- Fixes for svirt

2009-03-27 00:01:52 +00:00 · 2009-03-27 00:01:52 +00:00 · 6130d52b7c
parent 9ca87fc9d8
commit 6130d52b7c
2 changed files with 52 additions and 52 deletions
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -4524,8 +4524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-03-05 14:09:51.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc	2009-03-24 15:09:41.000000000 -0400
-@@ -91,6 +91,7 @@
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc	2009-03-25 08:24:42.000000000 -0400
+@@ -91,6 +90,7 @@
 /dev/sndstat		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
@ -12127,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/hal.te	2009-03-24 10:36:54.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/hal.te	2009-03-26 08:23:58.000000000 -0400
@@ -49,6 +49,15 @@
 type hald_var_lib_t;
 files_type(hald_var_lib_t)
@ -12251,7 +12251,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(hald_mac_t)
 
 ########################################
-@@ -418,3 +459,49 @@
+@@ -415,6 +456,53 @@
+ 
+ dev_rw_input_dev(hald_keymap_t)
+ 
+files_read_etc_files(hald_keymap_t)
 files_read_usr_files(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
@ -21299,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/services/virt.te	2009-03-24 15:41:15.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/virt.te	2009-03-26 14:25:09.000000000 -0400
@@ -8,20 +8,18 @@
 
 ## <desc>
@ -21338,7 +21342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 type virt_log_t;
 logging_log_file(virt_log_t)
-@@ -48,17 +50,40 @@
+@@ -48,17 +50,39 @@
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
 
@ -21351,7 +21355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +virt_domain_template(svirt)
-+virtual_separated_domain(svirt_t)
 +role system_r types svirt_t;
 +
 +type svirt_cache_t;
@ -21381,7 +21384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 
-@@ -67,7 +92,11 @@
+@@ -67,7 +91,11 @@
 manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
@ -21394,7 +21397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +115,7 @@
+@@ -86,6 +114,7 @@
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
 kernel_load_module(virtd_t)
@ -21402,7 +21405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -96,7 +126,7 @@
+@@ -96,7 +125,7 @@
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
@ -21411,11 +21414,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
-@@ -104,21 +134,38 @@
+@@ -104,21 +133,39 @@
 
 dev_read_sysfs(virtd_t)
 dev_read_rand(virtd_t)
-+dev_read_kvm(virtd_t)
+dev_rw_kvm(virtd_t)
 +dev_getattr_all_chr_files(virtd_t)
 
 # Init script handling
@ -21440,6 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 fs_list_auto_mountpoints(virtd_t)
 +fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
 
 +storage_manage_fixed_disk(virtd_t)
 +storage_relabel_fixed_disk(virtd_t)
@ -21451,19 +21455,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_getattr_pty_fs(virtd_t)
 term_use_ptmx(virtd_t)
 
-@@ -129,6 +176,11 @@
+@@ -129,6 +176,13 @@
 
 logging_send_syslog_msg(virtd_t)
 
 +sysnet_domtrans_ifconfig(virtd_t)
 +
+virtual_transition(virtd_t)
+
 +userdom_dontaudit_list_admin_dir(virtd_t)
 +userdom_getattr_all_users(virtd_t)
 +userdom_search_user_home_content(virtd_t)
 userdom_read_all_users_state(virtd_t)
 
 tunable_policy(`virt_use_nfs',`
-@@ -167,22 +219,34 @@
+@@ -167,22 +221,34 @@
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
@ -21481,14 +21487,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#')
 +optional_policy(`
 +	kerberos_keytab_template(virtd, virtd_t)
+')
+
+optional_policy(`
+	lvm_domtrans(virtd_t)
 +')
 
 optional_policy(`
 -	qemu_domtrans(virtd_t)
-+	lvm_domtrans(virtd_t)
-+')
-+
-+optional_policy(`
 +	polkit_domtrans_auth(virtd_t)
 +	polkit_domtrans_resolve(virtd_t)
 +	polkit_read_lib(virtd_t)
@ -21503,7 +21509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -198,5 +262,76 @@
+@@ -198,5 +264,74 @@
 ')
 
 optional_policy(`
@ -21524,8 +21530,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +# svirt local policy
 +#
-+domain_user_exemption_target(svirt_t)
-+allow virtd_t svirt_t:process { setsched transition signal signull sigkill };
 +
 +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
 +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
@ -29350,8 +29354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# No application file contexts.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
 --- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-24 09:03:48.000000000 -0400
-@@ -0,0 +1,118 @@
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if	2009-03-26 14:24:01.000000000 -0400
+@@ -0,0 +1,110 @@
 +## <summary>Virtual machine emulator and virtualizer</summary>
 +
 +########################################
@ -29385,32 +29389,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	Make the specified type a virtual domain
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Make the specified type a virtual domain
-+##	</p>
-+##	<p>
-+##	Gives the basic access required for a virtual operatins system
-+##	</p>
-+## </desc>
-+## <param name="type">
-+##	<summary>
-+##	Type granted access
-+##	</summary>
-+## </param>
-+#
-+interface(`virtual_separated_domain',`
-+	gen_require(`
-+		attribute virtualseparateddomain;
-+	')
-+
-+	typeattribute $1 virtualseparateddomain;
-+')
-+
-+########################################
-+## <summary>
 +##	Make the specified type usable as a virtual os image
 +## </summary>
 +## <param name="type">
@ -29470,10 +29448,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 virtual_image_type:file { relabelfrom relabelto };
 +')
 +
+########################################
+## <summary>
+##	Allow domain to transition and control virtualdomain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`virtual_transition',`
+	gen_require(`
+		attribute virtualdomain;
+	')
+
+	allow $1 virtualdomain:process { setsched transition signal signull sigkill };
+')
+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
 --- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.10/policy/modules/system/virtual.te	2009-03-24 09:03:48.000000000 -0400
-@@ -0,0 +1,80 @@
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te	2009-03-26 14:21:16.000000000 -0400
+@@ -0,0 +1,81 @@
 +
 +policy_module(virtualization, 1.1.2)
 +
@ -29517,6 +29513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +dev_rw_qemu(virtualdomain)
 +
 +domain_use_interactive_fds(virtualdomain)
+domain_user_exemption_target(virtualdomain)
 +
 +files_read_etc_files(virtualdomain)
 +files_read_usr_files(virtualdomain)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.10
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
 %endif

 %changelog
+* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
+- Fixes for svirt
+
 * Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
 - Fixes to allow svirt read iso files in homedir