- Fixes for svirt

This commit is contained in:
Daniel J Walsh 2009-03-27 00:01:52 +00:00
parent 9ca87fc9d8
commit 6130d52b7c
2 changed files with 52 additions and 52 deletions


@ -4524,8 +4524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-24 15:09:41.000000000 -0400
@@ -91,6 +91,7 @@
+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-25 08:24:42.000000000 -0400
@@ -91,6 +90,7 @@
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
@ -12127,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 10:36:54.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-26 08:23:58.000000000 -0400
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@ -12251,7 +12251,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
miscfiles_read_localization(hald_mac_t)
########################################
@@ -418,3 +459,49 @@
@@ -415,6 +456,53 @@
dev_rw_input_dev(hald_keymap_t)
+files_read_etc_files(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@ -21299,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 15:41:15.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-26 14:25:09.000000000 -0400
@@ -8,20 +8,18 @@
## <desc>
@ -21338,7 +21342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type virt_log_t;
logging_log_file(virt_log_t)
@@ -48,17 +50,40 @@
@@ -48,17 +50,39 @@
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@ -21351,7 +21355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+virt_domain_template(svirt)
+virtual_separated_domain(svirt_t)
+role system_r types svirt_t;
+
+type svirt_cache_t;
@ -21381,7 +21384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -67,7 +92,11 @@
@@ -67,7 +91,11 @@
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@ -21394,7 +21397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -86,6 +115,7 @@
@@ -86,6 +114,7 @@
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t)
@ -21402,7 +21405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
@@ -96,7 +126,7 @@
@@ -96,7 +125,7 @@
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
@ -21411,11 +21414,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
@@ -104,21 +134,38 @@
@@ -104,21 +133,39 @@
dev_read_sysfs(virtd_t)
dev_read_rand(virtd_t)
+dev_read_kvm(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
# Init script handling
@ -21440,6 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
@ -21451,19 +21455,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_getattr_pty_fs(virtd_t)
term_use_ptmx(virtd_t)
@@ -129,6 +176,11 @@
@@ -129,6 +176,13 @@
logging_send_syslog_msg(virtd_t)
+sysnet_domtrans_ifconfig(virtd_t)
+
+virtual_transition(virtd_t)
+
+userdom_dontaudit_list_admin_dir(virtd_t)
+userdom_getattr_all_users(virtd_t)
+userdom_search_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
tunable_policy(`virt_use_nfs',`
@@ -167,22 +219,34 @@
@@ -167,22 +221,34 @@
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
@ -21481,14 +21487,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#')
+optional_policy(`
+ kerberos_keytab_template(virtd, virtd_t)
+')
+
+optional_policy(`
+ lvm_domtrans(virtd_t)
+')
optional_policy(`
- qemu_domtrans(virtd_t)
+ lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(virtd_t)
+ polkit_domtrans_resolve(virtd_t)
+ polkit_read_lib(virtd_t)
@ -21503,7 +21509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -198,5 +262,76 @@
@@ -198,5 +264,74 @@
')
optional_policy(`
@ -21524,8 +21530,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+# svirt local policy
+#
+domain_user_exemption_target(svirt_t)
+allow virtd_t svirt_t:process { setsched transition signal signull sigkill };
+
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
@ -29350,8 +29354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# No application file contexts.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-24 09:03:48.000000000 -0400
@@ -0,0 +1,118 @@
+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 14:24:01.000000000 -0400
@@ -0,0 +1,110 @@
+## <summary>Virtual machine emulator and virtualizer</summary>
+
+########################################
@ -29385,32 +29389,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+## <summary>
+## Make the specified type a virtual domain
+## </summary>
+## <desc>
+## <p>
+## Make the specified type a virtual domain
+## </p>
+## <p>
+## Gives the basic access required for a virtual operatins system
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type granted access
+## </summary>
+## </param>
+#
+interface(`virtual_separated_domain',`
+ gen_require(`
+ attribute virtualseparateddomain;
+ ')
+
+ typeattribute $1 virtualseparateddomain;
+')
+
+########################################
+## <summary>
+## Make the specified type usable as a virtual os image
+## </summary>
+## <param name="type">
@ -29470,10 +29448,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ allow $1 virtual_image_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## Allow domain to transition and control virtualdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virtual_transition',`
+ gen_require(`
+ attribute virtualdomain;
+ ')
+
+ allow $1 virtualdomain:process { setsched transition signal signull sigkill };
+')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te
--- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-24 09:03:48.000000000 -0400
@@ -0,0 +1,80 @@
+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 14:21:16.000000000 -0400
@@ -0,0 +1,81 @@
+
+policy_module(virtualization, 1.1.2)
+
@ -29517,6 +29513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dev_rw_qemu(virtualdomain)
+
+domain_use_interactive_fds(virtualdomain)
+domain_user_exemption_target(virtualdomain)
+
+files_read_etc_files(virtualdomain)
+files_read_usr_files(virtualdomain)
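Review bot: The parameter description of the new `virtual_transition` interface in virtual.if is a copy-paste leftover — `## Domain to not audit.` describes a dontaudit interface, while the body grants `allow $1 virtualdomain:process { setsched transition signal signull sigkill };`; it should read `## Domain allowed access.` so the generated interface documentation does not misstate what is granted. In the same file, the `virtual_separated_domain` description has the typo `operatins` (should be `operating`). In virt.te, the explicit `allow virtd_t svirt_t:process { setsched transition signal signull sigkill };` in the svirt local policy looks like a duplicate of what `virtual_transition(virtd_t)` already grants, provided svirt_t carries the virtualdomain attribute via `virt_domain_template(svirt)`; the template body is outside this view, so that is inferred, but if it holds one of the two rules is redundant and should be dropped to keep the policy readable. Several of the virt.te hunks cut through `optional_policy` blocks whose start or end is outside the hunk.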


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.10
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
%endif
%changelog
* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
- Fixes for svirt
* Thu Mar 19 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-2
- Fixes to allow svirt read iso files in homedir