's "interface" by using en empty string +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) 
+/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) + +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/src/security/selinux/virt.if b/src/security/selinux/virt.if new file mode 100644 index 0000000000..7e92675750 --- /dev/null +++ b/src/security/selinux/virt.if 
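Review bot: `/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)` in the /var/log block of virt.fc looks like a stray entry: nothing else in this file refers to a /var/log/log path, the libvirt logs are already covered by the `/var/log/libvirt(/.*)?` line right below it, and as written it would relabel an unrelated directory tree as virt_log_t, so it should be dropped or corrected to the path that was meant. Two labels also need a confirming comment or a fix: `/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)` puts virtlockd into the virtlogd domain rather than one of its own, and `/usr/sbin/virtvzd` and `/usr/sbin/virtxend` are labelled virtvzd_exec_t and virtxend_exec_t although the commit message says these two drivers have no policy yet and run unconfined; virt.te must therefore still declare those exec types (a file context naming an undeclared type is rejected as an invalid context when the module is installed) and spell out how init is meant to run them. On the systemd lines, `/usr/lib/systemd/system/*virtlogd.*` has a leading `*` that is a quantifier on the preceding `/` rather than a glob, plus an unescaped `.` and no `--` file-type column, while the neighbouring entries use the `virt.*\.service --` form, so match that form. Finally, the comment "using en empty string" should read "an empty string".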
@@ -0,0 +1,1984 @@ +## <summary>Libvirt virtualization API</summary> + +######################################## +## <summary> +## virtd_lxc_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_lxc',` + gen_require(` + type virtd_lxc_t; + ') +') + +######################################## +## <summary> +## svirt_sandbox_domain attribute stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_svirt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') +') + +######################################## +## <summary> +## container_file_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_container_image',` + gen_require(` + type container_file_t; + ') +') + +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type container_file_t; + type container_ro_file_t; + ') +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_domain_template',` + gen_require(` + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; + type qemu_exec_t; + type virtlogd_t; + ') + + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + + kernel_read_system_state($1_t) + + auth_read_passwd($1_t) + + logging_send_syslog_msg($1_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) + + # Allow domain to write to pipes connected to virtlogd + allow $1_t virtlogd_t:fd use; + allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_etc_t; + type virt_etc_rw_t; + type virt_var_run_t; + ') + + type $1_t, virt_driver_domain; + + type $1_exec_t, virt_driver_executable; + init_daemon_domain($1_t, $1_exec_t) + + type $1_var_run_t, virt_driver_var_run; + files_pid_file($1_var_run_t) + + ################################## + # + # Local policy + # + + allow $1_t self:netlink_audit_socket create; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_t self:rawip_socket create_socket_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } ) + filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } ) + + read_files_pattern($1_t, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1_t) + + auth_read_passwd($1_t) + + dbus_read_pid_files($1_t) + dbus_stream_connect_system_dbusd($1_t) + + dev_read_sysfs($1_t) + + files_read_non_security_files($1_t) + init_read_utmp($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_generic_certs($1_t) + + virt_manage_cache($1_t) + 
virt_manage_pid_files($1_t) + virt_stream_connect($1_t) + + optional_policy(` + dbus_system_bus_client($1_t) + ') + + optional_policy(` + dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t) + ') + + optional_policy(` + systemd_dbus_chat_logind($1_t) + systemd_machined_stream_connect($1_t) + systemd_write_inhibit_pipes($1_t) + ') +') + +######################################## +## <summary> +## Make the specified type usable as a virt image +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virtual image +## </summary> +## </param> +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_getattr_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + allow $1 virtd_exec_t:file getattr; + allow $1 virt_driver_executable:file getattr; +') + +######################################## +## <summary> +## Execute a domain transition to run virt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +######################################## +## <summary> +## Execute virtd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + can_exec($1, virtd_exec_t) + can_exec($1, virt_driver_executable) +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_var_run; + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain) +') + +######################################## +## <summary> +## Read and write to virt_domain unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_virt_domain',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:unix_stream_socket { read write }; +') + + +####################################### +## <summary> +## Connect to svirt process over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_svirt',` + gen_require(` + type svirt_t; + type svirt_image_t; + ') + + stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) +') + +######################################## +## <summary> +## Read and write to apmd unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; +') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 virt_driver_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Allow domain to attach to virt sandbox TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_sandbox_tun_iface',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## manage virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + allow $1 virt_content_t:blk_file map; + allow $1 virt_content_t:file map; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to write virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## <summary> +## Read virt PID symlinks files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_symlinks',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Read virt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Manage virt pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_dirs',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) +') + +######################################## +## <summary> +## Manage virt pid files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) +') + +######################################## +## <summary> +## Create objects in the pid directory +## with a private type with a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`virt_pid_filetrans',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + filetrans_pattern($1, virt_driver_var_run, $2, $3, $4) +') + +######################################## +## <summary> +## Search virt lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Dontaudit inherited read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read virt's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## virt log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to manage virt log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to getattr virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to search virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow domain to read virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to read virt blk image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_blk_images',` + gen_require(` + attribute virt_image_type; + ') + + read_blk_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Allow domain to read/write virt image chr files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_chr_files',` + gen_require(` + attribute virt_image_type; + ') + + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Create, read, write, and delete +## svirt cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_cache',` + gen_require(` + type virt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +####################################### +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_default_image_type',` + gen_require(` + type virt_var_lib_t; + type virt_image_t; + ') + + virt_search_lib($1) + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') + +####################################### +## <summary> +## Get virtd services status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virtd_service_status',` + gen_require(` + type virtd_unit_file_t; + ') + + allow $1 virtd_unit_file_t:service status; +') + +######################################## +## <summary> +## Execute virt server in the virt domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_systemctl',` + gen_require(` + type virtd_unit_file_t; + type virtd_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) +') + +######################################## +## <summary> +## Ptrace the svirt domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_ptrace',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process ptrace; +') + +####################################### +## <summary> +## Execute Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + can_exec($1, svirt_file_type) +') + +######################################## +## <summary> +## Allow any svirt_file_type to be an entrypoint of this domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_sandbox_entrypoint',` + gen_require(` + attribute svirt_file_type; + ') + allow $1 svirt_file_type:file entrypoint; +') + +####################################### +## <summary> +## List Sandbox Dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_list_sandbox_dirs',` + gen_require(` + type svirt_sandbox_file_t; + ') + + list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + +####################################### +## <summary> +## Read Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + list_dirs_pattern($1, svirt_file_type, svirt_file_type) + read_files_pattern($1, svirt_file_type, svirt_file_type) + read_lnk_files_pattern($1, svirt_file_type, svirt_file_type) +') + +####################################### +## <summary> +## Manage Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + manage_dirs_pattern($1, svirt_file_type, svirt_file_type) + manage_files_pattern($1, svirt_file_type, svirt_file_type) + manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type) + manage_chr_files_pattern($1, svirt_file_type, svirt_file_type) + manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type) + allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Getattr Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem getattr; +') + +####################################### +## <summary> +## Relabel Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Mounton Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_mounton_sandbox_file',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:dir_file_class_set mounton; +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + attribute svirt_file_type; + ') + + files_search_pids($1) + stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt',` + gen_require(` + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; + ') + + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + + allow $1 virt_domain:process { sigkill signal signull sigstop }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + + optional_policy(` + ptchown_run(virt_domain, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to write virt daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + +######################################## +## <summary> +## Send a sigkill to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process sigkill; +') + +######################################## +## <summary> +## Send a sigkill to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process sigkill; + allow $1 virt_driver_domain:process sigkill; +') + +######################################## +## <summary> +## Send a signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signal; + allow $1 virt_driver_domain:process signal; +') + +######################################## +## <summary> +## Send null signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signull',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signull; + allow $1 virt_driver_domain:process signull; +') + +######################################## +## <summary> +## Send a signal to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_signal_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process signal; +') + +######################################## +## <summary> +## Send a signal to sandbox domains +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process signal; +') + +######################################## +## <summary> +## Manage virt home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_home_files',` + gen_require(` + type virt_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) +') + +######################################## +## <summary> +## allow domain to read +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file read_file_perms; +') + +######################################## +## <summary> +## allow domain to manage +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## <summary> +## Create .virt directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + type svirt_home_t; + ') + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + + optional_policy(` + gnome_config_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") + gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') +') + +######################################## +## <summary> +## Dontaudit attempts to Read virt_image_type devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_chr_dev',` + gen_require(` + attribute virt_image_type; + ') + + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Make the specified type usable as a virt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt file type +## </summary> +## </param> +# +interface(`virt_file_types',` + gen_require(` + attribute virt_file_type; + ') + + typeattribute $1 virt_file_type; +') + +######################################## +## <summary> +## Make the specified type usable as a svirt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a svirt file type +## </summary> +## </param> +# +interface(`svirt_file_types',` + gen_require(` + attribute svirt_file_type; + ') + + typeattribute $1 svirt_file_type; +') + + +######################################## +## <summary> +## Creates types and rules for a basic +## virt_lxc process domain. 
+## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + logging_send_syslog_msg($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + # optional_policy(` + # container_runtime_typebounds($1_t) + # ') +') + +######################################## +## <summary> +## Make the specified type usable as a lxc domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc domain +## </summary> +## </param> +# +template(`virt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + typeattribute $1 svirt_sandbox_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a lxc network domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc network domain +## </summary> +## </param> +# +template(`virt_sandbox_net_domain',` + gen_require(` + attribute sandbox_net_domain; + ') + + virt_sandbox_domain($1) + typeattribute $1 sandbox_net_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a virt system domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt system domain +## </summary> +## </param> +# +interface(`virt_system_domain_type',` + gen_require(` + attribute virt_system_domain; + ') + + typeattribute $1 virt_system_domain; +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Transition to virt named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_filetrans_named_content',` + gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; + ') + + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process { signal_perms transition }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + + allow svirt_sandbox_domain $1:fd use; + + allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read the process state of virt sandbox containers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_sandbox_read_state',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read and write to svirt_image devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_image',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rlimitinh',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { rlimitinh }; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_noatsecure',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { noatsecure rlimitinh }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an virt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`virt_admin',` + gen_require(` + attribute virt_domain; + attribute virt_system_domain; + attribute svirt_file_type; + attribute virt_file_type; + type virtd_initrc_exec_t; + type virtd_unit_file_t; + ') + + allow $1 virt_system_domain:process signal_perms; + allow $1 virt_domain:process signal_perms; + ps_process_pattern($1, virt_system_domain) + ps_process_pattern($1, virt_domain) + tunable_policy(`deny_ptrace',`',` + allow $1 virt_system_domain:process ptrace; + allow $1 virt_domain:process ptrace; + ') + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + allow $1 virt_domain:process signal_perms; + + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) + + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; + + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_default_capabilities',` + gen_require(` + attribute sandbox_caps_domain; + ') + + typeattribute $1 sandbox_caps_domain; +') + +######################################## +## <summary> +## Send and receive messages from +## virt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dbus_chat',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + class dbus send_msg; + ') + + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + allow $1 virt_driver_domain:dbus send_msg; + allow virt_driver_domain $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) + ps_process_pattern(virt_driver_domain, $1) +') + +######################################## +## <summary> +## Execute a file in a sandbox directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a sandbox directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`virt_sandbox_domtrans',` + gen_require(` + type container_file_t; + ') + + domtrans_pattern($1,container_file_t, $2) +') + +######################################## +## <summary> +## Dontaudit read the process state (/proc/pid) of libvirt +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_state',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; +') + +####################################### +## <summary> +## Send to libvirt with a unix dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dgram_send',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## <summary> +## Manage svirt home files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_home',` + gen_require(` + type svirt_home_t; + ') + + manage_files_pattern($1, svirt_home_t, svirt_home_t) + manage_dirs_pattern($1, svirt_home_t, svirt_home_t) + manage_sock_files_pattern($1, svirt_home_t, svirt_home_t) +') + +######################################## +## <summary> +## Manage svirt tmp files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> +## Read qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) + read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') diff --git a/src/security/selinux/virt.te b/src/security/selinux/virt.te new file mode 100644 index 0000000000..4fa95c8d0e --- /dev/null +++ b/src/security/selinux/virt.te 
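Review bot: `virt_sandbox_domtrans` hard-requires `container_file_t`, a type owned by the container policy, with no `optional_policy` guard and no documented dependency, so any module that calls it fails to link on a host without that policy installed; either wrap the body in `optional_policy(`...')` or document the container-selinux dependency in the `<desc>`. Second, `virt_noatsecure` grants `{ noatsecure rlimitinh }`, making it a strict superset of `virt_rlimitinh` under a name that only mentions noatsecure; drop `rlimitinh` from it or rename it. Third, many summaries are copy-pasted and describe the wrong access: `virt_getattr_content` and `virt_read_content` say "manage virt image files" but only getattr/read `virt_content_t`; `virt_rlimitinh` and `virt_noatsecure` say "Read and write to svirt_image devices"; `virt_default_capabilities` says "Getattr on virt executable" but only adds the `sandbox_caps_domain` attribute; `virt_systemctl` says "Execute virt server in the virt domain" but grants systemctl/unit-file access; `virtd_service_status` describes its parameter as "Domain allowed to transition". Please make each summary match the rules it expands to, since these summaries are what `sepolicy interface` shows to administrators deciding what to grant. Smaller points: `virt_admin` repeats `allow $1 virt_domain:process signal_perms;`; `virt_read_images` and `virt_manage_images` require `type virt_var_lib_t` without using it; `virt_sandbox_domain_template` carries commented-out `container_runtime_typebounds` code that should be removed or turned into a real `optional_policy`; `virt_sandbox_domain` and `virt_sandbox_net_domain` only attach an attribute and should be `interface` rather than `template`; typos "direcories" (twice), "an correct label", "an virt environment"; missing space in `domtrans_pattern($1,container_file_t, $2)`.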
@@ -0,0 +1,2090 @@ +policy_module(virt, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow confined virtual guests to use serial/parallel communication ports +## </p> +## </desc> +gen_tunable(virt_use_comm, false) + +## <desc> +## <p> +## Allow virtual processes to run as userdomains +## </p> +## </desc> +gen_tunable(virt_transition_userdomain, false) + +## <desc> +## <p> +## Allow confined virtual guests to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virt_use_execmem, false) + +## <desc> +## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> +## Allow confined virtual guests to read fuse files +## </p> +## </desc> +gen_tunable(virt_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to use glusterd +## </p> +## </desc> +gen_tunable(virt_use_glusterd, false) + +## <desc> +## <p> +## Allow sandbox containers to share apache content +## </p> +## </desc> +gen_tunable(virt_sandbox_share_apache_content, false) + +## <desc> +## <p> +## Allow sandbox containers manage fuse files +## </p> +## </desc> +gen_tunable(virt_sandbox_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage nfs files +## </p> +## </desc> +gen_tunable(virt_use_nfs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage cifs files +## </p> +## </desc> +gen_tunable(virt_use_samba, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> +## </desc> +gen_tunable(virt_use_sanlock, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> +## </desc> +gen_tunable(virt_use_rawip, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the xserver +## </p> +## </desc> +gen_tunable(virt_use_xserver, false) + +## <desc> +## <p> +## Allow 
confined virtual guests to use usb devices +## </p> +## </desc> +gen_tunable(virt_use_usb, true) + +## <desc> +## <p> +## Allow confined virtual guests to use smartcards +## </p> +## </desc> +gen_tunable(virt_use_pcscd, false) + +## <desc> +## <p> +## Allow sandbox containers to send audit messages + +## </p> +## </desc> +gen_tunable(virt_sandbox_use_audit, true) + +## <desc> +## <p> +## Allow sandbox containers to use netlink system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_netlink, false) + +## <desc> +## <p> +## Allow sandbox containers to use sys_admin system calls, for example mount +## </p> +## </desc> +gen_tunable(virt_sandbox_use_sys_admin, false) + +## <desc> +## <p> +## Allow sandbox containers to use mknod system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_mknod, false) + +## <desc> +## <p> +## Allow sandbox containers to use all capabilities +## </p> +## </desc> +gen_tunable(virt_sandbox_use_all_caps, true) + +## <desc> +## <p> +## Allow virtlockd read and lock block devices. 
+## </p> +## </desc> +gen_tunable(virt_lockd_blk_devs, false) + +gen_require(` + class passwd rootok; + class passwd passwd; +') + +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) + +virt_domain_template(svirt) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; + +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; +files_type(virt_cache_t) + +type virt_etc_t, virt_file_type; +files_config_file(virt_etc_t) + +type virt_etc_rw_t, virt_file_type; +files_type(virt_etc_rw_t) + +type virt_home_t, virt_file_type; +userdom_user_home_content(virt_home_t) + +type svirt_home_t, svirt_file_type; +userdom_user_home_content(svirt_home_t) + +# virt Image files +type virt_image_t, virt_file_type; # customizable +virt_image(virt_image_t) +files_mountpoint(virt_image_t) + +# virt Image files +type virt_content_t, virt_file_type; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) + +type virt_log_t, virt_file_type; +logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) + +type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) + +type virt_var_run_t, virt_file_type; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t, 
virt_file_type; +files_mountpoint(virt_var_lib_t) + +type virt_var_lockd_t, virt_file_type; +files_type(virt_var_lockd_t) + +type virtd_t, virt_system_domain; +type virtd_exec_t, virt_file_type; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + +type virtd_initrc_exec_t, virt_file_type; +init_script_file(virtd_initrc_exec_t) + +type virtd_keytab_t; +files_type(virtd_keytab_t) + +type virtlogd_t, virt_system_domain; +type virtlogd_exec_t, virt_file_type; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_etc_t, virt_file_type; +files_config_file(virtlogd_etc_t) + +type virtlogd_var_run_t, virt_file_type; +files_pid_file(virtlogd_var_run_t) + +type virtlogd_unit_file_t, virt_file_type; +systemd_unit_file(virtlogd_unit_file_t) + +type virtlogd_initrc_exec_t, virt_file_type; +init_script_file(virtlogd_initrc_exec_t) + +type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) +') + +# virtinterfaced +virt_driver_template(virtinterfaced) +files_type(virtinterfaced_t) + +# virtnetworkd +virt_driver_template(virtnetworkd) +files_type(virtnetworkd_t) + +# virtnodedevd +virt_driver_template(virtnodedevd) +files_type(virtnodedevd_t) + +# virtnwfilterd +virt_driver_template(virtnwfilterd) +files_type(virtnwfilterd_t) + +# virtproxyd +virt_driver_template(virtproxyd) +files_type(virtproxyd_t) + +# virtqemud +virt_driver_template(virtqemud) +files_type(virtqemud_t) 
+domain_obj_id_change_exemption(virtqemud_t) + +type virtqemud_tmp_t; +files_tmp_file(virtqemud_tmp_t) + +# virtsecretd +virt_driver_template(virtsecretd) +files_type(virtsecretd_t) + +# virtstoraged +virt_driver_template(virtstoraged) +files_type(virtstoraged_t) + +type virtstoraged_tmp_t; +files_tmp_file(virtstoraged_tmp_t) + +# virtvboxd +virt_driver_template(virtvboxd) +files_type(virtvboxd_t) + +# virtvzd +virt_driver_template(virtvzd) +files_type(virtvzd_t) + +# virtxend +virt_driver_template(virtxend) +files_type(virtxend_t) + +######################################## +# +# Declarations +# +attribute svirt_sandbox_domain; + +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + +# virt lxc container files +type container_file_t, svirt_file_type; +typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_file_t) + +type container_ro_file_t, svirt_file_type; +files_mountpoint(container_ro_file_t) + +######################################## +# +# svirt local policy +# + +allow svirt_t self:process ptrace; + +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +init_dontaudit_read_state(svirt_t) + +virt_dontaudit_read_state(svirt_t) + +storage_rw_inherited_fixed_disk_dev(svirt_t) + +userdom_read_all_users_state(svirt_t) + +####################################### +# +# svirt_prot_exec local policy +# + +allow svirt_tcg_t 
self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) +corenet_udp_bind_generic_node(svirt_tcg_t) +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) + +ps_process_pattern(svirt_tcg_t, virtd_t) + +virt_dontaudit_read_state(svirt_tcg_t) + +######################################## +# +# virtd local policy +# + +# fsetid - for chmod'ing its runtime files +allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit virtd_t self:capability { sys_module }; +') + +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow virtd_t self:rawip_socket create_socket_perms; +allow virtd_t self:packet_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; +allow virtd_t self:netlink_socket create_socket_perms; +allow virtd_t self:netlink_generic_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) +files_var_filetrans(virtd_t, virt_cache_t, dir) + +manage_dirs_pattern(virtd_t, virt_content_t, 
virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virtd_keytab_t:file read_file_perms; + +allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virt_domain virtd_t:fd use; +allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain virtd_t:tun_socket attach_queue; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) +filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type) +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:dir { rmdir setattr }; +allow virtd_t virt_image_type:file 
relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto }; +allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + +manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) +allow virtd_t virt_var_lib_t:file { relabelfrom relabelto }; + +manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +manage_files_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +filetrans_pattern(virtlogd_t, virt_var_lib_t, virt_var_lockd_t, dir, "lockd") + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file }) + +manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) + +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) 
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) + +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) +kernel_request_load_module(virtd_t) +kernel_search_debugfs(virtd_t) +kernel_dontaudit_setsched(virtd_t) +kernel_write_proc_files(virtd_t) + +corecmd_exec_bin(virtd_t) +corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_generic_if(virtd_t) +corenet_tcp_sendrecv_generic_node(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_generic_node(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) +corenet_relabel_tun_tap_dev(virtd_t) + +dev_rw_vfio_dev(virtd_t) +dev_rw_sysfs(virtd_t) +dev_read_urand(virtd_t) +dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) +dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) +dev_setattr_generic_usb_dev(virtd_t) +dev_relabel_generic_usb_dev(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_signull_all_domains(virtd_t) + +files_list_all_mountpoints(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) +files_relabelfrom_boot_files(virtd_t) 
+files_relabelto_boot_files(virtd_t) +files_manage_boot_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) + +fs_read_tmpfs_symlinks(virtd_t) +fs_list_auto_mountpoints(virtd_t) +fs_getattr_all_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) +fs_manage_cgroup_dirs(virtd_t) +fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_read_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) +mls_file_upgrade(virtd_t) + +mcs_process_set_categories(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) +storage_raw_write_removable_device(virtd_t) +storage_raw_read_removable_device(virtd_t) + +term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) +term_use_ptmx(virtd_t) + +auth_use_nsswitch(virtd_t) + +init_dbus_chat(virtd_t) +init_read_utmp(virtd_t) + +miscfiles_read_generic_certs(virtd_t) +miscfiles_read_hwdata(virtd_t) + +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) + +logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) + +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) +seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) + +sysnet_signull_ifconfig(virtd_t) +sysnet_signal_ifconfig(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) + +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) + +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) 
+userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_tmp_files(virtd_t) +userdom_setattr_user_tmp_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_files(virtd_t) + fs_mmap_nfs_files(virtd_t) + fs_read_nfs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) +') + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + consoletype_exec(virtd_t) +') + +optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + consolekit_dbus_chat(virtd_t) + ') + + optional_policy(` + hal_dbus_chat(virtd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dmidecode_domtrans(virtd_t) +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t) + dnsmasq_manage_pid_files(virtd_t) +') + +optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall + iptables_manage_config(virtd_t) +') + +optional_policy(` + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + 
kernel_write_xen_state(virtd_t) + + xen_exec(virtd_t) + xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +') + +optional_policy(` + lvm_domtrans(virtd_t) +') + +optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(virtd_t) + mount_signal(virtd_t) +') + +optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') + +optional_policy(` + qemu_exec(virtd_t) +') + +optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` + udev_domtrans(virtd_t) + udev_read_db(virtd_t) + udev_read_pid_files(virtd_t) +') + +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## +# +# virtlogd local policy +# + +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) + +# virtlogd needs to read /etc/libvirt/virtlogd.conf only +allow virtlogd_t virtlogd_etc_t:file read_file_perms; +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:file read_file_perms; +allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock }; +allow virtlogd_t virt_etc_t:dir search; + +manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) + +# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated +# context from other stuff in /var/run/libvirt +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too + +# virtlogd creates a 
/var/run/virtlogd.pid file +allow virtlogd_t virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) +files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) + +manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) + +can_exec(virtlogd_t, virtlogd_exec_t) + +kernel_read_network_state(virtlogd_t) + +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + +# Allow virtlogd_t to execute itself. +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + +manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t) + +virt_manage_lib_files(virtlogd_t) + +tunable_policy(`virt_lockd_blk_devs',` + dev_lock_all_blk_files(virtlogd_t) +') + +tunable_policy(`virt_use_nfs',` + fs_append_nfs_files(virtlogd_t) +') + +optional_policy(` + dbus_system_bus_client(virtlogd_t) +') + +optional_policy(` + systemd_write_inhibit_pipes(virtlogd_t) + systemd_dbus_chat_logind(virtlogd_t) +') + +######################################## +# +# virtual domains common policy +# +#allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { getsched setrlimit setsched signal_perms }; +allow virt_domain self:fifo_file 
rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; +allow virt_domain self:icmp_socket create_socket_perms; +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; + +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) +kernel_ib_access_unlabeled_pkeys(virt_domain) + +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) +append_files_pattern(virt_domain, virt_home_t, virt_home_t) +manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +read_files_pattern(virt_domain, virt_image_t, virt_image_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) 
+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) +allow svirt_t svirt_image_t:file map; +allow svirt_t svirt_image_t:blk_file map; + +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file}) +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) +allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh}; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) +corenet_tcp_bind_generic_node(virt_domain) 
+corenet_tcp_bind_vnc_port(virt_domain) +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) + +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) +dev_read_generic_symlinks(virt_domain) +dev_read_rand(virt_domain) +dev_read_sound(virt_domain) +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_sev(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) +dev_rw_tpm(virt_domain) +dev_rw_xserver_misc(virt_domain) + +domain_use_interactive_fds(virt_domain) + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) + +fs_rw_cephfs_files(virt_domain) +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) +fs_rw_inherited_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) + +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_files(virt_domain) +') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) + fs_mmap_nfs_files(virt_domain) +') + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) +') + +optional_policy(` + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + sanlock_read_state(virt_domain) + ') +') + +optional_policy(` + 
tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') +') + +optional_policy(` + alsa_read_rw_config(virt_domain) +') + +optional_policy(` + gnome_dontaudit_manage_cache_home_dir(virt_domain) +') + +optional_policy(` + nscd_dontaudit_read_pid(virt_domain) +') + +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') + +optional_policy(` + openvswitch_stream_connect(svirt_t) +') + +optional_policy(` + ptchown_domtrans(virt_domain) +') + +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) +') + +optional_policy(` + sssd_read_public_files(virt_domain) +') + +optional_policy(` + unconfined_dontaudit_read_state(virt_domain) +') + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') + +optional_policy(` + xserver_rw_shm(virt_domain) +') + +######################################## +# +# xm local policy +# +type virsh_t, virt_system_domain; +type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap setexec setsched signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) +virt_domtrans(virsh_t) +virt_manage_images(virsh_t) +virt_manage_config(virsh_t) +virt_stream_connect(virsh_t) + +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) 
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +manage_dirs_pattern(virsh_t, container_file_t, container_file_t) +manage_files_pattern(virsh_t, container_file_t, container_file_t) +manage_chr_files_pattern(virsh_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t) +manage_sock_files_pattern(virsh_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_write_proc_files(virsh_t) +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_rand(virsh_t) +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_list_mnt(virsh_t) +files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + 
+storage_raw_read_fixed_disk(virsh_t) + +term_use_all_inherited_terms(virsh_t) +term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +systemd_exec_systemctl(virsh_t) + +auth_read_passwd(virsh_t) + +logging_send_syslog_msg(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +userdom_stream_connect(virsh_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) + fs_manage_cifs_files(virsh_t) + fs_read_cifs_symlinks(virsh_t) +') + +optional_policy(` + cron_system_entry(virsh_t, virsh_exec_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) + + optional_policy(` + hal_dbus_chat(virsh_t) + ') +') + +optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + +optional_policy(` + rpm_exec(virsh_t) +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +######################################## +# +# virt_lxc local policy +# +allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow 
virtd_lxc_t self:capability { chown dac_read_search net_admin net_raw setgid setpcap setuid sys_admin sys_boot sys_nice sys_resource }; +allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition }; +#allow virtd_lxc_t self:capability2 compromise_kernel; + +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_lxc_t self:packet_socket create_socket_perms; +ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +corecmd_entrypoint_all_executables(virtd_lxc_t) +files_entrypoint_all_mountpoint(virtd_lxc_t) + +allow virtd_lxc_t virt_image_type:dir mounton; +manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +allow 
virtd_lxc_t container_file_t:dir_file_class_set { relabelfrom relabelto }; +allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto }; +files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) + +storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) + +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) +kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) + +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) + +dev_relabel_all_dev_nodes(virtd_lxc_t) +dev_rw_sysfs(virtd_lxc_t) +dev_read_sysfs(virtd_lxc_t) +dev_read_urand(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + +files_search_all(virtd_lxc_t) +files_getattr_all_files(virtd_lxc_t) +files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) +files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) + +fs_read_fusefs_files(virtd_lxc_t) +fs_getattr_all_fs(virtd_lxc_t) +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) +fs_manage_tmpfs_symlinks(virtd_lxc_t) +fs_manage_cgroup_dirs(virtd_lxc_t) +fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) +fs_rw_cgroup_files(virtd_lxc_t) +fs_unmount_all_fs(virtd_lxc_t) +fs_relabelfrom_tmpfs(virtd_lxc_t) + +logging_send_audit_msgs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) +selinux_unmount_fs(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) + +term_use_generic_ptys(virtd_lxc_t) +term_use_ptmx(virtd_lxc_t) +term_relabel_pty_fs(virtd_lxc_t) + +auth_use_nsswitch(virtd_lxc_t) + +logging_send_syslog_msg(virtd_lxc_t) + +seutil_domtrans_setfiles(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) +selinux_validate_context(virtd_lxc_t) +selinux_compute_access_vector(virtd_lxc_t) 
+selinux_compute_create_context(virtd_lxc_t) +selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) + +sysnet_exec_ifconfig(virtd_lxc_t) + +systemd_dbus_chat_machined(virtd_lxc_t) + +userdom_read_admin_home_files(virtd_lxc_t) + +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) + + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') + +optional_policy(` + container_exec_lib(virtd_lxc_t) +') + +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') + +optional_policy(` + unconfined_domain(virtd_lxc_t) +') + +######################################## +# +# svirt_sandbox_domain local policy +# +allow svirt_sandbox_domain self:key manage_key_perms; +dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; + +allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid setrlimit setsched signal_perms }; +allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms; +allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; +allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; +allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; + +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) +fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') + +allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow 
virtd_t svirt_sandbox_domain:process { getattr signal_perms }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setrlimit setsched signal_perms transition }; + +allow svirt_sandbox_domain virtd_lxc_t:process sigchld; +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + +manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton; + +list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_file_t) + +allow svirt_sandbox_domain container_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +can_exec(svirt_sandbox_domain, container_file_t) +allow svirt_sandbox_domain container_file_t:dir mounton; +allow svirt_sandbox_domain container_file_t:filesystem { getattr remount }; + +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) 
+kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) +kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + +domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain) +domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain) + +files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) +files_dontaudit_getattr_all_files(svirt_sandbox_domain) +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) +files_search_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) + +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + +files_search_all(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) +fs_rw_cephfs_files(svirt_sandbox_domain) + +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) +fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + +init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) + +miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) 
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) +miscfiles_read_fonts(svirt_sandbox_domain) +miscfiles_read_hwdata(svirt_sandbox_domain) + +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) + fs_mount_nfs(svirt_sandbox_domain) + fs_unmount_nfs(svirt_sandbox_domain) + fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) + fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) +') + +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') + +optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +') + +optional_policy(` + 
mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +# Policy moved to container-selinux policy package + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; + +allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execmem execstack }; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_qemu_net_t self:netlink_socket create_socket_perms; + allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, 
virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) + +userdom_use_user_ptys(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') + +####################################### +# +# virtinterfaced local policy +# +allow virtinterfaced_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { dir file }) + +kernel_read_network_state(virtinterfaced_t) + +corecmd_exec_bin(virtinterfaced_t) + +fs_getattr_all_fs(virtinterfaced_t) + +modutils_read_module_config(virtinterfaced_t) + +sysnet_manage_config(virtinterfaced_t) + +userdom_read_all_users_state(virtinterfaced_t) + +####################################### +# +# virtnetworkd local policy +# +allow virtnetworkd_t self:capability { kill sys_ptrace }; +allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnetworkd_t self:process setcap; +allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto }; + +manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtnetworkd_t, 
virt_var_lib_t, virt_var_lib_t) + +kernel_read_network_state(virtnetworkd_t) +kernel_request_load_module(virtnetworkd_t) +kernel_rw_net_sysctls(virtnetworkd_t) + +corenet_rw_tun_tap_dev(virtnetworkd_t) + +dev_rw_sysfs(virtnetworkd_t) + +sysnet_read_config(virtnetworkd_t) + +optional_policy(` + dnsmasq_domtrans(virtnetworkd_t) + dnsmasq_manage_pid_files(virtnetworkd_t) + dnsmasq_read_state(virtnetworkd_t) + dnsmasq_signal(virtnetworkd_t) + dnsmasq_signull(virtnetworkd_t) +') + +optional_policy(` + iptables_domtrans(virtnetworkd_t) + iptables_read_var_run(virtnetworkd_t) +') + +####################################### +# +# virtnodedevd local policy +# +allow virtnodedevd_t self:capability sys_admin; +allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; + +kernel_request_load_module(virtnodedevd_t) + +dev_rw_mtrr(virtnodedevd_t) + +miscfiles_read_hwdata(virtnodedevd_t) + +optional_policy(` + udev_read_pid_files(virtnodedevd_t) +') + +####################################### +# +# virtnwfilterd local policy +# +allow virtnwfilterd_t self:capability net_raw; +allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; +allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) + +manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t) + +kernel_read_all_proc(virtnwfilterd_t) +kernel_read_net_sysctls(virtnwfilterd_t) +kernel_request_load_module(virtnwfilterd_t) + +corecmd_exec_bin(virtnwfilterd_t) + +optional_policy(` + dnsmasq_domtrans(virtnwfilterd_t) + dnsmasq_manage_pid_files(virtnwfilterd_t) +') + +optional_policy(` + iptables_domtrans(virtnwfilterd_t) + 
iptables_filetrans_named_content(virtnwfilterd_t) + iptables_read_var_run(virtnwfilterd_t) +') + +####################################### +# +# virtproxyd local policy +# +allow virtproxyd_t self:tcp_socket create_stream_socket_perms; +allow virtproxyd_t self:udp_socket create_socket_perms; + +corenet_tcp_bind_generic_node(virtproxyd_t) +corenet_tcp_bind_virt_port(virtproxyd_t) + +userdom_read_all_users_state(virtproxyd_t) + +####################################### +# +# virtqemud local policy +# +allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:netlink_audit_socket nlmsg_relay; +allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate }; +allow virtqemud_t self:tcp_socket create_socket_perms; +allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:udp_socket { create getattr }; + +allow virtqemud_t svirt_t:process { setsched signal signull transition }; +allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; + +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + +allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; + +allow virtqemud_t virt_driver_domain:unix_stream_socket connectto; + +allow virtqemud_t virt_var_run_t:file map; + +allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file}) + +manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) 
+manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) + +manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +read_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) + +manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) + +manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t) + +manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) + +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) + +manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t) + +read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) + +kernel_read_all_proc(virtqemud_t) +kernel_request_load_module(virtqemud_t) + +corecmd_exec_bin(virtqemud_t) +corecmd_exec_shell(virtqemud_t) + +corenet_rw_tun_tap_dev(virtqemud_t) +corenet_tcp_bind_generic_node(virtqemud_t) +corenet_tcp_bind_vnc_port(virtqemud_t) + +dev_read_cpuid(virtqemud_t) +dev_read_sysfs(virtqemud_t) +dev_read_urand(virtqemud_t) +dev_relabel_all_dev_nodes(virtqemud_t) +dev_rw_kvm(virtqemud_t) +dev_rw_vhost(virtqemud_t) + +files_mounton_non_security(virtqemud_t) +files_read_all_symlinks(virtqemud_t) + +fs_getattr_hugetlbfs(virtqemud_t) +fs_manage_hugetlbfs_dirs(virtqemud_t) +fs_manage_cgroup_dirs(virtqemud_t) +fs_manage_cgroup_files(virtqemud_t) +fs_manage_tmpfs_chr_files(virtqemud_t) +fs_manage_tmpfs_dirs(virtqemud_t) +fs_manage_tmpfs_symlinks(virtqemud_t) +fs_mount_tmpfs(virtqemud_t) +fs_read_nsfs_files(virtqemud_t) +fs_relabel_tmpfs_chr_file(virtqemud_t) + +seutil_read_default_contexts(virtqemud_t) +seutil_read_file_contexts(virtqemud_t) + +init_stream_connect(virtqemud_t) +init_stream_connect_script(virtqemud_t) + 
+sysnet_exec_ifconfig(virtqemud_t) +sysnet_manage_config(virtqemud_t) + +userdom_read_all_users_state(virtqemud_t) +userdom_read_user_home_content_files(virtqemud_t) +userdom_relabel_user_home_files(virtqemud_t) + +tunable_policy(`virtqemud_use_execmem',` + allow virtqemud_t self:process { execmem execstack }; +') + +optional_policy(` + dmidecode_domtrans(virtqemud_t) +') + +optional_policy(` + qemu_exec(virtqemud_t) +') + +optional_policy(` + systemd_userdbd_stream_connect(virtqemud_t) +') + +####################################### +# +# virtstoraged local policy +# +allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock }; + +files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) + +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t) + +manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t) + +manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virtstoraged_t) + +fs_getattr_all_fs(virtstoraged_t) + +userdom_read_user_home_content_files(virtstoraged_t) + +####################################### +# +# virtvboxd local policy +# +allow virtvboxd_t self:netlink_audit_socket create; +allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtvboxd_t self:netlink_route_socket create_socket_perms; +allow virtvboxd_t self:unix_dgram_socket create; +allow virtvboxd_t virt_etc_t:dir search; + +####################################### +# +# virtvzd local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. 
+optional_policy(` + unconfined_domain(virtvzd_t) +') + +####################################### +# +# virtxend local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. +optional_policy(` + unconfined_domain(virtxend_t) +') + +####################################### +# +# tye for svirt sockets +# + +type svirt_socket_t; +domain_type(svirt_socket_t) +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; + +tunable_policy(`virt_transition_userdomain',` + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') + +######################################## +# +# svirt_kvm_net_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; + +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_kvm_net_t self:netlink_socket create_socket_perms; + allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) + +dev_rw_kvm(svirt_kvm_net_t) + +manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) + +list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) + +kernel_read_network_state(svirt_kvm_net_t) +kernel_read_irq_sysctls(svirt_kvm_net_t) + +dev_read_sysfs(svirt_kvm_net_t) 
+dev_getattr_mtrr_dev(svirt_kvm_net_t) +dev_read_rand(svirt_kvm_net_t) +dev_read_urand(svirt_kvm_net_t) + +files_read_kernel_modules(svirt_kvm_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) +fs_manage_cgroup_files(svirt_kvm_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_kvm_net_t) + +rpm_read_db(svirt_kvm_net_t) + +logging_send_syslog_msg(svirt_kvm_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_kvm_net_t) +') + +userdom_use_user_ptys(svirt_kvm_net_t) + +kernel_read_network_state(sandbox_net_domain) + +allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw }; +allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw }; + +allow sandbox_net_domain self:udp_socket create_socket_perms; +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow sandbox_net_domain self:packet_socket create_socket_perms; +allow sandbox_net_domain self:socket create_socket_perms; +allow sandbox_net_domain self:rawip_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) +corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) + +optional_policy(` + sssd_stream_connect(sandbox_net_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') + +allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot 
}; +allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +allow svirt_sandbox_domain container_ro_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_ro_file_t) -- 2.30.2
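Review bot: in the virsh_t `virt_use_samba` tunable, `fs_manage_cifs_files(virsh_t)` is listed twice and there is no directory rule, so the second line is almost certainly meant to be `fs_manage_cifs_dirs(virsh_t)`, mirroring the `fs_manage_nfs_dirs` / `fs_manage_nfs_files` pair in the `virt_use_nfs` block directly above it; as written, virsh cannot create or remove directories on a CIFS share even with the boolean on. Two leftovers in the same block: the section header reads `# xm local policy` although the domain is `virsh_t` (xm_t is only kept as an alias), and `# Some common macros (you might be able to remove some)` is template output from sepolicy generate and should be deleted.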
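Review bot: `openvswitch_stream_connect(svirt_t)` sits in the virt_domain block where every neighbouring `optional_policy` rule (alsa, gnome, nscd, ptchown, pulseaudio, sssd, xserver) is granted to `virt_domain`; if only QEMU guests are meant to reach the Open vSwitch control socket, a one-line comment saying so will stop the next reader from "fixing" it, otherwise it should be `openvswitch_stream_connect(virt_domain)` like the rest of the block.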
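Review bot: the `optional_policy(` unconfined_domain(virtd_lxc_t) ')` at the end of the virtd_lxc_t block makes every confined rule above it dead on any system where the unconfined module is loaded, which is the normal state of a targeted policy; if that is intended, say so with the same "until the policy for this driver is made" comment used for virtvzd_t and virtxend_t, otherwise drop it so the LXC driver is actually confined. Smaller points in the same block: the two `allow virtd_lxc_t self:process { ... }` rules both carry `signal_perms` and can be merged into one, and the commented-out `#allow virtd_lxc_t self:capability2 compromise_kernel;` should either go or get a note explaining why it is kept.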
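Review bot: several rules are declared twice, which the compiler merges silently but which makes the policy harder to audit: `fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)` and `dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)` appear unconditionally and again inside the container `optional_policy` block; `can_exec(svirt_sandbox_domain, container_file_t)` and `allow svirt_sandbox_domain container_file_t:file execmod` are each stated twice a few lines apart; `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)` are repeated in both the svirt_qemu_net_t and svirt_kvm_net_t blocks and belong once, next to the declaration of container_file_t, since they are properties of the type and not of either domain. Two header fixes in the same area: `# container_t local policy` is used for two consecutive sections and the second one actually introduces svirt_qemu_net_t, and `# tye for svirt sockets` should read `type`.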
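Review bot: `manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t)` in the virtnwfilterd_t block uses virt_var_run_t as the directory type and virtlogd_var_run_t as the file type, which gives the nwfilter driver full create, write and unlink rights on virtlogd's runtime files; nothing in the driver's description (ip[6]tables/ebtables management) calls for that, so if the rule was derived from an AVC, the label on the file in that denial is more likely the bug than the missing access. In the same block, `dnsmasq_domtrans(virtnwfilterd_t)` with `dnsmasq_manage_pid_files` duplicates what virtnetworkd_t already has, and `self:netlink_rdma_socket create_socket_perms` is unexpected for a firewall driver; each should be justified with a comment or dropped.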
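Review bot: `tunable_policy(`virtqemud_use_execmem', ...)` in the virtqemud_t block introduces a second execmem boolean beside the `virt_use_execmem` tunable that already covers virt_domain earlier in the file; if virtqemud_t carries the virt_domain attribute the new boolean is redundant, and if the split is deliberate both booleans need a gen_tunable description saying which daemon each controls. The `allow virtqemud_t self:capability { ... }` line (`sys_rawio` together with `sys_admin`, `sys_ptrace` and `dac_override`) and `dev_relabel_all_dev_nodes(virtqemud_t)` are the widest grants among the new confined domains and deserve a comment naming the code path that needs each of them, because that is exactly what a later auditor will otherwise have to re-derive from AVC logs.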
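Review bot: wrapping `unconfined_domain(virtvzd_t)` and `unconfined_domain(virtxend_t)` in `optional_policy` means that on a policy built without the unconfined module (an mls policy, or a targeted system with unconfined removed) these two daemons get no rules at all, because those blocks are the only allow rules for either domain in this file; that is the opposite of the "run in unconfined_domain until the policy is made" behaviour the commit message describes. The conventional interim for a new domain is `permissive virtvzd_t;` and `permissive virtxend_t;`, which keeps the daemons working, still logs the AVCs needed to write the real policy, and does not depend on another module being present.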

Compile the policy using a script executed by meson. Generate 2 versions of the binary policy to allow installation to systems with any selinux type (targeted, mls and minimum). Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- Changes: - Hide errors regarding duplicate definition of interfaces libvirt.spec.in | 92 ++++++++++++++++ src/security/meson.build | 13 +++ src/security/selinux/compile_policy.py | 144 +++++++++++++++++++++++++ src/security/selinux/mcs/meson.build | 20 ++++ src/security/selinux/meson.build | 7 ++ src/security/selinux/mls/meson.build | 20 ++++ 6 files changed, 296 insertions(+) create mode 100755 src/security/selinux/compile_policy.py create mode 100644 src/security/selinux/mcs/meson.build create mode 100644 src/security/selinux/meson.build create mode 100644 src/security/selinux/mls/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index da7af2824e..940582b2c7 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,12 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global modulename virt +%endif + %define min_rhel 7 %define min_fedora 31 @@ -467,6 +473,12 @@ Requires(pre): shadow-utils # Needed by /usr/libexec/libvirt-guests.sh script. Requires: gettext +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-daemon-selinux if selinux-policy-base) +%endif + # Ensure smooth upgrades Obsoletes: libvirt-admin < 7.3.0 Provides: libvirt-admin 
@@ -979,6 +991,19 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} %description nss Libvirt plugin for NSS for translating domain names into IP addresses. +%if 0%{?with_selinux} +# SELinux subpackage +%package daemon-selinux +Summary: Libvirt daemon SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description daemon-selinux +SELinux policy module for libvirt daemons. +%endif %prep 
@@ -1495,6 +1520,63 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_pre -s ${SELINUXTYPE} +fi + +%post daemon-selinux +# only policy reload is needed - module installation is managed by triggers +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || : + +%postun daemon-selinux +if [ $1 -eq 0 ]; then + /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : +fi + +%posttrans daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_post -s ${SELINUXTYPE} +fi + +# install the policy module to corresponding policy store if +# selinux-policy-{targeted|mls|minimum} package is installed on the system +%triggerin -n %{name}-daemon-selinux -- selinux-policy-targeted +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-minimum +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : +# libvirt module is installed by default, but disabled -- enable it +/usr/sbin/semodule -n -s minimum -e %{modulename} || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-mls +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || : + +# remove the policy module from corresponding module store if +# libvirt-selinux or selinux-policy-* was removed from the system, +# but not when either package gets updated +%triggerun -n %{name}-daemon-selinux -- selinux-policy-targeted +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- 
selinux-policy-minimum +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || : + /usr/sbin/semodule -n -d %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- selinux-policy-mls +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || : +fi +%endif + %files %files docs @@ -1955,5 +2037,15 @@ exit 0 %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml +%if 0%{?with_selinux} +%files daemon-selinux +%{_datadir}/selinux/packages/%{modulename}.pp.* +%{_datadir}/selinux/packages/mls/%{modulename}.pp.* +%ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} +%ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} +%ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} +%{_datadir}/selinux/devel/include/contrib/%{modulename}.if +%endif + %changelog diff --git a/src/security/meson.build b/src/security/meson.build index 416fec7900..1d377bbbf9 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -56,3 +56,16 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif + +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>33')) or + (os_release.contains('rhel') and os_version.version_compare('>8'))) + subdir('selinux') +endif diff --git a/src/security/selinux/compile_policy.py b/src/security/selinux/compile_policy.py new file mode 100755 index 0000000000..95f0741d1a --- /dev/null +++ b/src/security/selinux/compile_policy.py 
@@ -0,0 +1,144 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# <http://www.gnu.org/licenses/>. + +# This script is based on selinux-policy Makefile +# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Makefi... + +import subprocess +import sys +import os +import glob + +if len(sys.argv) != 7: + print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr) + exit(os.EX_USAGE) + +module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0] + +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms", + "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", + "-D", "mcs_num_cats=1024"] + +if sys.argv[6] == "mls": + m4param = ["-D", "enable_mls"] + m4param +else: + m4param = ["-D", "enable_mcs"] + m4param + +SHAREDIR = "/usr/share/selinux" +HEADERDIR = os.path.join(SHAREDIR, "devel/include") + +m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR))) +header_layers = glob.glob("{}/*/".format(HEADERDIR)) +header_layers = sorted([x for x in header_layers + if os.path.join(HEADERDIR, "support") not in x]) + +header_interfaces = [] +for layer in header_layers: + header_interfaces.extend(glob.glob("{}/*.if".format(layer))) +header_interfaces.sort() + +# prepare temp folder +try: + os.makedirs(sys.argv[5]) +except 
Exception: + pass + +# remove old trash from the temp folder +tmpfiles = ["{}.{}".format(module_name, ext) + for ext in ["mod", "mod.fc", "tmp"]] +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles: + try: + os.remove(os.path.join(sys.argv[5], name)) + except Exception: + pass + +# tmp/all_interfaces.conf +# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file: + file.write("ifdef(`__if_error',`m4exit(1)')\n") + +# echo "divert(-1)" > $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file: + int_file.write("divert(-1)\n") + +# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 +# | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +m4_run = subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format( + " ".join([*m4support, *header_interfaces, sys.argv[2], + os.path.join(sys.argv[5], "iferror.m4")]), + os.path.join(sys.argv[5], "all_interfaces.conf")), + shell=True, check=True, stderr=subprocess.PIPE, + universal_newlines=True) + +# Filter out messages about duplicate definition of interfaces. e.g. +# virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original +# definition on 13. +# They are expected and can be safely ignored. 
+for line in m4_run.stderr.split('\n'): + if line and "Error: duplicate definition of" not in line: + print(line, file=sys.stderr) + +# doesn't work properly without "shell=True" +# m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2], +# os.path.join(sys.argv[5], "iferror.m4")], +# stdout=PIPE, stderr=PIPE) +# sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"], +# stdin=m4_process.stdout, stdout=int_file) +# outs, errs = m4_process.communicate() + +# echo "divert" >> $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file: + file.write("divert\n") + +# tmp/%.mod +# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "w") as tmp_file: + subprocess.run(["m4", *m4param, "-s", *m4support, + os.path.join(sys.argv[5], "all_interfaces.conf"), + sys.argv[1]], stdout=tmp_file, check=True) + +# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +subprocess.run(["/usr/bin/checkmodule", + "-M", + "-m", + os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "-o", + os.path.join(sys.argv[5], "{}.mod".format(module_name))], + check=True) + + +# tmp/%.mod.fc +# m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +with open(os.path.join(sys.argv[5], + "{}.mod.fc".format(module_name)), "w") as mod_fc_file: + subprocess.run(["m4", *m4param, *m4support, sys.argv[3]], + stdout=mod_fc_file, check=True) + +# %.pp +# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod +# -f $5/$MODULE_NAME.mod.fc +subprocess.run(["/usr/bin/semodule_package", + "-o", + sys.argv[4], + "-m", + os.path.join(sys.argv[5], "{}.mod".format(module_name)), + "-f", + os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))], + check=True) diff --git a/src/security/selinux/mcs/meson.build b/src/security/selinux/mcs/meson.build new file mode 100644 index 0000000000..419253f151 --- /dev/null +++ b/src/security/selinux/mcs/meson.build 
@@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# targeted/minimum policy module +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mcs/tmp', 'mcs'], + install : false) + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages') diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build new file mode 100644 index 0000000000..c8eec463d2 --- /dev/null +++ b/src/security/selinux/meson.build @@ -0,0 +1,7 @@ +set_variable('compile_policy_prog', find_program('compile_policy.py')) +set_variable('bzip2_prog', find_program('bzip2')) + +install_data('virt.if', install_dir : 'share/selinux/devel/include/contrib') + +subdir('mcs') +subdir('mls') diff --git a/src/security/selinux/mls/meson.build b/src/security/selinux/mls/meson.build new file mode 100644 index 0000000000..20bab41fea --- /dev/null +++ b/src/security/selinux/mls/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# MLS policy module +virt_pp_mls = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'], + install : false) + +bzip_mls = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp_mls, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/mls') -- 2.30.2
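Review bot: in the %triggerun for selinux-policy-minimum the second command, `/usr/sbin/semodule -n -d %{modulename} || :`, has no `-s minimum`, so it disables the module in whichever store /etc/selinux/config names (normally targeted) rather than in the minimum store; the matching %triggerin enables it with `-s minimum`, so the disable should read `/usr/sbin/semodule -n -s minimum -d %{modulename} || :`. Minor: the comment above the rich Requires says "all it’s dependencies", which should be "its".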
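Review bot: gating subdir('selinux') on grep of /etc/os-release in src/security/meson.build ties the build to the host distribution instead of to a configure option, and the detection itself misfires: on RHEL and CentOS VERSION_ID is quoted (VERSION_ID="8.4"), the CentOS containers this series touches report ID="centos" so `os_release.contains('rhel')` never matches them, and the `else` branch assigns the integer 0 to os_version and then calls the string method version_compare on it. A meson feature option (for example a hypothetical selinux_policy option, auto-detected through find_program('checkmodule') and the presence of /usr/share/selinux/devel/include) would replace the distro sniffing; if the distro check has to stay, strip the quotes and the trailing newline from the grep output before comparing.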
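Review bot: the m4 | sed step in compile_policy.py runs with check=True and stderr=subprocess.PIPE, so when m4 exits non-zero (which iferror.m4 forces on any interface error through m4exit(1)) the CalledProcessError is raised before the stderr filter loop runs and the real error text is lost; catch CalledProcessError, print the filtered stderr, then re-raise. The "duplicate definition of" errors being filtered come from header_interfaces globbing every layer, including the contrib/virt.if that selinux-policy-devel ships and that this spec installs, alongside the local virt.if passed as sys.argv[2]; excluding the module's own name from header_interfaces would remove the need to suppress errors at all. The commented-out Popen pipeline failed not because of the missing shell but because `int_file` is already closed by its `with` block when it is handed over as `stdout=int_file`; reopening the file in append mode there should let the pipeline run without shell=True and without joining paths into a shell string. Minor: `exit(os.EX_USAGE)` relies on the site-provided builtin, `sys.exit(os.EX_USAGE)` is the portable form, and the two `except Exception: pass` blocks can be `os.makedirs(..., exist_ok=True)` and `except FileNotFoundError`.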
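Review bot: the scratch directory 'selinux/mcs/tmp' (and 'selinux/mls/tmp') in the custom_target commands is resolved relative to the directory meson runs the command from, not relative to these meson.build files, so the temporary files land somewhere in the build root; '@PRIVATE_DIR@' gives each target its own scratch directory. The mcs and mls meson.build files differ only in the type argument and install_dir, so a loop over ['mcs', 'mls'] in selinux/meson.build would replace the two copies.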

Temporary commit for testing purposes. The change needs to be done in https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/a... Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- ci/containers/centos-8.Dockerfile | 1 + ci/containers/centos-stream.Dockerfile | 1 + ci/containers/fedora-32.Dockerfile | 1 + ci/containers/fedora-33.Dockerfile | 1 + ci/containers/fedora-rawhide-cross-mingw32.Dockerfile | 1 + ci/containers/fedora-rawhide-cross-mingw64.Dockerfile | 1 + ci/containers/fedora-rawhide.Dockerfile | 1 + 7 files changed, 7 insertions(+) diff --git a/ci/containers/centos-8.Dockerfile b/ci/containers/centos-8.Dockerfile index 0c7292b8d2..927324e7ea 100644 --- a/ci/containers/centos-8.Dockerfile +++ b/ci/containers/centos-8.Dockerfile @@ -88,6 +88,7 @@ RUN dnf update -y && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/centos-stream.Dockerfile b/ci/containers/centos-stream.Dockerfile index 3bc66775eb..b15bd3756e 100644 --- a/ci/containers/centos-stream.Dockerfile +++ b/ci/containers/centos-stream.Dockerfile @@ -90,6 +90,7 @@ RUN dnf install -y centos-release-stream && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/fedora-32.Dockerfile b/ci/containers/fedora-32.Dockerfile index 9b06bcbac5..f97e7bdf3a 100644 --- a/ci/containers/fedora-32.Dockerfile +++ b/ci/containers/fedora-32.Dockerfile @@ -93,6 +93,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/fedora-33.Dockerfile b/ci/containers/fedora-33.Dockerfile index 2885eafbb0..9c88ae58e0 100644 --- a/ci/containers/fedora-33.Dockerfile +++ b/ci/containers/fedora-33.Dockerfile 
@@ -93,6 +93,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile index 139e0b145c..845a0cb0d5 100644 --- a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile +++ b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile @@ -58,6 +58,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile index b24049f879..0b79bd6c35 100644 --- a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile +++ b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile @@ -58,6 +58,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/fedora-rawhide.Dockerfile b/ci/containers/fedora-rawhide.Dockerfile index 1f0abb7288..ac9ef22212 100644 --- a/ci/containers/fedora-rawhide.Dockerfile +++ b/ci/containers/fedora-rawhide.Dockerfile @@ -94,6 +94,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ -- 2.30.2
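Review bot: with the meson gating from the previous patch (Fedora newer than 33, RHEL newer than 8) the fedora-32, fedora-33 and centos-8 containers never build the policy, so selinux-policy-devel is unused there, and the cross-mingw32/mingw64 containers do not need it either since the policy is not a mingw target; limit the addition to fedora-rawhide and centos-stream, and, as the commit message already says, make the change in lcitool so these Dockerfiles stay generated rather than hand-edited.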

From: Nikola Knazekova <nknazeko@redhat.com> SELinux policy was created for: Hypervisor drivers: - virtqemud (QEMU/KVM) - virtlxcd (LXC) - virtvboxd (VirtualBox) Secondary drivers: - virtstoraged (host storage mgmt) - virtnetworkd (virtual network mgmt) - virtinterface (network interface mgmt) - virtnodedevd (physical device mgmt) - virtsecretd (security credential mgmt) - virtnwfilterd (ip[6]tables/ebtables mgmt) - virtproxyd (proxy daemon) SELinux policy for virtvxz and virtxend has not been created yet, because I wasn't able to reproduce AVC messages. These drivers run in unconfined_domain until the AVC messages are reproduced internally and policy for these drivers is made. Signed-off-by: Nikola Knazekova <nknazeko@redhat.com> --- Changes: - Rebase - Remove some unneeded interface calls from the policy - Update interface file path src/security/selinux/virt.fc | 111 ++ src/security/selinux/virt.if | 1984 ++++++++++++++++++++++++++++++++ src/security/selinux/virt.te | 2078 ++++++++++++++++++++++++++++++++++ 3 files changed, 4173 insertions(+) create mode 100644 src/security/selinux/virt.fc create mode 100644 src/security/selinux/virt.if create mode 100644 src/security/selinux/virt.te diff --git a/src/security/selinux/virt.fc b/src/security/selinux/virt.fc new file mode 100644 index 0000000000..554e1094d9 --- /dev/null +++ b/src/security/selinux/virt.fc 
@@ -0,0 +1,111 @@ +HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) +HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) + +/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0) +/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0) +/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0) + +/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) + +/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) + +/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0) +/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0) +/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0) +/usr/sbin/virtnodedevd 
-- gen_context(system_u:object_r:virtnodedevd_exec_t,s0) +/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0) +/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0) +/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0) +/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0) +/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0) +/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0) +/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtvzd_exec_t,s0) +/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0) + +/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) + +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) + +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) +# Avoid calling m4's "interface" by using en empty string +/var/run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/nodedev(/.*)? gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/nwfilter(/.*)? gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/secrets(/.*)? gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/storage(/.*)? 
gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/virtqemud\.pid -- gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtnwfilterd-binding\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0) + +/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? 
gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/libvirt-sock -s gen_context(system_u:object_r:virt_var_run_t,s0) +/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0) +/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) +/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0) +/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0) +/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) +/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0) 
+/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:virtqemud_var_run_t,s0) +/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0) +/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0) +/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) +/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0) + +/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) diff --git a/src/security/selinux/virt.if b/src/security/selinux/virt.if new file mode 100644 index 0000000000..7e92675750 --- /dev/null +++ b/src/security/selinux/virt.if 
@@ -0,0 +1,1984 @@ +## <summary>Libvirt virtualization API</summary> + +######################################## +## <summary> +## virtd_lxc_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_lxc',` + gen_require(` + type virtd_lxc_t; + ') +') + +######################################## +## <summary> +## svirt_sandbox_domain attribute stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_svirt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') +') + +######################################## +## <summary> +## container_file_t stub interface. No access allowed. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stub_container_image',` + gen_require(` + type container_file_t; + ') +') + +interface(`virt_stub_svirt_sandbox_file',` + gen_require(` + type container_file_t; + type container_ro_file_t; + ') +') + +######################################## +## <summary> +## Creates types and rules for a basic +## qemu process domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_domain_template',` + gen_require(` + attribute virt_image_type, virt_domain; + attribute virt_tmpfs_type; + attribute virt_ptynode; + type qemu_exec_t; + type virtlogd_t; + ') + + type $1_t, virt_domain; + application_domain($1_t, qemu_exec_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + type $1_devpts_t, virt_ptynode; + term_pty($1_devpts_t) + + kernel_read_system_state($1_t) + + auth_read_passwd($1_t) + + logging_send_syslog_msg($1_t) + + allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; + term_create_pty($1_t, $1_devpts_t) + + # Allow domain to write to pipes connected to virtlogd + allow $1_t virtlogd_t:fd use; + allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +') + +###################################### +## <summary> +## Creates types and rules for a basic +## virt driver domain. +## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. 
+## </summary> +## </param> +# +template(`virt_driver_template',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_executable; + attribute virt_driver_var_run; + type virtd_t; + type virtqemud_t; + type virt_etc_t; + type virt_etc_rw_t; + type virt_var_run_t; + ') + + type $1_t, virt_driver_domain; + + type $1_exec_t, virt_driver_executable; + init_daemon_domain($1_t, $1_exec_t) + + type $1_var_run_t, virt_driver_var_run; + files_pid_file($1_var_run_t) + + ################################## + # + # Local policy + # + + allow $1_t self:netlink_audit_socket create; + allow $1_t self:netlink_kobject_uevent_socket create_socket_perms; + allow $1_t self:netlink_route_socket create_netlink_socket_perms; + allow $1_t self:rawip_socket create_socket_perms; + allow $1_t self:unix_dgram_socket create_socket_perms; + + allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms; + allow virt_driver_domain virtqemud_t:unix_stream_socket connectto; + + manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } ) + filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } ) + + read_files_pattern($1_t, virt_etc_t, virt_etc_t) + manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t) + filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir) + + read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t) + + kernel_dgram_send($1_t) + + auth_read_passwd($1_t) + + dbus_read_pid_files($1_t) + dbus_stream_connect_system_dbusd($1_t) + + dev_read_sysfs($1_t) + + files_read_non_security_files($1_t) + init_read_utmp($1_t) + + logging_send_syslog_msg($1_t) + + miscfiles_read_generic_certs($1_t) + + virt_manage_cache($1_t) + 
virt_manage_pid_files($1_t) + virt_stream_connect($1_t) + + optional_policy(` + dbus_system_bus_client($1_t) + ') + + optional_policy(` + dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t) + ') + + optional_policy(` + systemd_dbus_chat_logind($1_t) + systemd_machined_stream_connect($1_t) + systemd_write_inhibit_pipes($1_t) + ') +') + +######################################## +## <summary> +## Make the specified type usable as a virt image +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virtual image +## </summary> +## </param> +# +interface(`virt_image',` + gen_require(` + attribute virt_image_type; + ') + + typeattribute $1 virt_image_type; + files_type($1) + + # virt images can be assigned to blk devices + dev_node($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_getattr_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + allow $1 virtd_exec_t:file getattr; + allow $1 virt_driver_executable:file getattr; +') + +######################################## +## <summary> +## Execute a domain transition to run virt. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_domtrans',` + gen_require(` + type virtd_t, virtd_exec_t; + ') + + domtrans_pattern($1, virtd_exec_t, virtd_t) +') + +######################################## +## <summary> +## Execute virtd in the caller domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec',` + gen_require(` + attribute virt_driver_executable; + type virtd_exec_t; + ') + + can_exec($1, virtd_exec_t) + can_exec($1, virt_driver_executable) +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect',` + gen_require(` + attribute virt_driver_domain; + attribute virt_driver_var_run; + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) + stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain) +') + +######################################## +## <summary> +## Read and write to virt_domain unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_virt_domain',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:unix_stream_socket { read write }; +') + + +####################################### +## <summary> +## Connect to svirt process over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_svirt',` + gen_require(` + type svirt_t; + type svirt_image_t; + ') + + stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) +') + +######################################## +## <summary> +## Read and write to apmd unix +## stream sockets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_rw_stream_sockets_svirt',` + gen_require(` + type svirt_t; + ') + + allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; +') + +######################################## +## <summary> +## Allow domain to attach to virt TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_tun_iface',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:tun_socket relabelfrom; + allow $1 virt_driver_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Allow domain to attach to virt sandbox TUN devices +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_attach_sandbox_tun_iface',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## <summary> +## Read virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + read_files_pattern($1, virt_etc_t, virt_etc_t) + read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## manage virt config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_config',` + gen_require(` + type virt_etc_t, virt_etc_rw_t; + ') + + files_search_etc($1) + manage_files_pattern($1, virt_etc_t, virt_etc_t) + manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_content',` + gen_require(` + type virt_content_t; + ') + + virt_search_lib($1) + allow $1 virt_content_t:dir list_dir_perms; + allow $1 virt_content_t:blk_file map; + allow $1 virt_content_t:file map; + list_dirs_pattern($1, virt_content_t, virt_content_t) + read_files_pattern($1, virt_content_t, virt_content_t) + read_lnk_files_pattern($1, virt_content_t, virt_content_t) + read_blk_files_pattern($1, virt_content_t, virt_content_t) + read_chr_files_pattern($1, virt_content_t, virt_content_t) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to write virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_write_content',` + gen_require(` + type virt_content_t; + ') + + allow $1 virt_content_t:file write_file_perms; +') + +######################################## +## <summary> +## Read virt PID symlinks files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_symlinks',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Read virt PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) + read_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run) +') + +######################################## +## <summary> +## Manage virt pid directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_dirs',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) + virt_filetrans_named_content($1) +') + +######################################## +## <summary> +## Manage virt pid files. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_files',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + type virt_lxc_var_run_t; + ') + + files_search_pids($1) + manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run) + manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) +') + +######################################## +## <summary> +## Create objects in the pid directory +## with a private type with a type transition. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="file"> +## <summary> +## Type to which the created node will be transitioned. +## </summary> +## </param> +## <param name="class"> +## <summary> +## Object class(es) (single or set including {}) for which this +## the transition will occur. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`virt_pid_filetrans',` + gen_require(` + attribute virt_driver_var_run; + type virt_var_run_t; + ') + + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) + filetrans_pattern($1, virt_driver_var_run, $2, $3, $4) +') + +######################################## +## <summary> +## Search virt lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_lib',` + gen_require(` + type virt_var_lib_t; + ') + + allow $1 virt_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) + read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Dontaudit inherited read virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete +## virt lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_lib_files',` + gen_require(` + type virt_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +') + +######################################## +## <summary> +## Allow the specified domain to read virt's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_read_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow the specified domain to append +## virt log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_append_log',` + gen_require(` + type virt_log_t; + ') + + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to manage virt log files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_log',` + gen_require(` + type virt_log_t; + ') + + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) +') + +######################################## +## <summary> +## Allow domain to getattr virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:file getattr_file_perms; +') + +######################################## +## <summary> +## Allow domain to search virt image direcories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_search_images',` + gen_require(` + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; +') + +######################################## +## <summary> +## Allow domain to read virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) + read_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + read_blk_files_pattern($1, virt_image_type, virt_image_type) + read_chr_files_pattern($1, virt_image_type, virt_image_type) + + tunable_policy(`virt_use_nfs',` + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) + ') + + tunable_policy(`virt_use_samba',` + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') +') + +######################################## +## <summary> +## Allow domain to read virt blk image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_blk_images',` + gen_require(` + attribute virt_image_type; + ') + + read_blk_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Allow domain to read/write virt image chr files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_chr_files',` + gen_require(` + attribute virt_image_type; + ') + + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +######################################## +## <summary> +## Create, read, write, and delete +## svirt cache files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_manage_cache',` + gen_require(` + type virt_cache_t; + ') + + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +') + +######################################## +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_images',` + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; + ') + + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) + manage_files_pattern($1, virt_image_type, virt_image_type) + read_lnk_files_pattern($1, virt_image_type, virt_image_type) + rw_blk_files_pattern($1, virt_image_type, virt_image_type) + rw_chr_files_pattern($1, virt_image_type, virt_image_type) +') + +####################################### +## <summary> +## Allow domain to manage virt image files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_default_image_type',` + gen_require(` + type virt_var_lib_t; + type virt_image_t; + ') + + virt_search_lib($1) + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) +') + +####################################### +## <summary> +## Get virtd services status +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virtd_service_status',` + gen_require(` + type virtd_unit_file_t; + ') + + allow $1 virtd_unit_file_t:service status; +') + +######################################## +## <summary> +## Execute virt server in the virt domain. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_systemctl',` + gen_require(` + type virtd_unit_file_t; + type virtd_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 virtd_unit_file_t:file read_file_perms; + allow $1 virtd_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, virtd_t) +') + +######################################## +## <summary> +## Ptrace the svirt domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_ptrace',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process ptrace; +') + +####################################### +## <summary> +## Execute Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_exec_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + can_exec($1, svirt_file_type) +') + +######################################## +## <summary> +## Allow any svirt_file_type to be an entrypoint of this domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_sandbox_entrypoint',` + gen_require(` + attribute svirt_file_type; + ') + allow $1 svirt_file_type:file entrypoint; +') + +####################################### +## <summary> +## List Sandbox Dirs +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_list_sandbox_dirs',` + gen_require(` + type svirt_sandbox_file_t; + ') + + list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) +') + +####################################### +## <summary> +## Read Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_read_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + list_dirs_pattern($1, svirt_file_type, svirt_file_type) + read_files_pattern($1, svirt_file_type, svirt_file_type) + read_lnk_files_pattern($1, svirt_file_type, svirt_file_type) +') + +####################################### +## <summary> +## Manage Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_sandbox_files',` + gen_require(` + attribute svirt_file_type; + ') + + manage_dirs_pattern($1, svirt_file_type, svirt_file_type) + manage_files_pattern($1, svirt_file_type, svirt_file_type) + manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type) + manage_chr_files_pattern($1, svirt_file_type, svirt_file_type) + manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type) + allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Getattr Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_getattr_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem getattr; +') + +####################################### +## <summary> +## Relabel Sandbox File systems +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_relabel_sandbox_filesystem',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:filesystem { relabelfrom relabelto }; +') + +####################################### +## <summary> +## Mounton Sandbox Files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_mounton_sandbox_file',` + gen_require(` + attribute svirt_file_type; + ') + + allow $1 svirt_file_type:dir_file_class_set mounton; +') + +####################################### +## <summary> +## Connect to virt over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + attribute svirt_file_type; + ') + + files_search_pids($1) + stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain) + ps_process_pattern(svirt_sandbox_domain, $1) +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt',` + gen_require(` + attribute virt_domain; + type virt_bridgehelper_t; + type svirt_image_t; + type svirt_socket_t; + ') + + allow $1 virt_domain:process transition; + role $2 types virt_domain; + role $2 types virt_bridgehelper_t; + role $2 types svirt_socket_t; + + allow $1 virt_domain:process { sigkill signal signull sigstop }; + allow $1 svirt_image_t:file { relabelfrom relabelto }; + allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto }; + allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto }; + allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms; + + optional_policy(` + ptchown_run(virt_domain, $2) + ') +') + +######################################## +## <summary> +## Do not audit attempts to write virt daemon unnamed pipes. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. 
+## </summary> +## </param> +# +interface(`virt_dontaudit_write_pipes',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:fd use; + dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') + +######################################## +## <summary> +## Send a sigkill to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process sigkill; +') + +######################################## +## <summary> +## Send a sigkill to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_kill',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process sigkill; + allow $1 virt_driver_domain:process sigkill; +') + +######################################## +## <summary> +## Send a signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signal; + allow $1 virt_driver_domain:process signal; +') + +######################################## +## <summary> +## Send null signal to virtd daemon. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signull',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + ') + + allow $1 virtd_t:process signull; + allow $1 virt_driver_domain:process signull; +') + +######################################## +## <summary> +## Send a signal to virtual machines +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_signal_svirt',` + gen_require(` + attribute virt_domain; + ') + + allow $1 virt_domain:process signal; +') + +######################################## +## <summary> +## Send a signal to sandbox domains +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_signal_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process signal; +') + +######################################## +## <summary> +## Manage virt home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_home_files',` + gen_require(` + type virt_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, virt_home_t, virt_home_t) +') + +######################################## +## <summary> +## allow domain to read +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_read_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file read_file_perms; +') + +######################################## +## <summary> +## allow domain to manage +## virt tmpfs files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; +') + +######################################## +## <summary> +## Create .virt directory in the user home directory +## with an correct label. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + type svirt_home_t; + ') + + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + + optional_policy(` + gnome_config_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt") + gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox") + gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes") + gnome_data_filetrans($1, svirt_home_t, dir, "images") + gnome_data_filetrans($1, svirt_home_t, dir, "boot") + ') +') + +######################################## +## <summary> +## Dontaudit attempts to Read virt_image_type devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_chr_dev',` + gen_require(` + attribute virt_image_type; + ') + + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Make the specified type usable as a virt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt file type +## </summary> +## </param> +# +interface(`virt_file_types',` + gen_require(` + attribute virt_file_type; + ') + + typeattribute $1 virt_file_type; +') + +######################################## +## <summary> +## Make the specified type usable as a svirt file type +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a svirt file type +## </summary> +## </param> +# +interface(`svirt_file_types',` + gen_require(` + attribute svirt_file_type; + ') + + typeattribute $1 svirt_file_type; +') + + +######################################## +## <summary> +## Creates types and rules for a basic +## virt_lxc process domain. 
+## </summary> +## <param name="prefix"> +## <summary> +## Prefix for the domain. +## </summary> +## </param> +# +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + logging_send_syslog_msg($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + # optional_policy(` + # container_runtime_typebounds($1_t) + # ') +') + +######################################## +## <summary> +## Make the specified type usable as a lxc domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc domain +## </summary> +## </param> +# +template(`virt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + typeattribute $1 svirt_sandbox_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a lxc network domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a lxc network domain +## </summary> +## </param> +# +template(`virt_sandbox_net_domain',` + gen_require(` + attribute sandbox_net_domain; + ') + + virt_sandbox_domain($1) + typeattribute $1 sandbox_net_domain; +') + +######################################## +## <summary> +## Make the specified type usable as a virt system domain +## </summary> +## <param name="type"> +## <summary> +## Type to be used as a virt system domain +## </summary> +## </param> +# +interface(`virt_system_domain_type',` + gen_require(` + attribute virt_system_domain; + ') + + typeattribute $1 virt_system_domain; +') + +######################################## +## <summary> +## Execute a qemu_exec_t in the callers domain +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_exec_qemu',` + gen_require(` + type qemu_exec_t; + ') + + can_exec($1, qemu_exec_t) +') + +######################################## +## <summary> +## Transition to virt named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_filetrans_named_content',` + gen_require(` + type virt_lxc_var_run_t; + type virt_var_run_t; + ') + + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") +') + +######################################## +## <summary> +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the sandbox domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`virt_transition_svirt_sandbox',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + allow $1 svirt_sandbox_domain:process { signal_perms transition }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + + allow svirt_sandbox_domain $1:fd use; + + allow svirt_sandbox_domain $1:process sigchld; + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read the process state of virt sandbox containers +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_sandbox_read_state',` + gen_require(` + attribute svirt_sandbox_domain; + ') + + ps_process_pattern($1, svirt_sandbox_domain) +') + +######################################## +## <summary> +## Read and write to svirt_image devices. 
+## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:chr_file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rw_svirt_image',` + gen_require(` + type svirt_image_t; + ') + + allow $1 svirt_image_t:file rw_file_perms; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_rlimitinh',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { rlimitinh }; +') + +######################################## +## <summary> +## Read and write to svirt_image devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_noatsecure',` + gen_require(` + type virtd_t; + ') + + allow $1 virtd_t:process { noatsecure rlimitinh }; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an virt environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. 
+## </summary> +## </param> +## <rolecap/> +# +interface(`virt_admin',` + gen_require(` + attribute virt_domain; + attribute virt_system_domain; + attribute svirt_file_type; + attribute virt_file_type; + type virtd_initrc_exec_t; + type virtd_unit_file_t; + ') + + allow $1 virt_system_domain:process signal_perms; + allow $1 virt_domain:process signal_perms; + ps_process_pattern($1, virt_system_domain) + ps_process_pattern($1, virt_domain) + tunable_policy(`deny_ptrace',`',` + allow $1 virt_system_domain:process ptrace; + allow $1 virt_domain:process ptrace; + ') + + init_labeled_script_domtrans($1, virtd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 virtd_initrc_exec_t system_r; + allow $2 system_r; + + allow $1 virt_domain:process signal_perms; + + admin_pattern($1, virt_file_type) + admin_pattern($1, svirt_file_type) + + virt_systemctl($1) + allow $1 virtd_unit_file_t:service all_service_perms; + + virt_stream_connect_sandbox($1) + virt_stream_connect_svirt($1) + virt_stream_connect($1) +') + +####################################### +## <summary> +## Getattr on virt executable. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`virt_default_capabilities',` + gen_require(` + attribute sandbox_caps_domain; + ') + + typeattribute $1 sandbox_caps_domain; +') + +######################################## +## <summary> +## Send and receive messages from +## virt over dbus. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dbus_chat',` + gen_require(` + attribute virt_driver_domain; + type virtd_t; + class dbus send_msg; + ') + + allow $1 virtd_t:dbus send_msg; + allow virtd_t $1:dbus send_msg; + allow $1 virt_driver_domain:dbus send_msg; + allow virt_driver_domain $1:dbus send_msg; + ps_process_pattern(virtd_t, $1) + ps_process_pattern(virt_driver_domain, $1) +') + +######################################## +## <summary> +## Execute a file in a sandbox directory +## in the specified domain. +## </summary> +## <desc> +## <p> +## Execute a file in a sandbox directory +## in the specified domain. This allows +## the specified domain to execute any file +## on these filesystems in the specified +## domain. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="target_domain"> +## <summary> +## The type of the new process. +## </summary> +## </param> +# +interface(`virt_sandbox_domtrans',` + gen_require(` + type container_file_t; + ') + + domtrans_pattern($1,container_file_t, $2) +') + +######################################## +## <summary> +## Dontaudit read the process state (/proc/pid) of libvirt +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_dontaudit_read_state',` + gen_require(` + type virtd_t; + ') + + dontaudit $1 virtd_t:dir search_dir_perms; + dontaudit $1 virtd_t:file read_file_perms; + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; +') + +####################################### +## <summary> +## Send to libvirt with a unix dgram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`virt_dgram_send',` + gen_require(` + type virtd_t, virt_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) +') + +######################################## +## <summary> +## Manage svirt home files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_home',` + gen_require(` + type svirt_home_t; + ') + + manage_files_pattern($1, svirt_home_t, svirt_home_t) + manage_dirs_pattern($1, svirt_home_t, svirt_home_t) + manage_sock_files_pattern($1, svirt_home_t, svirt_home_t) +') + +######################################## +## <summary> +## Manage svirt tmp files,dirs and sockfiles. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_manage_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t) + manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> +## Read qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_read_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) + read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') diff --git a/src/security/selinux/virt.te b/src/security/selinux/virt.te new file mode 100644 index 0000000000..953778a6e4 --- /dev/null +++ b/src/security/selinux/virt.te 
@@ -0,0 +1,2078 @@ +policy_module(virt, 1.5.0) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow confined virtual guests to use serial/parallel communication ports +## </p> +## </desc> +gen_tunable(virt_use_comm, false) + +## <desc> +## <p> +## Allow virtual processes to run as userdomains +## </p> +## </desc> +gen_tunable(virt_transition_userdomain, false) + +## <desc> +## <p> +## Allow confined virtual guests to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virt_use_execmem, false) + +## <desc> +## <p> +## Allow virtqemu driver to use executable memory and executable stack +## </p> +## </desc> +gen_tunable(virtqemud_use_execmem, true) + +## <desc> +## <p> +## Allow confined virtual guests to read fuse files +## </p> +## </desc> +gen_tunable(virt_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to use glusterd +## </p> +## </desc> +gen_tunable(virt_use_glusterd, false) + +## <desc> +## <p> +## Allow sandbox containers to share apache content +## </p> +## </desc> +gen_tunable(virt_sandbox_share_apache_content, false) + +## <desc> +## <p> +## Allow sandbox containers manage fuse files +## </p> +## </desc> +gen_tunable(virt_sandbox_use_fusefs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage nfs files +## </p> +## </desc> +gen_tunable(virt_use_nfs, false) + +## <desc> +## <p> +## Allow confined virtual guests to manage cifs files +## </p> +## </desc> +gen_tunable(virt_use_samba, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the sanlock +## </p> +## </desc> +gen_tunable(virt_use_sanlock, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with rawip sockets +## </p> +## </desc> +gen_tunable(virt_use_rawip, false) + +## <desc> +## <p> +## Allow confined virtual guests to interact with the xserver +## </p> +## </desc> +gen_tunable(virt_use_xserver, false) + +## <desc> +## <p> +## Allow 
confined virtual guests to use usb devices +## </p> +## </desc> +gen_tunable(virt_use_usb, true) + +## <desc> +## <p> +## Allow confined virtual guests to use smartcards +## </p> +## </desc> +gen_tunable(virt_use_pcscd, false) + +## <desc> +## <p> +## Allow sandbox containers to send audit messages + +## </p> +## </desc> +gen_tunable(virt_sandbox_use_audit, true) + +## <desc> +## <p> +## Allow sandbox containers to use netlink system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_netlink, false) + +## <desc> +## <p> +## Allow sandbox containers to use sys_admin system calls, for example mount +## </p> +## </desc> +gen_tunable(virt_sandbox_use_sys_admin, false) + +## <desc> +## <p> +## Allow sandbox containers to use mknod system calls +## </p> +## </desc> +gen_tunable(virt_sandbox_use_mknod, false) + +## <desc> +## <p> +## Allow sandbox containers to use all capabilities +## </p> +## </desc> +gen_tunable(virt_sandbox_use_all_caps, true) + +## <desc> +## <p> +## Allow virtlockd read and lock block devices. 
+## </p> +## </desc> +gen_tunable(virt_lockd_blk_devs, false) + +gen_require(` + class passwd rootok; + class passwd passwd; +') + +attribute virsh_transition_domain; +attribute virt_ptynode; +attribute virt_system_domain; +attribute virt_domain; +attribute virt_driver_domain; +attribute virt_driver_executable; +attribute virt_driver_var_run; +attribute virt_image_type; +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; +attribute sandbox_net_domain; +attribute sandbox_caps_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) + +type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type; +files_tmpfs_file(svirt_tmpfs_t) + +type svirt_image_t, virt_image_type, svirt_file_type; +files_type(svirt_image_t) +dev_node(svirt_image_t) +dev_associate_sysfs(svirt_image_t) + +virt_domain_template(svirt) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; + +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; + +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; +files_type(virt_cache_t) + +type virt_etc_t, virt_file_type; +files_config_file(virt_etc_t) + +type virt_etc_rw_t, virt_file_type; +files_type(virt_etc_rw_t) + +type virt_home_t, virt_file_type; +userdom_user_home_content(virt_home_t) + +type svirt_home_t, svirt_file_type; +userdom_user_home_content(svirt_home_t) + +# virt Image files +type virt_image_t, virt_file_type; # customizable +virt_image(virt_image_t) +files_mountpoint(virt_image_t) + +# virt Image files +type virt_content_t, virt_file_type; # customizable +virt_image(virt_content_t) +userdom_user_home_content(virt_content_t) + +type virt_tmp_t, virt_file_type; +files_tmp_file(virt_tmp_t) + +type virt_log_t, virt_file_type; +logging_log_file(virt_log_t) +mls_trusted_object(virt_log_t) + +type virt_lock_t, virt_file_type; +files_lock_file(virt_lock_t) + +type virt_var_run_t, virt_file_type; +files_pid_file(virt_var_run_t) + +type virt_var_lib_t, 
virt_file_type; +files_mountpoint(virt_var_lib_t) + +type virt_var_lockd_t, virt_file_type; +files_type(virt_var_lockd_t) + +type virtd_t, virt_system_domain; +type virtd_exec_t, virt_file_type; +init_daemon_domain(virtd_t, virtd_exec_t) +domain_obj_id_change_exemption(virtd_t) +domain_subj_id_change_exemption(virtd_t) + +type virtd_unit_file_t, virt_file_type; +systemd_unit_file(virtd_unit_file_t) + +type virtd_initrc_exec_t, virt_file_type; +init_script_file(virtd_initrc_exec_t) + +type virtd_keytab_t; +files_type(virtd_keytab_t) + +type virtlogd_t, virt_system_domain; +type virtlogd_exec_t, virt_file_type; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_etc_t, virt_file_type; +files_config_file(virtlogd_etc_t) + +type virtlogd_var_run_t, virt_file_type; +files_pid_file(virtlogd_var_run_t) + +type virtlogd_unit_file_t, virt_file_type; +systemd_unit_file(virtlogd_unit_file_t) + +type virtlogd_initrc_exec_t, virt_file_type; +init_script_file(virtlogd_initrc_exec_t) + +type qemu_var_run_t, virt_file_type; +typealias qemu_var_run_t alias svirt_var_run_t; +files_pid_file(qemu_var_run_t) +mls_trusted_object(qemu_var_run_t) + +ifdef(`enable_mcs',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) +') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) +') + +# virtinterfaced +virt_driver_template(virtinterfaced) +files_type(virtinterfaced_t) + +# virtnetworkd +virt_driver_template(virtnetworkd) +files_type(virtnetworkd_t) + +# virtnodedevd +virt_driver_template(virtnodedevd) +files_type(virtnodedevd_t) + +# virtnwfilterd +virt_driver_template(virtnwfilterd) +files_type(virtnwfilterd_t) + +# virtproxyd +virt_driver_template(virtproxyd) +files_type(virtproxyd_t) + +# virtqemud +virt_driver_template(virtqemud) +files_type(virtqemud_t) 
+domain_obj_id_change_exemption(virtqemud_t) + +type virtqemud_tmp_t; +files_tmp_file(virtqemud_tmp_t) + +# virtsecretd +virt_driver_template(virtsecretd) +files_type(virtsecretd_t) + +# virtstoraged +virt_driver_template(virtstoraged) +files_type(virtstoraged_t) + +type virtstoraged_tmp_t; +files_tmp_file(virtstoraged_tmp_t) + +# virtvboxd +virt_driver_template(virtvboxd) +files_type(virtvboxd_t) + +# virtvzd +virt_driver_template(virtvzd) +files_type(virtvzd_t) + +# virtxend +virt_driver_template(virtxend) +files_type(virtxend_t) + +######################################## +# +# Declarations +# +attribute svirt_sandbox_domain; + +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + +# virt lxc container files +type container_file_t, svirt_file_type; +typealias container_file_t alias { svirt_sandbox_file_t svirt_lxc_file_t }; +files_mountpoint(container_file_t) + +type container_ro_file_t, svirt_file_type; +files_mountpoint(container_ro_file_t) + +######################################## +# +# svirt local policy +# + +allow svirt_t self:process ptrace; + +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + +read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) + +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) +corenet_udp_bind_generic_node(svirt_t) +corenet_udp_bind_all_ports(svirt_t) +corenet_tcp_bind_all_ports(svirt_t) +corenet_tcp_connect_all_ports(svirt_t) + +init_dontaudit_read_state(svirt_t) + +virt_dontaudit_read_state(svirt_t) + +storage_rw_inherited_fixed_disk_dev(svirt_t) + +userdom_read_all_users_state(svirt_t) + +####################################### +# +# svirt_prot_exec local policy +# + +allow svirt_tcg_t 
self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) +corenet_udp_bind_generic_node(svirt_tcg_t) +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) + +ps_process_pattern(svirt_tcg_t, virtd_t) + +virt_dontaudit_read_state(svirt_tcg_t) + +######################################## +# +# virtd local policy +# + +# fsetid - for chmod'ing its runtime files +allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice sys_ptrace }; +#allow virtd_t self:capability2 compromise_kernel; +allow virtd_t self:process { execmem getcap getsched setcap setexec setfscreate setsched setsockcreate sigkill signal signull }; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit virtd_t self:capability { sys_module }; +') + +allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; +allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; +allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow virtd_t self:rawip_socket create_socket_perms; +allow virtd_t self:packet_socket create_socket_perms; +allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtd_t self:netlink_route_socket create_netlink_socket_perms; +allow virtd_t self:netlink_socket create_socket_perms; +allow virtd_t self:netlink_generic_socket create_socket_perms; + +manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t) +manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t) +files_var_filetrans(virtd_t, virt_cache_t, dir) + +manage_dirs_pattern(virtd_t, virt_content_t, 
virt_content_t) +manage_files_pattern(virtd_t, virt_content_t, virt_content_t) + +allow virtd_t virtd_keytab_t:file read_file_perms; + +allow virtd_t virt_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched sigkill signal signull transition }; +allow virt_domain virtd_t:fd use; +allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write }; +allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain virtd_t:tun_socket attach_queue; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +relabelfrom_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) +stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain) +filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") + +read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) +read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) + +manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) + +relabelto_dirs_pattern(virtd_t, virt_image_type, virt_image_type) +manage_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) +allow virtd_t virt_image_type:dir { rmdir setattr }; +allow virtd_t virt_image_type:file 
relabel_file_perms; +allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; +allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto }; +allow virtd_t virt_ptynode:chr_file rw_term_perms; + +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t) +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) +can_exec(virtd_t, virt_tmp_t) + +manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file }) + +manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) +manage_files_pattern(virtd_t, virt_log_t, virt_log_t) +logging_log_filetrans(virtd_t, virt_log_t, { file dir }) + +manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) +allow virtd_t virt_var_lib_t:file { relabelfrom relabelto }; + +manage_dirs_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +manage_files_pattern(virtlogd_t, virt_var_lockd_t, virt_var_lockd_t) +filetrans_pattern(virtlogd_t, virt_var_lib_t, virt_var_lockd_t, dir, "lockd") + +manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +files_pid_filetrans(virtd_t, virt_var_run_t, { file dir sock_file }) + +manage_dirs_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) +manage_sock_files_pattern(virtd_t, virt_driver_var_run, virt_driver_var_run) + +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) 
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) + +# libvirtd is permitted to talk to virtlogd +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t) +allow virtd_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + +kernel_read_system_state(virtd_t) +kernel_read_network_state(virtd_t) +kernel_rw_net_sysctls(virtd_t) +kernel_read_kernel_sysctls(virtd_t) +kernel_request_load_module(virtd_t) +kernel_search_debugfs(virtd_t) +kernel_dontaudit_setsched(virtd_t) +kernel_write_proc_files(virtd_t) + +corecmd_exec_bin(virtd_t) +corecmd_exec_shell(virtd_t) + +corenet_all_recvfrom_netlabel(virtd_t) +corenet_tcp_sendrecv_generic_if(virtd_t) +corenet_tcp_sendrecv_generic_node(virtd_t) +corenet_tcp_sendrecv_all_ports(virtd_t) +corenet_tcp_bind_generic_node(virtd_t) +corenet_tcp_bind_virt_port(virtd_t) +corenet_tcp_bind_vnc_port(virtd_t) +corenet_tcp_connect_vnc_port(virtd_t) +corenet_tcp_connect_soundd_port(virtd_t) +corenet_rw_tun_tap_dev(virtd_t) +corenet_relabel_tun_tap_dev(virtd_t) + +dev_rw_vfio_dev(virtd_t) +dev_rw_sysfs(virtd_t) +dev_read_urand(virtd_t) +dev_read_rand(virtd_t) +dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) +dev_rw_mtrr(virtd_t) +dev_rw_vhost(virtd_t) +dev_setattr_generic_usb_dev(virtd_t) +dev_relabel_generic_usb_dev(virtd_t) + +# Init script handling +domain_use_interactive_fds(virtd_t) +domain_read_all_domains_state(virtd_t) +domain_signull_all_domains(virtd_t) + +files_list_all_mountpoints(virtd_t) +files_read_etc_runtime_files(virtd_t) +files_search_all(virtd_t) +files_read_kernel_modules(virtd_t) +files_read_usr_src_files(virtd_t) +files_relabelto_system_conf_files(virtd_t) +files_relabelfrom_system_conf_files(virtd_t) +files_relabelfrom_boot_files(virtd_t) 
+files_relabelto_boot_files(virtd_t) +files_manage_boot_files(virtd_t) + +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) + +fs_read_tmpfs_symlinks(virtd_t) +fs_list_auto_mountpoints(virtd_t) +fs_getattr_all_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) +fs_manage_cgroup_dirs(virtd_t) +fs_rw_cgroup_files(virtd_t) +fs_manage_hugetlbfs_dirs(virtd_t) +fs_rw_hugetlbfs_files(virtd_t) + +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) +mls_process_read_to_clearance(virtd_t) +mls_process_write_to_clearance(virtd_t) +mls_net_write_within_range(virtd_t) +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) +mls_file_upgrade(virtd_t) + +mcs_process_set_categories(virtd_t) + +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) +storage_raw_write_removable_device(virtd_t) +storage_raw_read_removable_device(virtd_t) + +term_getattr_pty_fs(virtd_t) +term_use_generic_ptys(virtd_t) +term_use_ptmx(virtd_t) + +auth_use_nsswitch(virtd_t) + +init_dbus_chat(virtd_t) +init_read_utmp(virtd_t) + +miscfiles_read_generic_certs(virtd_t) +miscfiles_read_hwdata(virtd_t) + +modutils_read_module_deps(virtd_t) +modutils_read_module_config(virtd_t) +modutils_manage_module_config(virtd_t) + +logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) +logging_stream_connect_syslog(virtd_t) + +selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) +seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) + +sysnet_signull_ifconfig(virtd_t) +sysnet_signal_ifconfig(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) + +systemd_dbus_chat_logind(virtd_t) +systemd_write_inhibit_pipes(virtd_t) + +userdom_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_list_user_home_content(virtd_t) +userdom_read_all_users_state(virtd_t) 
+userdom_read_user_home_content_files(virtd_t) +userdom_relabel_user_tmp_files(virtd_t) +userdom_setattr_user_tmp_files(virtd_t) +userdom_relabel_user_home_files(virtd_t) +userdom_setattr_user_home_content_files(virtd_t) +manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t) +manage_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) +virt_filetrans_home_content(virtd_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virtd_t) + fs_manage_nfs_files(virtd_t) + fs_mmap_nfs_files(virtd_t) + fs_read_nfs_symlinks(virtd_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virtd_t) + fs_manage_cifs_files(virtd_t) + fs_read_cifs_symlinks(virtd_t) +') + +optional_policy(` + brctl_domtrans(virtd_t) +') + +optional_policy(` + consoletype_exec(virtd_t) +') + +optional_policy(` + dbus_system_bus_client(virtd_t) + + optional_policy(` + avahi_dbus_chat(virtd_t) + ') + + optional_policy(` + consolekit_dbus_chat(virtd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) + ') +') + +optional_policy(` + dmidecode_domtrans(virtd_t) +') + +optional_policy(` + dnsmasq_domtrans(virtd_t) + dnsmasq_signal(virtd_t) + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t) + dnsmasq_manage_pid_files(virtd_t) +') + +optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall + iptables_manage_config(virtd_t) +') + +optional_policy(` + kerberos_read_keytab(virtd_t) + kerberos_use(virtd_t) +') + +optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + + xen_exec(virtd_t) + 
xen_stream_connect(virtd_t) + xen_stream_connect_xenstore(virtd_t) + xen_read_image_files(virtd_t) +') + +optional_policy(` + lvm_domtrans(virtd_t) +') + +optional_policy(` + # Run mount in the mount_t domain. + mount_domtrans(virtd_t) + mount_signal(virtd_t) +') + +optional_policy(` + numad_domtrans(virtd_t) + numad_dbus_chat(virtd_t) +') + +optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') + +optional_policy(` + qemu_exec(virtd_t) +') + +optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` + sasl_connect(virtd_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` + udev_domtrans(virtd_t) + udev_read_db(virtd_t) + udev_read_pid_files(virtd_t) +') + +optional_policy(` + unconfined_domain(virtd_t) +') + +######################################## +# +# virtlogd local policy +# + +# virtlogd is allowed to manage files it creates in /var/run/libvirt +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) + +# virtlogd needs to read /etc/libvirt/virtlogd.conf only +allow virtlogd_t virtlogd_etc_t:file read_file_perms; +files_search_etc(virtlogd_t) +allow virtlogd_t virt_etc_t:file read_file_perms; +allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock }; +allow virtlogd_t virt_etc_t:dir search; + +manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +manage_lnk_files_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t) +filetrans_pattern(virtlogd_t, virt_etc_t, virt_etc_rw_t, dir) + +# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated +# context from other stuff in /var/run/libvirt +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file }) +# This lets systemd create the socket itself too + +# virtlogd creates a /var/run/virtlogd.pid file +allow virtlogd_t 
virtlogd_var_run_t:file manage_file_perms; +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t) +files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file) + +manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file }) + +manage_dirs_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) +manage_files_pattern(virtlogd_t, virt_tmp_t, virt_tmp_t) + +can_exec(virtlogd_t, virtlogd_exec_t) + +kernel_read_network_state(virtlogd_t) + +allow virtlogd_t self:unix_stream_socket create_stream_socket_perms; + +# Allow virtlogd_t to execute itself. +allow virtlogd_t virtlogd_exec_t:file execute_no_trans; + +dev_read_sysfs(virtlogd_t) + +logging_send_syslog_msg(virtlogd_t) + +auth_use_nsswitch(virtlogd_t) + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + +manage_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t) + +virt_manage_lib_files(virtlogd_t) + +tunable_policy(`virt_lockd_blk_devs',` + dev_lock_all_blk_files(virtlogd_t) +') + +tunable_policy(`virt_use_nfs',` + fs_append_nfs_files(virtlogd_t) +') + +optional_policy(` + dbus_system_bus_client(virtlogd_t) +') + +optional_policy(` + systemd_write_inhibit_pipes(virtlogd_t) + systemd_dbus_chat_logind(virtlogd_t) +') + +######################################## +# +# virtual domains common policy +# +#allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { getsched setrlimit setsched signal_perms }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm 
create_shm_perms; +allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; +allow virt_domain self:icmp_socket create_socket_perms; +allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; + +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) +kernel_ib_access_unlabeled_pkeys(virt_domain) + +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) +append_files_pattern(virt_domain, virt_home_t, virt_home_t) +manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) + +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) + +read_files_pattern(virt_domain, virt_image_t, virt_image_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +read_lnk_files_pattern(virt_domain, svirt_image_t, 
svirt_image_t) +rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t) +fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) +allow svirt_t svirt_image_t:file map; +allow svirt_t svirt_image_t:blk_file map; + +manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +manage_sock_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) +files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file sock_file}) +userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t) +fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file }) +allow virt_domain svirt_tmpfs_t:file map; + +manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t) +files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file }) +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { noatsecure rlimitinh siginh}; + +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) +corenet_tcp_bind_generic_node(virt_domain) +corenet_tcp_bind_vnc_port(virt_domain) 
+corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) + +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) +dev_read_generic_symlinks(virt_domain) +dev_read_rand(virt_domain) +dev_read_sound(virt_domain) +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) +dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_sev(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) +dev_rw_dri(virt_domain) +dev_rw_tpm(virt_domain) +dev_rw_xserver_misc(virt_domain) + +domain_use_interactive_fds(virt_domain) + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) + +fs_rw_cephfs_files(virt_domain) +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) +fs_rw_inherited_tmpfs_files(virt_domain) +fs_getattr_hugetlbfs(virt_domain) +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) + +# I think we need these for now. 
+miscfiles_read_public_files(virt_domain) +miscfiles_read_generic_certs(virt_domain) + +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) + +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) + +tunable_policy(`use_ecryptfs_home_dirs',` + fs_manage_ecryptfs_files(virt_domain) +') + +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) +') + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') + +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) + fs_mmap_nfs_files(virt_domain) +') + +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) + fs_manage_cifs_named_sockets(virt_domain) + fs_read_cifs_symlinks(virt_domain) + fs_getattr_cifs(virt_domain) +') + +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) + udev_read_db(virt_domain) +') + +optional_policy(` + tunable_policy(`virt_use_glusterd',` + glusterd_manage_pid(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_pcscd',` + pcscd_stream_connect(virt_domain) + ') +') + +optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + sanlock_read_state(virt_domain) + ') +') + +optional_policy(` + 
tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') +') + +optional_policy(` + alsa_read_rw_config(virt_domain) +') + +optional_policy(` + gnome_dontaudit_manage_cache_home_dir(virt_domain) +') + +optional_policy(` + nscd_dontaudit_read_pid(virt_domain) +') + +optional_policy(` + nscd_dontaudit_write_sock_file(virt_domain) +') + +optional_policy(` + openvswitch_stream_connect(svirt_t) +') + +optional_policy(` + ptchown_domtrans(virt_domain) +') + +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') + +optional_policy(` + sssd_dontaudit_stream_connect(virt_domain) + sssd_dontaudit_read_lib(virt_domain) +') + +optional_policy(` + sssd_read_public_files(virt_domain) +') + +optional_policy(` + unconfined_dontaudit_read_state(virt_domain) +') + +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) +') + +optional_policy(` + xserver_rw_shm(virt_domain) +') + +######################################## +# +# xm local policy +# +type virsh_t, virt_system_domain; +type virsh_exec_t, virt_file_type; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; + +allow virsh_t self:capability { dac_read_search ipc_lock setpcap sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setcap setexec setsched signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) +virt_domtrans(virsh_t) +virt_manage_images(virsh_t) +virt_manage_config(virsh_t) +virt_stream_connect(virsh_t) + +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) 
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) + +manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) + +manage_dirs_pattern(virsh_t, container_file_t, container_file_t) +manage_files_pattern(virsh_t, container_file_t, container_file_t) +manage_chr_files_pattern(virsh_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virsh_t, container_file_t, container_file_t) +manage_sock_files_pattern(virsh_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virsh_t, container_file_t, container_file_t) +virt_transition_svirt_sandbox(virsh_t, system_r) + +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; + +kernel_write_proc_files(virsh_t) +kernel_read_system_state(virsh_t) +kernel_read_network_state(virsh_t) +kernel_read_kernel_sysctls(virsh_t) +kernel_read_sysctl(virsh_t) +kernel_read_xen_state(virsh_t) +kernel_write_xen_state(virsh_t) + +corecmd_exec_bin(virsh_t) +corecmd_exec_shell(virsh_t) + +corenet_tcp_sendrecv_generic_if(virsh_t) +corenet_tcp_sendrecv_generic_node(virsh_t) +corenet_tcp_connect_soundd_port(virsh_t) + +dev_read_rand(virsh_t) +dev_read_urand(virsh_t) +dev_read_sysfs(virsh_t) + +files_read_etc_runtime_files(virsh_t) +files_list_mnt(virsh_t) +files_list_tmp(virsh_t) +# Some common macros (you might be able to remove some) + +fs_getattr_all_fs(virsh_t) +fs_manage_xenfs_dirs(virsh_t) +fs_manage_xenfs_files(virsh_t) +fs_search_auto_mountpoints(virsh_t) + 
+storage_raw_read_fixed_disk(virsh_t) + +term_use_all_inherited_terms(virsh_t) +term_dontaudit_use_generic_ptys(virsh_t) + +userdom_search_admin_dir(virsh_t) +userdom_read_home_certs(virsh_t) + +init_stream_connect_script(virsh_t) +init_rw_script_stream_sockets(virsh_t) +init_use_fds(virsh_t) + +systemd_exec_systemctl(virsh_t) + +auth_read_passwd(virsh_t) + +logging_send_syslog_msg(virsh_t) + +sysnet_dns_name_resolve(virsh_t) + +userdom_stream_connect(virsh_t) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virsh_t) + fs_manage_nfs_files(virsh_t) + fs_read_nfs_symlinks(virsh_t) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(virsh_t) + fs_manage_cifs_files(virsh_t) + fs_read_cifs_symlinks(virsh_t) +') + +optional_policy(` + cron_system_entry(virsh_t, virsh_exec_t) +') + +optional_policy(` + dbus_system_bus_client(virsh_t) +') + +optional_policy(` + rhcs_domtrans_fenced(virsh_t) +') + +optional_policy(` + rpm_exec(virsh_t) +') + +optional_policy(` + vhostmd_rw_tmpfs_files(virsh_t) + vhostmd_stream_connect(virsh_t) + vhostmd_dontaudit_rw_stream_connect(virsh_t) +') + +optional_policy(` + ssh_basic_client_template(virsh, virsh_t, system_r) + + kernel_read_xen_state(virsh_ssh_t) + kernel_write_xen_state(virsh_ssh_t) + + dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp(virsh_ssh_t) + + fs_manage_xenfs_dirs(virsh_ssh_t) + fs_manage_xenfs_files(virsh_ssh_t) + + userdom_search_admin_dir(virsh_ssh_t) +') + +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) + xen_read_lib_files(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) + xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') + +######################################## +# +# virt_lxc local policy +# +allow virtd_lxc_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtd_lxc_t self:capability { chown dac_read_search 
net_admin net_raw setgid setpcap setuid sys_admin sys_boot sys_nice sys_resource }; +allow virtd_lxc_t self:process { setpgid setsockcreate signal_perms transition }; +#allow virtd_lxc_t self:capability2 compromise_kernel; + +allow virtd_lxc_t self:process { getcap setcap setexec setrlimit setsched signal_perms }; +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_lxc_t self:packet_socket create_socket_perms; +ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +corecmd_entrypoint_all_executables(virtd_lxc_t) +files_entrypoint_all_mountpoint(virtd_lxc_t) + +allow virtd_lxc_t virt_image_type:dir mounton; +manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) + +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) +allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + +allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") + +manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_chr_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_lnk_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_sock_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +manage_fifo_files_pattern(virtd_lxc_t, container_file_t, container_file_t) +allow virtd_lxc_t container_file_t:dir_file_class_set { 
relabelfrom relabelto }; +allow virtd_lxc_t container_file_t:filesystem { relabelfrom relabelto }; +files_associate_rootfs(container_file_t) + +seutil_read_file_contexts(virtd_lxc_t) + +storage_manage_fixed_disk(virtd_lxc_t) +storage_rw_fuse(virtd_lxc_t) + +kernel_read_all_sysctls(virtd_lxc_t) +kernel_read_network_state(virtd_lxc_t) +kernel_read_system_state(virtd_lxc_t) +kernel_request_load_module(virtd_lxc_t) + +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) + +dev_relabel_all_dev_nodes(virtd_lxc_t) +dev_rw_sysfs(virtd_lxc_t) +dev_read_sysfs(virtd_lxc_t) +dev_read_urand(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + +files_search_all(virtd_lxc_t) +files_getattr_all_files(virtd_lxc_t) +files_relabel_rootfs(virtd_lxc_t) +files_mounton_non_security(virtd_lxc_t) +files_mount_all_file_type_fs(virtd_lxc_t) +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) +files_root_filetrans(virtd_lxc_t, container_file_t, dir_file_class_set) + +fs_read_fusefs_files(virtd_lxc_t) +fs_getattr_all_fs(virtd_lxc_t) +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) +fs_manage_tmpfs_symlinks(virtd_lxc_t) +fs_manage_cgroup_dirs(virtd_lxc_t) +fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) +fs_rw_cgroup_files(virtd_lxc_t) +fs_unmount_all_fs(virtd_lxc_t) +fs_relabelfrom_tmpfs(virtd_lxc_t) + +logging_send_audit_msgs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) +selinux_unmount_fs(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) + +term_use_generic_ptys(virtd_lxc_t) +term_use_ptmx(virtd_lxc_t) +term_relabel_pty_fs(virtd_lxc_t) + +auth_use_nsswitch(virtd_lxc_t) + +logging_send_syslog_msg(virtd_lxc_t) + +seutil_domtrans_setfiles(virtd_lxc_t) +seutil_read_default_contexts(virtd_lxc_t) + +selinux_get_enforce_mode(virtd_lxc_t) +selinux_get_fs_mount(virtd_lxc_t) +selinux_validate_context(virtd_lxc_t) +selinux_compute_access_vector(virtd_lxc_t) +selinux_compute_create_context(virtd_lxc_t) 
+selinux_compute_relabel_context(virtd_lxc_t) +selinux_compute_user_contexts(virtd_lxc_t) + +sysnet_exec_ifconfig(virtd_lxc_t) + +systemd_dbus_chat_machined(virtd_lxc_t) + +userdom_read_admin_home_files(virtd_lxc_t) + +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) +') + +optional_policy(` + container_exec_lib(virtd_lxc_t) +') + +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') + +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') + +optional_policy(` + unconfined_domain(virtd_lxc_t) +') + +######################################## +# +# svirt_sandbox_domain local policy +# +allow svirt_sandbox_domain self:key manage_key_perms; +dontaudit svirt_sandbox_domain svirt_sandbox_domain:key search; + +allow svirt_sandbox_domain self:process { getattr getcap getpgid getsched setcap setpgid setrlimit setsched signal_perms }; +allow svirt_sandbox_domain self:fifo_file manage_fifo_file_perms; +allow svirt_sandbox_domain self:msg all_msg_perms; +allow svirt_sandbox_domain self:sem create_sem_perms; +allow svirt_sandbox_domain self:shm create_shm_perms; +allow svirt_sandbox_domain self:msgq create_msgq_perms; +allow svirt_sandbox_domain self:unix_stream_socket { connectto create_stream_socket_perms }; +allow svirt_sandbox_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow svirt_sandbox_domain self:passwd rootok; +allow svirt_sandbox_domain self:filesystem associate; +allow svirt_sandbox_domain self:netlink_kobject_uevent_socket create_socket_perms; + +dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) + +fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) +fs_rw_onload_sockets(svirt_sandbox_domain) + +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') + +allow virtd_t svirt_sandbox_domain:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtd_t svirt_sandbox_domain:process { getattr signal_perms }; +allow virtd_lxc_t 
svirt_sandbox_domain:process { getattr getsched setrlimit setsched signal_perms transition }; + +allow svirt_sandbox_domain virtd_lxc_t:process sigchld; +allow svirt_sandbox_domain virtd_lxc_t:fd use; +allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; + +manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +manage_fifo_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain container_file_t:dir { execmod relabelfrom relabelto }; +allow svirt_sandbox_domain svirt_file_type:dir_file_class_set mounton; + +list_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +allow svirt_sandbox_domain container_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_file_t) + +allow svirt_sandbox_domain container_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +can_exec(svirt_sandbox_domain, container_file_t) +allow svirt_sandbox_domain container_file_t:dir mounton; +allow svirt_sandbox_domain container_file_t:filesystem { getattr remount }; + +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) +kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_rw_unix_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) +kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) 
+kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) +kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + +domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain) +domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain) + +files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) +files_dontaudit_getattr_all_files(svirt_sandbox_domain) +files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) +files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) +files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) +files_search_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) +files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) + +files_entrypoint_all_mountpoint(svirt_sandbox_domain) +corecmd_entrypoint_all_executables(svirt_sandbox_domain) + +files_search_all(svirt_sandbox_domain) +files_read_usr_symlinks(svirt_sandbox_domain) +files_search_locks(svirt_sandbox_domain) +files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) +fs_rw_cephfs_files(svirt_sandbox_domain) + +fs_getattr_all_fs(svirt_sandbox_domain) +fs_list_inotifyfs(svirt_sandbox_domain) +fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) +fs_read_hugetlbfs_files(svirt_sandbox_domain) +fs_read_tmpfs_symlinks(svirt_sandbox_domain) +fs_search_tmpfs(svirt_sandbox_domain) +fs_rw_hugetlbfs_files(svirt_sandbox_domain) + +auth_dontaudit_read_passwd(svirt_sandbox_domain) +auth_dontaudit_read_login_records(svirt_sandbox_domain) +auth_dontaudit_write_login_records(svirt_sandbox_domain) +auth_search_pam_console_data(svirt_sandbox_domain) + +init_dontaudit_read_utmp(svirt_sandbox_domain) +init_dontaudit_write_utmp(svirt_sandbox_domain) + +libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) + +miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) +miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) +miscfiles_read_fonts(svirt_sandbox_domain) 
+miscfiles_read_hwdata(svirt_sandbox_domain) + +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(svirt_sandbox_domain) + fs_manage_nfs_files(svirt_sandbox_domain) + fs_manage_nfs_named_sockets(svirt_sandbox_domain) + fs_manage_nfs_symlinks(svirt_sandbox_domain) + fs_mount_nfs(svirt_sandbox_domain) + fs_unmount_nfs(svirt_sandbox_domain) + fs_exec_nfs_files(svirt_sandbox_domain) + kernel_rw_fs_sysctls(svirt_sandbox_domain) +') + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_files(svirt_sandbox_domain) + fs_manage_cifs_dirs(svirt_sandbox_domain) + fs_manage_cifs_named_sockets(svirt_sandbox_domain) + fs_manage_cifs_symlinks(svirt_sandbox_domain) + fs_exec_cifs_files(svirt_sandbox_domain) +') + +tunable_policy(`virt_sandbox_use_fusefs',` + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) + fs_mount_fusefs(svirt_sandbox_domain) + fs_unmount_fusefs(svirt_sandbox_domain) + fs_exec_fusefs_files(svirt_sandbox_domain) +') + +optional_policy(` +tunable_policy(`virt_sandbox_share_apache_content',` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) + ') +') + +optional_policy(` + container_read_share_files(svirt_sandbox_domain) + container_exec_share_files(svirt_sandbox_domain) + container_lib_filetrans(svirt_sandbox_domain,container_file_t, sock_file) + container_use_ptys(svirt_sandbox_domain) + container_spc_stream_connect(svirt_sandbox_domain) + fs_dontaudit_remount_tmpfs(svirt_sandbox_domain) + dev_dontaudit_mounton_sysfs(svirt_sandbox_domain) +') + +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + 
udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(container) +typealias container_t alias svirt_lxc_net_t; +# Policy moved to container-selinux policy package + +######################################## +# +# container_t local policy +# +virt_sandbox_domain_template(svirt_qemu_net) +typeattribute svirt_qemu_net_t sandbox_net_domain; + +allow svirt_qemu_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execmem execstack }; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_qemu_net_t self:netlink_socket create_socket_perms; + allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_fifo_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_lnk_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_sock_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(sandbox_net_domain, virt_home_t, svirt_home_t, { dir sock_file file }) + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) + +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) + 
+dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + +logging_send_syslog_msg(svirt_qemu_net_t) + +userdom_use_user_ptys(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_qemu_net_t) +') + +####################################### +# +# virtinterfaced local policy +# +allow virtinterfaced_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +manage_sock_files_pattern(virtinterfaced_t, virt_var_lib_t, virt_var_lib_t) +files_var_lib_filetrans(virtinterfaced_t, virt_var_lib_t, { dir file }) + +kernel_read_network_state(virtinterfaced_t) + +corecmd_exec_bin(virtinterfaced_t) + +fs_getattr_all_fs(virtinterfaced_t) + +modutils_read_module_config(virtinterfaced_t) + +sysnet_manage_config(virtinterfaced_t) + +userdom_read_all_users_state(virtinterfaced_t) + +####################################### +# +# virtnetworkd local policy +# +allow virtnetworkd_t self:capability { kill sys_ptrace }; +allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnetworkd_t self:process setcap; +allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto }; + +manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t) + +kernel_read_network_state(virtnetworkd_t) +kernel_request_load_module(virtnetworkd_t) 
+kernel_rw_net_sysctls(virtnetworkd_t) + +corenet_rw_tun_tap_dev(virtnetworkd_t) + +dev_rw_sysfs(virtnetworkd_t) + +sysnet_read_config(virtnetworkd_t) + +optional_policy(` + dnsmasq_domtrans(virtnetworkd_t) + dnsmasq_manage_pid_files(virtnetworkd_t) + dnsmasq_read_state(virtnetworkd_t) + dnsmasq_signal(virtnetworkd_t) + dnsmasq_signull(virtnetworkd_t) +') + +optional_policy(` + iptables_domtrans(virtnetworkd_t) + iptables_read_var_run(virtnetworkd_t) +') + +####################################### +# +# virtnodedevd local policy +# +allow virtnodedevd_t self:capability sys_admin; +allow virtnodedevd_t self:netlink_generic_socket create_socket_perms; + +kernel_request_load_module(virtnodedevd_t) + +dev_rw_mtrr(virtnodedevd_t) + +miscfiles_read_hwdata(virtnodedevd_t) + +optional_policy(` + udev_read_pid_files(virtnodedevd_t) +') + +####################################### +# +# virtnwfilterd local policy +# +allow virtnwfilterd_t self:capability net_raw; +allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms; +allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms; +allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt }; +allow virtnwfilterd_t self:rawip_socket create_socket_perms; + +manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) +manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t) + +manage_files_pattern(virtnwfilterd_t, virt_var_run_t, virtlogd_var_run_t) + +kernel_read_all_proc(virtnwfilterd_t) +kernel_read_net_sysctls(virtnwfilterd_t) +kernel_request_load_module(virtnwfilterd_t) + +corecmd_exec_bin(virtnwfilterd_t) + +optional_policy(` + dnsmasq_domtrans(virtnwfilterd_t) + dnsmasq_manage_pid_files(virtnwfilterd_t) +') + +optional_policy(` + iptables_domtrans(virtnwfilterd_t) + iptables_filetrans_named_content(virtnwfilterd_t) + iptables_read_var_run(virtnwfilterd_t) +') + +####################################### +# +# virtproxyd local 
policy +# +allow virtproxyd_t self:tcp_socket create_stream_socket_perms; +allow virtproxyd_t self:udp_socket create_socket_perms; + +corenet_tcp_bind_generic_node(virtproxyd_t) +corenet_tcp_bind_virt_port(virtproxyd_t) + +userdom_read_all_users_state(virtproxyd_t) + +####################################### +# +# virtqemud local policy +# +allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:netlink_audit_socket nlmsg_relay; +allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate }; +allow virtqemud_t self:tcp_socket create_socket_perms; +allow virtqemud_t self:tun_socket create; +allow virtqemud_t self:udp_socket { create getattr }; + +allow virtqemud_t svirt_t:process { setsched signal signull transition }; +allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; + +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + +allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; + +allow virtqemud_t virt_driver_domain:unix_stream_socket connectto; + +allow virtqemud_t virt_var_run_t:file map; + +allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; +allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +manage_dirs_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +manage_sock_files_pattern(virtqemud_t, virtqemud_tmp_t, virtqemud_tmp_t) +files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file}) + +manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) +manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) + +manage_dirs_pattern(virtqemud_t, 
svirt_image_t, svirt_image_t) +manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +read_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) + +manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) + +manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t) + +manage_dirs_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtqemud_t, virt_var_lib_t, virt_var_lib_t) + +manage_sock_files_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t) + +manage_sock_files_pattern(virtqemud_t, virtlogd_var_run_t, virtlogd_var_run_t) + +read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) + +kernel_read_all_proc(virtqemud_t) +kernel_request_load_module(virtqemud_t) + +corecmd_exec_bin(virtqemud_t) +corecmd_exec_shell(virtqemud_t) + +corenet_rw_tun_tap_dev(virtqemud_t) +corenet_tcp_bind_generic_node(virtqemud_t) +corenet_tcp_bind_vnc_port(virtqemud_t) + +dev_read_cpuid(virtqemud_t) +dev_read_sysfs(virtqemud_t) +dev_read_urand(virtqemud_t) +dev_relabel_all_dev_nodes(virtqemud_t) +dev_rw_kvm(virtqemud_t) +dev_rw_vhost(virtqemud_t) + +files_mounton_non_security(virtqemud_t) +files_read_all_symlinks(virtqemud_t) + +fs_getattr_hugetlbfs(virtqemud_t) +fs_manage_hugetlbfs_dirs(virtqemud_t) +fs_manage_cgroup_dirs(virtqemud_t) +fs_manage_cgroup_files(virtqemud_t) +fs_manage_tmpfs_chr_files(virtqemud_t) +fs_manage_tmpfs_dirs(virtqemud_t) +fs_manage_tmpfs_symlinks(virtqemud_t) +fs_mount_tmpfs(virtqemud_t) +fs_read_nsfs_files(virtqemud_t) +fs_relabel_tmpfs_chr_file(virtqemud_t) + +seutil_read_default_contexts(virtqemud_t) +seutil_read_file_contexts(virtqemud_t) + +init_stream_connect(virtqemud_t) +init_stream_connect_script(virtqemud_t) + +sysnet_exec_ifconfig(virtqemud_t) +sysnet_manage_config(virtqemud_t) + +userdom_read_all_users_state(virtqemud_t) +userdom_read_user_home_content_files(virtqemud_t) 
+userdom_relabel_user_home_files(virtqemud_t) + +tunable_policy(`virtqemud_use_execmem',` + allow virtqemud_t self:process { execmem execstack }; +') + +optional_policy(` + dmidecode_domtrans(virtqemud_t) +') + +optional_policy(` + qemu_exec(virtqemud_t) +') + +optional_policy(` + systemd_userdbd_stream_connect(virtqemud_t) +') + +####################################### +# +# virtstoraged local policy +# +allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock }; + +files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir }) + +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t) + +manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t) + +manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t) + +manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) +manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virtstoraged_t) + +fs_getattr_all_fs(virtstoraged_t) + +userdom_read_user_home_content_files(virtstoraged_t) + +####################################### +# +# virtvboxd local policy +# +allow virtvboxd_t self:netlink_audit_socket create; +allow virtvboxd_t self:netlink_kobject_uevent_socket create_socket_perms; +allow virtvboxd_t self:netlink_route_socket create_socket_perms; +allow virtvboxd_t self:unix_dgram_socket create; +allow virtvboxd_t virt_etc_t:dir search; + +####################################### +# +# virtvzd local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. +optional_policy(` + unconfined_domain(virtvzd_t) +') + +####################################### +# +# virtxend local policy +# +# Use unconfined_domain macro until the policy for this driver is made, +# to avoid lots of SELinux policy denials and confused users. 
+optional_policy(` + unconfined_domain(virtxend_t) +') + +####################################### +# +# tye for svirt sockets +# + +type svirt_socket_t; +domain_type(svirt_socket_t) +role system_r types svirt_socket_t; +allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; + +tunable_policy(`virt_transition_userdomain',` + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') + +######################################## +# +# svirt_kvm_net_t local policy +# +virt_sandbox_domain_template(svirt_kvm_net) +typeattribute svirt_kvm_net_t sandbox_net_domain; + +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; + +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_kvm_net_t self:netlink_socket create_socket_perms; + allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; + allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; +') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) + +dev_rw_kvm(svirt_kvm_net_t) + +manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) + +list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) + +append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) + +kernel_read_network_state(svirt_kvm_net_t) +kernel_read_irq_sysctls(svirt_kvm_net_t) + +dev_read_sysfs(svirt_kvm_net_t) +dev_getattr_mtrr_dev(svirt_kvm_net_t) +dev_read_rand(svirt_kvm_net_t) +dev_read_urand(svirt_kvm_net_t) + +files_read_kernel_modules(svirt_kvm_net_t) + +fs_noxattr_type(container_file_t) +fs_mount_cgroup(svirt_kvm_net_t) +fs_manage_cgroup_dirs(svirt_kvm_net_t) 
+fs_manage_cgroup_files(svirt_kvm_net_t) + +term_pty(container_file_t) + +auth_use_nsswitch(svirt_kvm_net_t) + +rpm_read_db(svirt_kvm_net_t) + +logging_send_syslog_msg(svirt_kvm_net_t) + +tunable_policy(`virt_sandbox_use_audit',` + logging_send_audit_msgs(svirt_kvm_net_t) +') + +userdom_use_user_ptys(svirt_kvm_net_t) + +kernel_read_network_state(sandbox_net_domain) + +allow sandbox_net_domain self:capability { net_admin net_bind_service net_raw }; +allow sandbox_net_domain self:cap_userns { net_admin net_bind_service net_raw }; + +allow sandbox_net_domain self:udp_socket create_socket_perms; +allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms; +allow sandbox_net_domain self:packet_socket create_socket_perms; +allow sandbox_net_domain self:socket create_socket_perms; +allow sandbox_net_domain self:rawip_socket create_stream_socket_perms; +allow sandbox_net_domain self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(sandbox_net_domain) +corenet_udp_bind_generic_node(sandbox_net_domain) +corenet_raw_bind_generic_node(sandbox_net_domain) +corenet_tcp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_sendrecv_all_ports(sandbox_net_domain) +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) + +optional_policy(` + sssd_stream_connect(sandbox_net_domain) +') + +optional_policy(` + systemd_dbus_chat_logind(sandbox_net_domain) +') + +allow sandbox_caps_domain self:capability { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; +allow sandbox_caps_domain self:cap_userns { audit_write chown dac_read_search fowner kill mknod net_bind_service net_raw setfcap setgid setpcap setuid sys_chroot }; + +list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) 
+read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +read_lnk_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t) +allow svirt_sandbox_domain container_ro_file_t:file execmod; +can_exec(svirt_sandbox_domain, container_ro_file_t) -- 2.30.2
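Review bot: In the svirt_kvm_net_t section, `fs_noxattr_type(container_file_t)` and `term_pty(container_file_t)`, and the `svirt_sandbox_domain` rules on `container_ro_file_t` at the end of the hunk, use types owned by the container module; if they are not declared with gen_require earlier in virt.te (the declarations are outside this excerpt), the module will fail to link on a host without that module, so those rules should sit inside an optional_policy block. The virtqemud_t capability set (`dac_override`, `sys_admin`, `sys_ptrace`, `sys_rawio`) together with `dev_relabel_all_dev_nodes`, `files_mounton_non_security` and `corecmd_exec_shell` is broad enough that each grant deserves a one-line comment naming the code path or AVC that needs it, otherwise nobody can tighten it later. The virtvzd_t/virtxend_t `unconfined_domain` fallbacks are effectively an opt-out from the policy and should carry a tracking reference (bug id or TODO) in the comment so they are not left behind. Minor: the section comment "tye for svirt sockets" should read "type", and `{ file dir sock_file}` is missing a space before the closing brace.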

Compile the policy using a script executed by meson. Generate 2 versions of the binary policy to allow installation to systems with any selinux type (targeted, mls and minimum). Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- libvirt.spec.in | 92 ++++++++++++++++ src/security/meson.build | 13 +++ src/security/selinux/compile_policy.py | 144 +++++++++++++++++++++++++ src/security/selinux/mcs/meson.build | 20 ++++ src/security/selinux/meson.build | 7 ++ src/security/selinux/mls/meson.build | 20 ++++ 6 files changed, 296 insertions(+) create mode 100755 src/security/selinux/compile_policy.py create mode 100644 src/security/selinux/mcs/meson.build create mode 100644 src/security/selinux/meson.build create mode 100644 src/security/selinux/mls/meson.build diff --git a/libvirt.spec.in b/libvirt.spec.in index cb48dd0be0..ea7b3d9c7e 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -3,6 +3,12 @@ # This spec file assumes you are building on a Fedora or RHEL version # that's still supported by the vendor. It may work on other distros # or versions, but no effort will be made to ensure that going forward. + +%if 0%{?fedora} > 33 || 0%{?rhel} > 8 + %global with_selinux 1 + %global modulename virt +%endif + %define min_rhel 8 %define min_fedora 33 @@ -422,6 +428,12 @@ Requires(pre): shadow-utils # Needed by /usr/libexec/libvirt-guests.sh script. Requires: gettext +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not pulled +# into containers and other systems that do not use SELinux +Requires: (%{name}-daemon-selinux if selinux-policy-base) +%endif + # Ensure smooth upgrades Obsoletes: libvirt-admin < 7.3.0 Provides: libvirt-admin = %{version}-%{release} 
@@ -925,6 +937,19 @@ Requires: libvirt-daemon-driver-network = %{version}-%{release} %description nss Libvirt plugin for NSS for translating domain names into IP addresses. +%if 0%{?with_selinux} +# SELinux subpackage +%package daemon-selinux +Summary: Libvirt daemon SELinux policy +Requires: selinux-policy-base +Requires(post): selinux-policy-base +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description daemon-selinux +SELinux policy module for libvirt daemons. +%endif %prep 
@@ -1440,6 +1465,63 @@ getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 %endif +%if 0%{?with_selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_pre -s ${SELINUXTYPE} +fi + +%post daemon-selinux +# only policy reload is needed - module installation is managed by triggers +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || : + +%postun daemon-selinux +if [ $1 -eq 0 ]; then + /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : +fi + +%posttrans daemon-selinux +if [ -e /etc/selinux/config ]; then + . /etc/selinux/config + %selinux_relabel_post -s ${SELINUXTYPE} +fi + +# install the policy module to corresponding policy store if +# selinux-policy-{targeted|mls|minimum} package is installed on the system +%triggerin -n %{name}-daemon-selinux -- selinux-policy-targeted +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-minimum +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || : +# libvirt module is installed by default, but disabled -- enable it +/usr/sbin/semodule -n -s minimum -e %{modulename} || : + +%triggerin -n %{name}-daemon-selinux -- selinux-policy-mls +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || : + +# remove the policy module from corresponding module store if +# libvirt-selinux or selinux-policy-* was removed from the system, +# but not when either package gets updated +%triggerun -n %{name}-daemon-selinux -- selinux-policy-targeted +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- 
selinux-policy-minimum +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || : + /usr/sbin/semodule -n -d %{modulename} || : +fi + +%triggerun -n %{name}-daemon-selinux -- selinux-policy-mls +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then + /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || : +fi +%endif + %files %files docs @@ -1900,5 +1982,15 @@ exit 0 %{_datadir}/libvirt/api/libvirt-qemu-api.xml %{_datadir}/libvirt/api/libvirt-lxc-api.xml +%if 0%{?with_selinux} +%files daemon-selinux +%{_datadir}/selinux/packages/%{modulename}.pp.* +%{_datadir}/selinux/packages/mls/%{modulename}.pp.* +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} +%{_datadir}/selinux/devel/include/distributed/%{modulename}.if +%endif + %changelog diff --git a/src/security/meson.build b/src/security/meson.build index 6f5e1dec1d..ac360fa37a 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -55,3 +55,16 @@ endif if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif + +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout() +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=') +if (os_version.length() == 2) + os_version = os_version[1] +else + os_version = 0 +endif + +if ((os_release.contains('fedora') and os_version.version_compare('>33')) or + (os_release.contains('rhel') and os_version.version_compare('>8'))) + subdir('selinux') +endif 
diff --git a/src/security/selinux/compile_policy.py b/src/security/selinux/compile_policy.py new file mode 100755 index 0000000000..95f0741d1a --- /dev/null +++ b/src/security/selinux/compile_policy.py 
@@ -0,0 +1,144 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2021 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# <http://www.gnu.org/licenses/>. + +# This script is based on selinux-policy Makefile +# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Makefi... + +import subprocess +import sys +import os +import glob + +if len(sys.argv) != 7: + print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>" + " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr) + exit(os.EX_USAGE) + +module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0] + +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms", + "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024", + "-D", "mcs_num_cats=1024"] + +if sys.argv[6] == "mls": + m4param = ["-D", "enable_mls"] + m4param +else: + m4param = ["-D", "enable_mcs"] + m4param + +SHAREDIR = "/usr/share/selinux" +HEADERDIR = os.path.join(SHAREDIR, "devel/include") + +m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR))) +header_layers = glob.glob("{}/*/".format(HEADERDIR)) +header_layers = sorted([x for x in header_layers + if os.path.join(HEADERDIR, "support") not in x]) + +header_interfaces = [] +for layer in header_layers: + header_interfaces.extend(glob.glob("{}/*.if".format(layer))) +header_interfaces.sort() + +# prepare temp folder +try: + os.makedirs(sys.argv[5]) +except 
Exception: + pass + +# remove old trash from the temp folder +tmpfiles = ["{}.{}".format(module_name, ext) + for ext in ["mod", "mod.fc", "tmp"]] +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles: + try: + os.remove(os.path.join(sys.argv[5], name)) + except Exception: + pass + +# tmp/all_interfaces.conf +# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4 +with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file: + file.write("ifdef(`__if_error',`m4exit(1)')\n") + +# echo "divert(-1)" > $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file: + int_file.write("divert(-1)\n") + +# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 +# | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf +m4_run = subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format( + " ".join([*m4support, *header_interfaces, sys.argv[2], + os.path.join(sys.argv[5], "iferror.m4")]), + os.path.join(sys.argv[5], "all_interfaces.conf")), + shell=True, check=True, stderr=subprocess.PIPE, + universal_newlines=True) + +# Filter out messages about duplicate definition of interfaces. e.g. +# virt.if:13: Error: duplicate definition of virt_stub_lxc(). Original +# definition on 13. +# They are expected and can be safely ignored. 
+for line in m4_run.stderr.split('\n'): + if line and "Error: duplicate definition of" not in line: + print(line, file=sys.stderr) + +# doesn't work properly without "shell=True" +# m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2], +# os.path.join(sys.argv[5], "iferror.m4")], +# stdout=PIPE, stderr=PIPE) +# sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"], +# stdin=m4_process.stdout, stdout=int_file) +# outs, errs = m4_process.communicate() + +# echo "divert" >> $5/all_interfaces.conf +with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file: + file.write("divert\n") + +# tmp/%.mod +# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp +with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "w") as tmp_file: + subprocess.run(["m4", *m4param, "-s", *m4support, + os.path.join(sys.argv[5], "all_interfaces.conf"), + sys.argv[1]], stdout=tmp_file, check=True) + +# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod +subprocess.run(["/usr/bin/checkmodule", + "-M", + "-m", + os.path.join(sys.argv[5], "{}.tmp".format(module_name)), + "-o", + os.path.join(sys.argv[5], "{}.mod".format(module_name))], + check=True) + + +# tmp/%.mod.fc +# m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc +with open(os.path.join(sys.argv[5], + "{}.mod.fc".format(module_name)), "w") as mod_fc_file: + subprocess.run(["m4", *m4param, *m4support, sys.argv[3]], + stdout=mod_fc_file, check=True) + +# %.pp +# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod +# -f $5/$MODULE_NAME.mod.fc +subprocess.run(["/usr/bin/semodule_package", + "-o", + sys.argv[4], + "-m", + os.path.join(sys.argv[5], "{}.mod".format(module_name)), + "-f", + os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))], + check=True) diff --git a/src/security/selinux/mcs/meson.build b/src/security/selinux/mcs/meson.build new file mode 100644 index 0000000000..419253f151 --- /dev/null +++ b/src/security/selinux/mcs/meson.build 
@@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# targeted/minimum policy module +virt_pp = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mcs/tmp', 'mcs'], + install : false) + +bzip = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages') diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build new file mode 100644 index 0000000000..f9dde73e62 --- /dev/null +++ b/src/security/selinux/meson.build @@ -0,0 +1,7 @@ +set_variable('compile_policy_prog', find_program('compile_policy.py')) +set_variable('bzip2_prog', find_program('bzip2')) + +install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed') + +subdir('mcs') +subdir('mls') diff --git a/src/security/selinux/mls/meson.build b/src/security/selinux/mls/meson.build new file mode 100644 index 0000000000..20bab41fea --- /dev/null +++ b/src/security/selinux/mls/meson.build @@ -0,0 +1,20 @@ +selinux_sources = [ + '../virt.te', + '../virt.if', + '../virt.fc', +] + +# MLS policy module +virt_pp_mls = custom_target('virt.pp', + output : 'virt.pp', + input : selinux_sources, + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'], + install : false) + +bzip_mls = custom_target('virt.pp.bz2', + output : 'virt.pp.bz2', + input : virt_pp_mls, + command : [bzip2_prog, '-c', '-9', '@INPUT@'], + capture : true, + install : true, + install_dir : 'share/selinux/packages/mls') -- 2.30.2
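Review bot: The comment in the new `Requires: (%{name}-daemon-selinux if selinux-policy-base)` block (spec hunk at -422) reads "all it’s dependencies"; it should be "its", and the curly apostrophe puts a non-ASCII character into the spec file.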
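Review bot: In the `%triggerun -n %{name}-daemon-selinux -- selinux-policy-minimum` section (spec hunk at -1440), `/usr/sbin/semodule -n -d %{modulename} || :` is missing `-s minimum`, so it disables the module in whatever store /etc/selinux/config selects rather than in the minimum store the trigger is handling; the matching `%triggerin` correctly uses `-s minimum -e`. The `%pre` and `%posttrans` scriptlets source /etc/selinux/config and pass `${SELINUXTYPE}` unguarded, so a config without that key yields an empty `-s` argument to the relabel macros; a `${SELINUXTYPE:-targeted}` default or a test before the macro call would be safer. The comment "libvirt module is installed by default, but disabled" would be clearer if it said which package ships that default copy and why the 200-priority module is installed on top of it, since that is what justifies the remove-then-disable sequence in the minimum triggerun.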
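Review bot: The new block in src/security/meson.build gates the policy build by grepping /etc/os-release on the build host, and the hunk as written has several failure modes: `VERSION_ID` is quoted on RHEL/CentOS (`VERSION_ID="8.3"`) and the grep output keeps its trailing newline, so `version_compare()` is applied to a string like `"8.3"\n`; the fallback `os_version = 0` is an integer, which has no `version_compare()` method, so a missing VERSION_ID aborts configure instead of skipping the policy; `os_release.contains('rhel')` does not match `ID="centos"`, so the CentOS containers that gain selinux-policy-devel in the follow-up patch never exercise this code; and the same check fires for the mingw cross builds. A meson option (for example `selinux_policy` with enabled/disabled/auto values, auto probing for the selinux-policy-devel headers) would match how the surrounding code is gated with `conf.has(...)` and would let the spec drive it explicitly next to `with_selinux`.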
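Review bot: In compile_policy.py the interface-expansion step runs `m4 ... | sed ... >> all_interfaces.conf` through `shell=True` with `check=True`, but a shell pipeline's exit status is that of its last command, so an `m4exit(1)` triggered by iferror.m4 (the whole point of that file) is masked by sed's success and the build continues with a broken all_interfaces.conf; with /bin/sh there is no `pipefail` to rely on either. The same call joins the interface paths and the output path with spaces, so a build directory containing whitespace or shell metacharacters breaks the command. Both problems go away by running m4 without a shell, capturing stdout (`subprocess.run([...], stdout=subprocess.PIPE, check=True)`) and writing `result.stdout.replace("dollarsstar", "$$*")` to the file in Python, which also makes the commented-out Popen pipeline unnecessary. Smaller points: `exit(os.EX_USAGE)` should be `sys.exit(os.EX_USAGE)` (the bare `exit` is injected by the site module and is absent under `python3 -S`); `os.makedirs(sys.argv[5], exist_ok=True)` replaces the bare `except Exception: pass`; and `SHAREDIR = "/usr/share/selinux"` is hard-coded while the spec installs the .if under `%{_datadir}/selinux`, so the directory should come from an argument or meson's datadir.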
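Review bot: In mcs/meson.build (and the mirrored mls/meson.build) the scratch directory handed to compile_policy.py is the relative path `'selinux/mcs/tmp'`; custom_target commands run with the build root as working directory, so the temp files land at `<builddir>/selinux/mcs/tmp` rather than beside the target's output under src/security/selinux/mcs, and nothing cleans them up. Passing `@PRIVATE_DIR@` (or `@OUTDIR@`) instead keeps the intermediate .tmp/.mod/.mod.fc files with the target and lets ninja manage them. It would also help to state in a comment that `@INPUT@` expands to the three sources in the order the script expects (te, if, fc), since the script indexes argv positionally.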

Temporary commit for testing purposes. The change needs to be done in https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/a... Signed-off-by: Vit Mojzis <vmojzis@redhat.com> --- ci/containers/centos-8.Dockerfile | 1 + ci/containers/centos-stream-8.Dockerfile | 1 + ci/containers/fedora-33.Dockerfile | 1 + ci/containers/fedora-34.Dockerfile | 1 + ci/containers/fedora-rawhide-cross-mingw32.Dockerfile | 1 + ci/containers/fedora-rawhide-cross-mingw64.Dockerfile | 1 + ci/containers/fedora-rawhide.Dockerfile | 1 + 7 files changed, 7 insertions(+) diff --git a/ci/containers/centos-8.Dockerfile b/ci/containers/centos-8.Dockerfile index 9358e69b0c..3ffe81b518 100644 --- a/ci/containers/centos-8.Dockerfile +++ b/ci/containers/centos-8.Dockerfile @@ -88,6 +88,7 @@ RUN dnf update -y && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/centos-stream-8.Dockerfile b/ci/containers/centos-stream-8.Dockerfile index 3355374e67..0eb7f6e165 100644 --- a/ci/containers/centos-stream-8.Dockerfile +++ b/ci/containers/centos-stream-8.Dockerfile @@ -88,6 +88,7 @@ RUN dnf update -y && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ systemtap-sdt-devel \ wireshark-devel \ xfsprogs-devel \ diff --git a/ci/containers/fedora-33.Dockerfile b/ci/containers/fedora-33.Dockerfile index aed94d1256..71b2d87a88 100644 --- a/ci/containers/fedora-33.Dockerfile +++ b/ci/containers/fedora-33.Dockerfile @@ -93,6 +93,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/fedora-34.Dockerfile b/ci/containers/fedora-34.Dockerfile index 53a5d67b3f..a948c6560d 100644 --- a/ci/containers/fedora-34.Dockerfile +++ b/ci/containers/fedora-34.Dockerfile 
@@ -93,6 +93,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ diff --git a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile index 93a57b3277..450f2de011 100644 --- a/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile +++ b/ci/containers/fedora-rawhide-cross-mingw32.Dockerfile @@ -58,6 +58,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile index ed16d75479..17bf0a6a12 100644 --- a/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile +++ b/ci/containers/fedora-rawhide-cross-mingw64.Dockerfile @@ -58,6 +58,7 @@ exec "$@"' > /usr/bin/nosync && \ rpm-build \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ zfs-fuse && \ nosync dnf autoremove -y && \ diff --git a/ci/containers/fedora-rawhide.Dockerfile b/ci/containers/fedora-rawhide.Dockerfile index 79bacbcc95..36759c777e 100644 --- a/ci/containers/fedora-rawhide.Dockerfile +++ b/ci/containers/fedora-rawhide.Dockerfile @@ -94,6 +94,7 @@ exec "$@"' > /usr/bin/nosync && \ sanlock-devel \ scrub \ sed \ + selinux-policy-devel \ sheepdog \ systemtap-sdt-devel \ wireshark-devel \ -- 2.30.2
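Review bot: The commit message says these Dockerfiles are generated by lcitool, so the hand-edits in every hunk here will be lost on the next regeneration; the package belongs in the lcitool mappings file referenced in the message, with the Dockerfiles regenerated from there. Beyond that, the fedora-rawhide-cross-mingw32 and fedora-rawhide-cross-mingw64 hunks add `selinux-policy-devel` to cross-compilation containers that have no use for an SELinux policy module; either the meson gating should skip cross builds or those two hunks should be dropped.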

On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.

Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.

Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.

User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.

Container based deployment of libvirt is important for both OpenStack and KubeVirt.

Regards,
Daniel

--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available

The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.
Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.
Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.
User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.
Container based deployment of libvirt is important for both OpenStack and KubeVirt.
Honestly, I don't know how this is handled in OpenStack or KubeVirt.

Normally the whole container (any processes inside) runs under container_t or spc_t and you can't interact with selinux from inside the container (all selinux tools would act as if selinux was disabled). It is possible to bindmount /sys/fs/selinux of the host system into the container. Then you can interact with system policy of the host system from the container (even load policy modules).

I assumed that anything container-related would be handled by the container policy module (there is even a special domain for kata containers).

I'll try and get more information about this (Dan Walsh would probably be the right person to if you wanted to investigate on your own).
Regards, Daniel

On 4/30/21 10:28 PM, Vit Mojzis wrote:
On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available

The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.
Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.
Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.
User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.
Container based deployment of libvirt is important for both OpenStack and KubeVirt.
So from discussions with respective developers I got the following:

KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac..., that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only installed inside the container and there is no bind mount of /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the host.

OpenStack is currently also installing libvirt and QEMU packages only in "nova_libvirt" container (however there is some talk of decontainising libvirt in osp 17). Libvirt policy from the host system is propagated into the container and used to run the QEMU process as svirt_t (http://file.emea.redhat.com/~kchamart/SELinux_libvirt_and_QEMU_in_a_containe...). /sys/fs/selinux is bindmounted in this case (so it would be possible to install Libvirt policy module to the host machine from the container), but it would be better to install libvirt-daemon-selinux only on the host.

We'll need to work with both groups to make sure that their use case works properly with the new policy supporting split-daemon configuration, and that they install libvirt-daemon-selinux on the host machine.
Honestly, I don't know how this is handled in OpenStack or KubeVirt.
Normally the whole container (any processes inside) runs under container_t or spc_t and you can't interact with selinux from inside the container (all selinux tools would act as if selinux was disabled). It is possible to bindmount /sys/fs/selinux of the host system into the container. Then you can interact with system policy of the host system from the container (even load policy modules).
I assumed that anything container-related would be handled by the container policy module (there is even a special domain for kata containers).
I'll try and get more information about this (Dan Walsh would probably be the right person to if you wanted to investigate on your own).
Regards, Daniel

On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
On 4/30/21 10:28 PM, Vit Mojzis wrote:
On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes:
* Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base
* Add Ghost files representing installed policy modules in all policy stores
* Rewrite policy compilation script in python
* Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls)
* Manage policy (un)installation using triggers based on which policy type is available

The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.

I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.
Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.
Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.
User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.
Container based deployment of libvirt is important for both OpenStack and KubeVirt.
So from discussions with respective developers I got the following:
KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac..., that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only installed inside the container and there is no bind mount of /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the host.
With OpenStack I believe their deployment tool manages the config of the entire host, so installing the libvirt-daemon-selinux package ought to be reasonably straightforward for them.
I worry about KubeVirt though. IIUC in their deployment, the hosts in use are all provisioned by OpenShift upfront & when KubeVirt is deployed, the only pieces they're deploying live inside the host.
IOW, it seems like libvirt-daemon-selinux would have to be provided ahead of time by OpenShift if it is to be used, and I'm not sure if that's a practical requirement.
I think we need to get explicit confirmation from KubeVirt that a requirement to installing RPMs directly on the host is going to be acceptable.
Regards, Daniel
-- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
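The packaging scheme Vit describes in the quoted change list (one module compiled twice, enable_mcs for targeted/minimum and enable_mls for mls, ghost files for the installed module in each store, and install/uninstall driven by whichever policy type is present) boils down to a small amount of selection logic. The script below is an added illustration of that logic, not libvirt's spec file: it reads the active policy type the way the triggers would have to decide, maps it to the module build that store needs, and composes the semodule call. The module name "virt", the "<module>-<variant>.pp.bz2" file naming under /usr/share/selinux/packages and priority 200 are assumptions taken from the Fedora independent-policy conventions, not from the patch.

```shell
#!/bin/sh
# Added example: choose the right build of a dual-compiled SELinux module for
# the policy type active on a host. Not libvirt's own spec logic; the module
# name, the file naming and priority 200 are assumptions (Fedora DSP defaults).

set -eu

MODULE=virt
PRIORITY=200                      # priority used for packaged modules
PKGDIR=/usr/share/selinux/packages

# Print the SELINUXTYPE= value from an /etc/selinux/config-style file,
# defaulting to "targeted" when the key is absent (the distro default).
selinux_type_from_config() {
    cfg=$1
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n1)
    printf '%s\n' "${t:-targeted}"
}

# Map a policy type to the module variant it needs: the mls store loads the
# build made with enable_mls, targeted and minimum load the enable_mcs build.
module_variant_for_type() {
    case $1 in
        mls)              echo mls ;;
        targeted|minimum) echo mcs ;;
        *) echo "unsupported policy type: $1" >&2; return 1 ;;
    esac
}

# Where semodule records a module installed at $PRIORITY into store $1; this
# is the path a spec file ghosts so rpm knows about the installed module.
installed_module_path() {
    printf '/var/lib/selinux/%s/active/modules/%d/%s\n' "$1" "$PRIORITY" "$MODULE"
}

# Compose the semodule command the install trigger for store $1 would run.
# Only prints it; main runs it when DO_INSTALL=1 is set on a real host.
install_command() {
    type=$1
    variant=$(module_variant_for_type "$type") || return 1
    printf 'semodule -s %s -X %d -i %s/%s/%s-%s.pp.bz2\n' \
        "$type" "$PRIORITY" "$PKGDIR" "$type" "$MODULE" "$variant"
}

main() {
    type=$(selinux_type_from_config "${1:-/etc/selinux/config}")
    if [ -e "$(installed_module_path "$type")" ]; then
        echo "$MODULE is already installed in store $type at priority $PRIORITY"
    fi
    cmd=$(install_command "$type")
    echo "$cmd"
    if [ "${DO_INSTALL:-0}" = 1 ]; then $cmd; fi
}

# Usage: sh selinux-store-select.sh [/path/to/selinux/config]
if [ $# -gt 0 ]; then main "$@"; fi
```

The point of doing the selection at install time rather than at build time is exactly the one the change list makes: the package cannot know which store the host runs, so it has to carry both builds and let the trigger for the present selinux-policy-<type> package pick one. The uninstall side is the mirror image (semodule -s <type> -X 200 -r virt) and is left out here.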

On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
On 4/30/21 10:28 PM, Vit Mojzis wrote:
On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes: * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base * Add Ghost files representing installed policy modules in all policy stores * Rewrite policy compilation script in python * Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls) * Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.
Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.
Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.
User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.
Container based deployment of libvirt is important for both OpenStack and KubeVirt.
So from discussions with respective developers I got the following:
KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac..., that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only installed inside the container and there is no bind mount of /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the host.
With OpenStack I believe their deployment tool manages the config of the entire host, so installing the libvirt-daemon-selinux package ought to be reasonably straightforward for them.
I worry about KubeVirt though. IIUC in their deployment, the hosts in use are all provisioned by OpenShift upfront & when KubeVirt is deployed, the only pieces they're deploying live inside the host.
IOW, it seems like libvirt-daemon-selinux would have to be provided ahead of time by OpenShift if it is to be used, and I'm not sure if that's a practical requirement.
I think we need to get explicit confirmation from KubeVirt that a requirement to installing RPMs directly on the host is going to be acceptable.
I'm afraid that's not going to fly for KubeVirt.
Adding Roman and Vladik so they can provide more information.
For context, the discussion is about shipping the SELinux policy for libvirt as part of a sub-package of libvirt instead of the main selinux-policy package.
-- Andrea Bolognani / Red Hat / Virtualization

On Mon, May 24, 2021 at 05:25:19AM -0700, Andrea Bolognani wrote:
On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
On 4/30/21 10:28 PM, Vit Mojzis wrote:
On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes: * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base * Add Ghost files representing installed policy modules in all policy stores * Rewrite policy compilation script in python * Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls) * Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.
Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.
Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.
User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.
Container based deployment of libvirt is important for both OpenStack and KubeVirt.
So from discussions with respective developers I got the following:
KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac..., that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only installed inside the container and there is no bind mount of /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the host.
With OpenStack I believe their deployment tool manages the config of the entire host, so installing the libvirt-daemon-selinux package ought to be reasonably straightforward for them.
I worry about KubeVirt though. IIUC in their deployment, the hosts in use are all provisioned by OpenShift upfront & when KubeVirt is deployed, the only pieces they're deploying live inside the host.
IOW, it seems like libvirt-daemon-selinux would have to be provided ahead of time by OpenShift if it is to be used, and I'm not sure if that's a practical requirement.
I think we need to get explicit confirmation from KubeVirt that a requirement to installing RPMs directly on the host is going to be acceptable.
I'm afraid that's not going to fly for KubeVirt.
Adding Roman and Vladik so they can provide more information.
For context, the discussion is about shipping the SELinux policy for libvirt as part of a sub-package of libvirt instead of the main selinux-policy package.
Reading again, I realize Vit links to a URL above that shows virt-handler includes a custom selinux policy.
How does that get deployed, and can the libvirt-daemon-selinux stuff be deployed in the same way ?
Regards, Daniel
-- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 24. 05. 21 14:36, Daniel P. Berrangé wrote:
On Mon, May 24, 2021 at 05:25:19AM -0700, Andrea Bolognani wrote:
On Fri, May 21, 2021 at 03:37:00PM +0100, Daniel P. Berrangé wrote:
On Fri, May 21, 2021 at 04:22:59PM +0200, Vit Mojzis wrote:
On 4/30/21 10:28 PM, Vit Mojzis wrote:
On 4/26/21 7:31 PM, Daniel P. Berrangé wrote:
On Wed, Apr 07, 2021 at 06:14:58AM -0700, Vit Mojzis wrote:
Sorry for the long delay. This is our first request to ship a policy for multiple selinux stores (targeted, mls and minimum).
Changes: * Replace all selinux-policy-%{policytype} dependencies with selinux-policy-base * Add Ghost files representing installed policy modules in all policy stores * Rewrite policy compilation script in python * Compile the policy module twice (1 version for targeted/minimum - with enable_mcs, and 1 for mls - with enable_mls) * Manage policy (un)installation using triggers based on which policy type is available
The new policy was only tested in "targeted" mode so far and we'll need to make sure it works properly in "mls". As for "minimum", we know it will not work properly (as is the case of the current policy) by default (some other "contrib" policy modules need to be enabled). I'd argue there is no point trying to get it to work in "minimum", mostly because it (minimum) will be retired soon.
I'm wondering how SELinux is supposed to integrate with containers when using a modular policy.
Right now you can install RPMs in a container, and use selinux enforcement on that container because the host OS policy provides all the rules in the monolithic blob. If we take this policy into libvirt, then when you install libvirt in a container, there will be no selinux policy available.
Users can't install libvirt-selinux inside the container, as it needs to be built against the main policy in the host.
User likely won't install libvirt-selinux outside the container as that defeats the purpose of using containers for their deployment mechanism.
Container based deployment of libvirt is important for both OpenStack and KubeVirt.
So from discussions with respective developers I got the following:
KubeVirt runs the libvirt containers with a custom policy https://github.com/kubevirt/kubevirt/blob/81cb9f79e0144af0e6e43c439eab7f8dac..., that depends on libvirt module (uses svirt_sandbox_domain). Libvirt is only installed inside the container and there is no bind mount of /sys/fs/selinux. So they will need to install libvirt-daemon-selinux on the host.
With OpenStack I believe their deployment tool manages the config of the entire host, so installing the libvirt-daemon-selinux package ought to be reasonably straightforward for them.
I worry about KubeVirt though. IIUC in their deployment, the hosts in use are all provisioned by OpenShift upfront & when KubeVirt is deployed, the only pieces they're deploying live inside the host.
IOW, it seems like libvirt-daemon-selinux would have to be provided ahead of time by OpenShift if it is to be used, and I'm not sure if that's a practical requirement.
I think we need to get explicit confirmation from KubeVirt that a requirement to installing RPMs directly on the host is going to be acceptable.
I'm afraid that's not going to fly for KubeVirt.
Adding Roman and Vladik so they can provide more information.
For context, the discussion is about shipping the SELinux policy for libvirt as part of a sub-package of libvirt instead of the main selinux-policy package.
Reading again, I realize Vit links to a URL above that shows virt-handler includes a custom selinux policy.
How does that get deployed, and can the libvirt-daemon-selinux stuff be deployed in the same way ?
Based on a quick look at virt-handler it seems like the policy is installed by installPolicy in cmd/virt-handler/virt-handler.go, which just calls "semodule -i". Shipping the policy is much more straightforward in this case, since it's in "cil" format, which means it does not need to be compiled before installation. I expect that it would be easier to include virt-daemon-selinux as a dependency, instead of managing the virt policy.
Vit
Regards, Daniel
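Two practical points come out of this exchange: Vit's earlier note that SELinux tools inside a container act as if SELinux were disabled unless the host's /sys/fs/selinux is bind-mounted in, and the observation above that a CIL module can be handed straight to "semodule -i" whereas reference-policy source has to be compiled first. The script below is an added example covering both, and is not KubeVirt's installPolicy or anything from libvirt. It checks whether selinuxfs is visible, reports the caller's domain, classifies a policy file by content rather than by file name, and only then composes the semodule call. The kernel paths default to the real ones but every function takes an override so the checks can be exercised on constructed inputs; the sample contexts and file headers mentioned in the comments are constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not KubeVirt's or libvirt's code): preflight for loading an
# SELinux policy module from inside a container. Paths default to the real
# kernel interfaces; arguments override them so the logic runs on test files.

set -eu

# SELinux userspace decides "enabled" by finding a mounted selinuxfs. In a
# container without the host bind mount this directory is empty or absent,
# so semodule/getenforce behave as if SELinux were disabled.
selinuxfs_mounted() {
    dir=${1:-/sys/fs/selinux}
    [ -e "$dir/enforce" ]
}

# Type field of the calling process's context, e.g. container_t from a
# constructed label like "system_u:system_r:container_t:s0:c1,c2".
current_domain_type() {
    attr=${1:-/proc/self/attr/current}
    if [ ! -r "$attr" ]; then echo unknown; return; fi
    tr -d '\000\n' < "$attr" | cut -d: -f3
}

# What the domain implies: container_t is the ordinary confined container
# domain, spc_t the privileged (unconfined) one from container-selinux.
describe_domain() {
    case $1 in
        container_t)  echo "confined container domain" ;;
        spc_t)        echo "privileged (unconfined) container domain" ;;
        unconfined_t) echo "unconfined host domain" ;;
        *)            echo "other domain: $1" ;;
    esac
}

# Classify a policy file by content:
#   pp     - compiled module (libsepol module magic 0xf97cff8f, little-endian)
#   pp.bz2 - bzip2-compressed compiled module, also accepted by semodule
#   cil    - CIL text, loadable as-is (first token is "(" or a ";" comment)
#   te     - reference-policy source, must be compiled before installation
policy_file_format() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        8fff7cf9) echo pp; return ;;
        425a68*)  echo pp.bz2; return ;;
    esac
    first=$(head -c 512 "$f" | tr -d '[:space:]' | cut -c1)
    case $first in
        '('|';') echo cil ;;
        *)
            if head -c 512 "$f" | grep -Eq '^[[:space:]]*(policy_module|module)[[:space:](]'; then
                echo te
            else
                echo unknown
            fi ;;
    esac
}

# Print the semodule call for a module file and return 0 only when that call
# is the right next step. Runs it only when DO_INSTALL=1 is set on a real host.
# Exit codes: 2 selinuxfs not visible, 3 needs compiling, 4 unrecognised file.
load_policy_module() {
    f=$1
    if ! selinuxfs_mounted "${SELINUXFS:-/sys/fs/selinux}"; then
        echo "selinuxfs not visible: semodule would act as if SELinux were disabled" >&2
        return 2
    fi
    fmt=$(policy_file_format "$f")
    case $fmt in
        pp|pp.bz2|cil)
            echo "semodule -i $f"
            if [ "${DO_INSTALL:-0}" = 1 ]; then semodule -i "$f"; fi
            return 0 ;;
        te)
            echo "$f is .te source: build it with 'make -f /usr/share/selinux/devel/Makefile' first" >&2
            return 3 ;;
        *)
            echo "$f: unrecognised policy file" >&2
            return 4 ;;
    esac
}

main() {
    echo "running as: $(describe_domain "$(current_domain_type)")"
    status=0
    for f in "$@"; do load_policy_module "$f" || status=1; done
    return $status
}

# Usage: sh selinux-preflight.sh module.cil [module.pp ...]
if [ $# -gt 0 ]; then main "$@"; fi
```

Note that a visible selinuxfs is necessary but not sufficient: semodule also needs the host's module store under /var/lib/selinux and a domain allowed to load policy, which is why the thread keeps coming back to installing the policy package on the host rather than from inside the container.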
participants (5): Andrea Bolognani, Daniel P. Berrangé, Neal Gompa, Nikola Knazekova, Vit Mojzis