* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-285
- Allow svirt_t read userdomain state
This commit is contained in:
parent
7177126bc6
commit
6551841efc
@ -116956,10 +116956,10 @@ index facdee8b3..2a619ba9e 100644
|
||||
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
||||
')
|
||||
diff --git a/virt.te b/virt.te
|
||||
index f03dcf567..5ce41db0d 100644
|
||||
index f03dcf567..529ae6612 100644
|
||||
--- a/virt.te
|
||||
+++ b/virt.te
|
||||
@@ -1,451 +1,422 @@
|
||||
@@ -1,451 +1,424 @@
|
||||
-policy_module(virt, 1.7.4)
|
||||
+policy_module(virt, 1.5.0)
|
||||
|
||||
@ -117125,7 +117125,8 @@ index f03dcf567..5ce41db0d 100644
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_use_usb, true)
|
||||
+
|
||||
|
||||
-attribute svirt_lxc_domain;
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow confined virtual guests to use smartcards
|
||||
@ -117154,8 +117155,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(virt_sandbox_use_sys_admin, false)
|
||||
|
||||
-attribute svirt_lxc_domain;
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow sandbox containers to use mknod system calls
|
||||
@ -117194,11 +117194,11 @@ index f03dcf567..5ce41db0d 100644
|
||||
-virt_domain_template(svirt_prot_exec)
|
||||
+role system_r types svirt_t;
|
||||
+typealias svirt_t alias qemu_t;
|
||||
+
|
||||
+virt_domain_template(svirt_tcg)
|
||||
+role system_r types svirt_tcg_t;
|
||||
|
||||
-type virt_cache_t alias svirt_cache_t;
|
||||
+virt_domain_template(svirt_tcg)
|
||||
+role system_r types svirt_tcg_t;
|
||||
+
|
||||
+type qemu_exec_t, virt_file_type;
|
||||
+
|
||||
+type virt_cache_t alias svirt_cache_t, virt_file_type;
|
||||
@ -117561,10 +117561,13 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
|
||||
-
|
||||
+allow svirt_t self:process ptrace;
|
||||
|
||||
-dontaudit svirt_t virt_content_t:file write_file_perms;
|
||||
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
|
||||
-
|
||||
+# it was a part of auth_use_nsswitch
|
||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
|
||||
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
||||
@ -117573,15 +117576,12 @@ index f03dcf567..5ce41db0d 100644
|
||||
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
||||
-
|
||||
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
||||
+allow svirt_t self:process ptrace;
|
||||
|
||||
-
|
||||
-corenet_udp_sendrecv_generic_if(svirt_t)
|
||||
-corenet_udp_sendrecv_generic_node(svirt_t)
|
||||
-corenet_udp_sendrecv_all_ports(svirt_t)
|
||||
-corenet_udp_bind_generic_node(svirt_t)
|
||||
+# it was a part of auth_use_nsswitch
|
||||
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
-
|
||||
-corenet_all_recvfrom_unlabeled(svirt_t)
|
||||
-corenet_all_recvfrom_netlabel(svirt_t)
|
||||
-corenet_tcp_sendrecv_generic_if(svirt_t)
|
||||
@ -117606,6 +117606,8 @@ index f03dcf567..5ce41db0d 100644
|
||||
+
|
||||
+storage_raw_read_fixed_disk(svirt_t)
|
||||
+
|
||||
+userdom_read_all_users_state(svirt_t)
|
||||
+
|
||||
+#######################################
|
||||
+#
|
||||
+# svirt_prot_exec local policy
|
||||
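Review bot: The line `+userdom_read_all_users_state(svirt_t)` added in the hunk at 117606 carries no comment saying why a guest domain needs to read the process state of all user domains, and the commit message only restates the grant. svirt_t appears on this page as the domain produced by `virt_domain_template(svirt)` with the `qemu_t` alias, i.e. the process that executes on behalf of a guest, so this interface lets a compromised guest read /proc/<pid> entries of host user sessions; the same interface already granted to virtd_t further down is for the trusted daemon, which is a different trust level. I would record the motivating denial or ticket directly above the line, e.g. `# <BUG-ID placeholder>: svirt_t reads /proc/<pid> of user domains because <reason>`, so a later reviewer can tell whether a dontaudit or a narrower interface would have closed the same report. If the access is only needed during a specific operation, that should be stated in the same comment.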
@ -117692,7 +117694,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
||||
@@ -455,42 +426,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
@@ -455,42 +428,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
||||
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
||||
|
||||
@ -117739,22 +117741,22 @@ index f03dcf567..5ce41db0d 100644
|
||||
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
||||
@@ -503,23 +461,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
@@ -503,23 +463,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
||||
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
||||
|
||||
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||
-
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
||||
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
||||
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
|
||||
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
||||
|
||||
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
||||
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
||||
-
|
||||
-can_exec(virtd_t, virt_tmp_t)
|
||||
+# libvirtd is permitted to talk to virtlogd
|
||||
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
|
||||
@ -117773,7 +117775,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
corecmd_exec_bin(virtd_t)
|
||||
corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +486,16 @@ corecmd_exec_shell(virtd_t)
|
||||
@@ -527,24 +488,16 @@ corecmd_exec_shell(virtd_t)
|
||||
corenet_all_recvfrom_netlabel(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_if(virtd_t)
|
||||
corenet_tcp_sendrecv_generic_node(virtd_t)
|
||||
@ -117801,7 +117803,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
dev_rw_sysfs(virtd_t)
|
||||
dev_read_urand(virtd_t)
|
||||
dev_read_rand(virtd_t)
|
||||
@@ -555,20 +506,26 @@ dev_rw_vhost(virtd_t)
|
||||
@@ -555,20 +508,26 @@ dev_rw_vhost(virtd_t)
|
||||
dev_setattr_generic_usb_dev(virtd_t)
|
||||
dev_relabel_generic_usb_dev(virtd_t)
|
||||
|
||||
@ -117832,7 +117834,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
fs_list_auto_mountpoints(virtd_t)
|
||||
fs_getattr_all_fs(virtd_t)
|
||||
fs_rw_anon_inodefs_files(virtd_t)
|
||||
@@ -601,15 +558,18 @@ term_use_ptmx(virtd_t)
|
||||
@@ -601,15 +560,18 @@ term_use_ptmx(virtd_t)
|
||||
|
||||
auth_use_nsswitch(virtd_t)
|
||||
|
||||
@ -117852,19 +117854,29 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
selinux_validate_context(virtd_t)
|
||||
|
||||
@@ -620,27 +580,35 @@ seutil_read_file_contexts(virtd_t)
|
||||
@@ -620,18 +582,26 @@ seutil_read_file_contexts(virtd_t)
|
||||
sysnet_signull_ifconfig(virtd_t)
|
||||
sysnet_signal_ifconfig(virtd_t)
|
||||
sysnet_domtrans_ifconfig(virtd_t)
|
||||
+sysnet_read_config(virtd_t)
|
||||
|
||||
-userdom_read_all_users_state(virtd_t)
|
||||
+systemd_dbus_chat_logind(virtd_t)
|
||||
+systemd_write_inhibit_pipes(virtd_t)
|
||||
+
|
||||
|
||||
-ifdef(`hide_broken_symptoms',`
|
||||
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
-')
|
||||
-
|
||||
-tunable_policy(`virt_use_fusefs',`
|
||||
- fs_manage_fusefs_dirs(virtd_t)
|
||||
- fs_manage_fusefs_files(virtd_t)
|
||||
- fs_read_fusefs_symlinks(virtd_t)
|
||||
-')
|
||||
+userdom_list_admin_dir(virtd_t)
|
||||
+userdom_getattr_all_users(virtd_t)
|
||||
+userdom_list_user_home_content(virtd_t)
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
+userdom_read_all_users_state(virtd_t)
|
||||
+userdom_read_user_home_content_files(virtd_t)
|
||||
+userdom_relabel_user_tmp_files(virtd_t)
|
||||
+userdom_setattr_user_tmp_files(virtd_t)
|
||||
@ -117877,24 +117889,9 @@ index f03dcf567..5ce41db0d 100644
|
||||
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
|
||||
+virt_filetrans_home_content(virtd_t)
|
||||
|
||||
-ifdef(`hide_broken_symptoms',`
|
||||
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
-')
|
||||
-
|
||||
-tunable_policy(`virt_use_fusefs',`
|
||||
- fs_manage_fusefs_dirs(virtd_t)
|
||||
- fs_manage_fusefs_files(virtd_t)
|
||||
- fs_read_fusefs_symlinks(virtd_t)
|
||||
-')
|
||||
-
|
||||
-tunable_policy(`virt_use_nfs',`
|
||||
- fs_manage_nfs_dirs(virtd_t)
|
||||
- fs_manage_nfs_files(virtd_t)
|
||||
- fs_read_nfs_symlinks(virtd_t)
|
||||
+tunable_policy(`virt_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(virtd_t)
|
||||
+ fs_manage_nfs_files(virtd_t)
|
||||
+ fs_read_nfs_symlinks(virtd_t)
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virtd_t)
|
||||
@@ -640,7 +610,7 @@ tunable_policy(`virt_use_nfs',`
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_samba',`
|
||||
@ -117903,7 +117900,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
fs_manage_cifs_files(virtd_t)
|
||||
fs_read_cifs_symlinks(virtd_t)
|
||||
')
|
||||
@@ -665,20 +633,12 @@ optional_policy(`
|
||||
@@ -665,20 +635,12 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -117924,7 +117921,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -691,20 +651,26 @@ optional_policy(`
|
||||
@@ -691,99 +653,432 @@ optional_policy(`
|
||||
dnsmasq_kill(virtd_t)
|
||||
dnsmasq_signull(virtd_t)
|
||||
dnsmasq_create_pid_dirs(virtd_t)
|
||||
@ -117952,113 +117949,103 @@ index f03dcf567..5ce41db0d 100644
|
||||
- kerberos_use(virtd_t)
|
||||
+ kerberos_read_keytab(virtd_t)
|
||||
+ kerberos_use(virtd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -712,11 +678,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lvm_domtrans(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ # Run mount in the mount_t domain.
|
||||
mount_domtrans(virtd_t)
|
||||
mount_signal(virtd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ mount_domtrans(virtd_t)
|
||||
+ mount_signal(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ numad_domtrans(virtd_t)
|
||||
+ numad_dbus_chat(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ policykit_dbus_chat(virtd_t)
|
||||
policykit_domtrans_auth(virtd_t)
|
||||
policykit_domtrans_resolve(virtd_t)
|
||||
policykit_read_lib(virtd_t)
|
||||
@@ -727,10 +700,18 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ policykit_domtrans_auth(virtd_t)
|
||||
+ policykit_domtrans_resolve(virtd_t)
|
||||
+ policykit_read_lib(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ qemu_exec(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sanlock_stream_connect(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
sasl_connect(virtd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ sasl_connect(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ setrans_manage_pid_files(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
kernel_read_xen_state(virtd_t)
|
||||
kernel_write_xen_state(virtd_t)
|
||||
|
||||
@@ -746,44 +727,356 @@ optional_policy(`
|
||||
udev_read_pid_files(virtd_t)
|
||||
')
|
||||
|
||||
+ kernel_read_xen_state(virtd_t)
|
||||
+ kernel_write_xen_state(virtd_t)
|
||||
+
|
||||
+ xen_exec(virtd_t)
|
||||
+ xen_stream_connect(virtd_t)
|
||||
+ xen_stream_connect_xenstore(virtd_t)
|
||||
+ xen_read_image_files(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_domtrans(virtd_t)
|
||||
+ udev_read_db(virtd_t)
|
||||
+ udev_read_pid_files(virtd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(virtd_t)
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
-# Virsh local policy
|
||||
+########################################
|
||||
+#
|
||||
+# virtlogd local policy
|
||||
#
|
||||
|
||||
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
|
||||
-allow virsh_t self:process { getcap getsched setsched setcap signal };
|
||||
-allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow virsh_t self:unix_stream_socket { accept connectto listen };
|
||||
-allow virsh_t self:tcp_socket { accept listen };
|
||||
+#
|
||||
+
|
||||
+# virtlogd is allowed to manage files it creates in /var/run/libvirt
|
||||
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
|
||||
|
||||
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
+
|
||||
+# virtlogd needs to read /etc/libvirt/virtlogd.conf only
|
||||
+allow virtlogd_t virtlogd_etc_t:file read_file_perms;
|
||||
+files_search_etc(virtlogd_t)
|
||||
+allow virtlogd_t virt_etc_t:dir search;
|
||||
|
||||
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
+
|
||||
+# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
|
||||
+# context from other stuff in /var/run/libvirt
|
||||
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
|
||||
+# This lets systemd create the socket itself too
|
||||
|
||||
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||
+
|
||||
+# virtlogd creates a /var/run/virtlogd.pid file
|
||||
+allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
|
||||
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
|
||||
+files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
|
||||
|
||||
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
|
||||
+
|
||||
+manage_dirs_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
|
||||
+manage_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
|
||||
+manage_lnk_files_pattern(virtlogd_t, svirt_tmp_t, svirt_tmp_t)
|
||||
+files_tmp_filetrans(virtlogd_t, svirt_tmp_t, { file dir lnk_file })
|
||||
|
||||
-allow virsh_t svirt_lxc_domain:process transition;
|
||||
+
|
||||
+kernel_read_network_state(virtlogd_t)
|
||||
|
||||
-can_exec(virsh_t, virsh_exec_t)
|
||||
+
|
||||
+allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
+
|
||||
+# Allow virtlogd_t to execute itself.
|
||||
+allow virtlogd_t virtlogd_exec_t:file execute_no_trans;
|
||||
+
|
||||
+dev_read_sysfs(virtlogd_t)
|
||||
|
||||
+
|
||||
+logging_send_syslog_msg(virtlogd_t)
|
||||
+
|
||||
+auth_use_nsswitch(virtlogd_t)
|
||||
@ -118264,30 +118251,40 @@ index f03dcf567..5ce41db0d 100644
|
||||
+ fs_manage_fusefs_files(virt_domain)
|
||||
+ fs_read_fusefs_symlinks(virt_domain)
|
||||
+ fs_getattr_fusefs(virt_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- lvm_domtrans(virtd_t)
|
||||
+ tunable_policy(`virt_use_glusterd',`
|
||||
+ glusterd_manage_pid(virt_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- mount_domtrans(virtd_t)
|
||||
- mount_signal(virtd_t)
|
||||
+tunable_policy(`virt_use_nfs',`
|
||||
+ fs_manage_nfs_dirs(virt_domain)
|
||||
+ fs_manage_nfs_files(virt_domain)
|
||||
+ fs_manage_nfs_named_sockets(virt_domain)
|
||||
+ fs_read_nfs_symlinks(virt_domain)
|
||||
+ fs_getattr_nfs(virt_domain)
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- policykit_domtrans_auth(virtd_t)
|
||||
- policykit_domtrans_resolve(virtd_t)
|
||||
- policykit_read_lib(virtd_t)
|
||||
+tunable_policy(`virt_use_samba',`
|
||||
+ fs_manage_cifs_dirs(virt_domain)
|
||||
+ fs_manage_cifs_files(virt_domain)
|
||||
+ fs_manage_cifs_named_sockets(virt_domain)
|
||||
+ fs_read_cifs_symlinks(virt_domain)
|
||||
+ fs_getattr_cifs(virt_domain)
|
||||
+')
|
||||
+
|
||||
')
|
||||
|
||||
-optional_policy(`
|
||||
- qemu_exec(virtd_t)
|
||||
+tunable_policy(`virt_use_usb',`
|
||||
+ dev_rw_usbfs(virt_domain)
|
||||
+ dev_read_sysfs(virt_domain)
|
||||
@ -118295,49 +118292,83 @@ index f03dcf567..5ce41db0d 100644
|
||||
+ fs_manage_dos_dirs(virt_domain)
|
||||
+ fs_manage_dos_files(virt_domain)
|
||||
+ udev_read_db(virt_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- sasl_connect(virtd_t)
|
||||
+ tunable_policy(`virt_use_pcscd',`
|
||||
+ pcscd_stream_connect(virt_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- kernel_read_xen_state(virtd_t)
|
||||
- kernel_write_xen_state(virtd_t)
|
||||
+ tunable_policy(`virt_use_sanlock',`
|
||||
+ sanlock_stream_connect(virt_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
||||
- xen_exec(virtd_t)
|
||||
- xen_stream_connect(virtd_t)
|
||||
- xen_stream_connect_xenstore(virtd_t)
|
||||
- xen_read_image_files(virtd_t)
|
||||
+tunable_policy(`virt_use_rawip',`
|
||||
+ allow virt_domain self:rawip_socket create_socket_perms;
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- udev_domtrans(virtd_t)
|
||||
- udev_read_db(virtd_t)
|
||||
- udev_read_pid_files(virtd_t)
|
||||
+ tunable_policy(`virt_use_xserver',`
|
||||
+ xserver_stream_connect(virt_domain)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+########################################
|
||||
+#
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
-# Virsh local policy
|
||||
+# xm local policy
|
||||
+#
|
||||
#
|
||||
+type virsh_t, virt_system_domain;
|
||||
+type virsh_exec_t, virt_file_type;
|
||||
+init_system_domain(virsh_t, virsh_exec_t)
|
||||
+typealias virsh_t alias xm_t;
|
||||
+typealias virsh_exec_t alias xm_exec_t;
|
||||
+
|
||||
|
||||
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
|
||||
-allow virsh_t self:process { getcap getsched setsched setcap signal };
|
||||
+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
|
||||
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
||||
+allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
allow virsh_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow virsh_t self:unix_stream_socket { accept connectto listen };
|
||||
-allow virsh_t self:tcp_socket { accept listen };
|
||||
-
|
||||
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
||||
-
|
||||
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
||||
-
|
||||
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
||||
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
||||
-
|
||||
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
|
||||
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
+allow virsh_t self:tcp_socket create_stream_socket_perms;
|
||||
+
|
||||
|
||||
-allow virsh_t svirt_lxc_domain:process transition;
|
||||
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
|
||||
+
|
||||
+can_exec(virsh_t, virsh_exec_t)
|
||||
|
||||
can_exec(virsh_t, virsh_exec_t)
|
||||
-
|
||||
virt_domtrans(virsh_t)
|
||||
virt_manage_images(virsh_t)
|
||||
virt_manage_config(virsh_t)
|
||||
@ -118372,7 +118403,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
kernel_read_system_state(virsh_t)
|
||||
kernel_read_network_state(virsh_t)
|
||||
kernel_read_kernel_sysctls(virsh_t)
|
||||
@@ -794,25 +1087,18 @@ kernel_write_xen_state(virsh_t)
|
||||
@@ -794,25 +1089,18 @@ kernel_write_xen_state(virsh_t)
|
||||
corecmd_exec_bin(virsh_t)
|
||||
corecmd_exec_shell(virsh_t)
|
||||
|
||||
@ -118399,7 +118430,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
fs_getattr_all_fs(virsh_t)
|
||||
fs_manage_xenfs_dirs(virsh_t)
|
||||
@@ -821,23 +1107,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
@@ -821,23 +1109,25 @@ fs_search_auto_mountpoints(virsh_t)
|
||||
|
||||
storage_raw_read_fixed_disk(virsh_t)
|
||||
|
||||
@ -118416,10 +118447,10 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
-logging_send_syslog_msg(virsh_t)
|
||||
+systemd_exec_systemctl(virsh_t)
|
||||
+
|
||||
+auth_read_passwd(virsh_t)
|
||||
|
||||
-miscfiles_read_localization(virsh_t)
|
||||
+auth_read_passwd(virsh_t)
|
||||
+
|
||||
+logging_send_syslog_msg(virsh_t)
|
||||
|
||||
sysnet_dns_name_resolve(virsh_t)
|
||||
@ -118433,7 +118464,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
tunable_policy(`virt_use_nfs',`
|
||||
fs_manage_nfs_dirs(virsh_t)
|
||||
@@ -856,14 +1144,20 @@ optional_policy(`
|
||||
@@ -856,14 +1146,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -118455,7 +118486,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
xen_stream_connect(virsh_t)
|
||||
xen_stream_connect_xenstore(virsh_t)
|
||||
')
|
||||
@@ -888,49 +1182,66 @@ optional_policy(`
|
||||
@@ -888,49 +1184,66 @@ optional_policy(`
|
||||
kernel_read_xen_state(virsh_ssh_t)
|
||||
kernel_write_xen_state(virsh_ssh_t)
|
||||
|
||||
@ -118540,7 +118571,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
|
||||
corecmd_exec_bin(virtd_lxc_t)
|
||||
corecmd_exec_shell(virtd_lxc_t)
|
||||
@@ -942,17 +1253,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
@@ -942,17 +1255,16 @@ dev_read_urand(virtd_lxc_t)
|
||||
|
||||
domain_use_interactive_fds(virtd_lxc_t)
|
||||
|
||||
@ -118560,7 +118591,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
fs_getattr_all_fs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
||||
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
||||
@@ -964,8 +1274,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
@@ -964,8 +1276,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
||||
fs_unmount_all_fs(virtd_lxc_t)
|
||||
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
||||
|
||||
@ -118584,7 +118615,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
selinux_get_enforce_mode(virtd_lxc_t)
|
||||
selinux_get_fs_mount(virtd_lxc_t)
|
||||
selinux_validate_context(virtd_lxc_t)
|
||||
@@ -974,194 +1299,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
@@ -974,194 +1301,296 @@ selinux_compute_create_context(virtd_lxc_t)
|
||||
selinux_compute_relabel_context(virtd_lxc_t)
|
||||
selinux_compute_user_contexts(virtd_lxc_t)
|
||||
|
||||
@ -118611,7 +118642,8 @@ index f03dcf567..5ce41db0d 100644
|
||||
+ hal_dbus_chat(virtd_lxc_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
+optional_policy(`
|
||||
+ container_exec_lib(virtd_lxc_t)
|
||||
+')
|
||||
@ -118623,8 +118655,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
+optional_policy(`
|
||||
+ setrans_manage_pid_files(virtd_lxc_t)
|
||||
+')
|
||||
|
||||
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ unconfined_domain(virtd_lxc_t)
|
||||
+')
|
||||
@ -118843,14 +118874,14 @@ index f03dcf567..5ce41db0d 100644
|
||||
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
||||
+optional_policy(`
|
||||
+ ssh_use_ptys(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||
+')
|
||||
|
||||
optional_policy(`
|
||||
- udev_read_pid_files(svirt_lxc_domain)
|
||||
+ udev_read_pid_files(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
||||
+')
|
||||
+
|
||||
@ -119000,8 +119031,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
+fs_manage_cgroup_files(svirt_qemu_net_t)
|
||||
+
|
||||
+term_pty(container_file_t)
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+
|
||||
+auth_use_nsswitch(svirt_qemu_net_t)
|
||||
+
|
||||
+rpm_read_db(svirt_qemu_net_t)
|
||||
@ -119011,7 +119041,8 @@ index f03dcf567..5ce41db0d 100644
|
||||
+tunable_policy(`virt_sandbox_use_audit',`
|
||||
+ logging_send_audit_msgs(svirt_qemu_net_t)
|
||||
+')
|
||||
+
|
||||
|
||||
-allow svirt_prot_exec_t self:process { execmem execstack };
|
||||
+userdom_use_user_ptys(svirt_qemu_net_t)
|
||||
|
||||
########################################
|
||||
@ -119028,7 +119059,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
@@ -1174,12 +1601,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
@@ -1174,12 +1603,12 @@ dev_read_sysfs(virt_qmf_t)
|
||||
dev_read_rand(virt_qmf_t)
|
||||
dev_read_urand(virt_qmf_t)
|
||||
|
||||
@ -119043,7 +119074,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
sysnet_read_config(virt_qmf_t)
|
||||
|
||||
optional_policy(`
|
||||
@@ -1192,7 +1619,7 @@ optional_policy(`
|
||||
@@ -1192,7 +1621,7 @@ optional_policy(`
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -119052,7 +119083,7 @@ index f03dcf567..5ce41db0d 100644
|
||||
#
|
||||
|
||||
allow virt_bridgehelper_t self:process { setcap getcap };
|
||||
@@ -1201,11 +1628,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -1201,11 +1630,264 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
||||
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
|
||||
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 284%{?dist}
|
||||
Release: 285%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -682,6 +682,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-285
|
||||
- Allow svirt_t read userdomain state
|
||||
|
||||
* Thu Sep 14 2017 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-284
|
||||
- Allow mozilla_plugins_t domain mmap mozilla_plugin_tmpfs_t files
|
||||
- Allow automount domain to manage mount pid files
|
||||
|