rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
9dc3cd1635
selinux-policy/policy/modules/services/virt.if
Paul Moore 9dc3cd1635 refpol: Policy for the new TUN driver access controls 
Add policy for the new TUN driver access controls which allow policy to
control which domains have the ability to create and attach to TUN/TAP
devices.  The policy rules for creating and attaching to a device are as
shown below:

  # create a new device
  allow domain_t self:tun_socket { create };

  # attach to a persistent device (created by tunlbl_t)
  allow domain_t tunlbl_t:tun_socket { relabelfrom };
  allow domain_t self:tun_socket { relabelto };

Further discussion can be found on this thread:

 * http://marc.info/?t=125080850900002&r=1&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
2009-08-31 08:36:06 -04:00

349 lines
6.7 KiB
Plaintext
Raw Blame History

## <summary>Libvirt virtualization API</summary>
########################################
## <summary>
## Make the specified type usable as a virt image
## </summary>
## <param name="type">
## <summary>
## Type to be used as a virtual image
## </summary>
## </param>
#
interface(`virt_image',`
gen_require(`
attribute virt_image_type;
')
typeattribute $1 virt_image_type;
files_type($1)
# virt images can be assigned to blk devices
dev_node($1)
')
########################################
## <summary>
## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`virt_domtrans',`
gen_require(`
type virtd_t, virtd_exec_t;
')
domtrans_pattern($1, virtd_exec_t, virtd_t)
')
#######################################
## <summary>
## Connect to virt over an unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_stream_connect',`
gen_require(`
type virtd_t, virt_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
########################################
## <summary>
## Read virt config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_read_config',`
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
')
files_search_etc($1)
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
## <summary>
## manage virt config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_manage_config',`
gen_require(`
type virt_etc_t;
type virt_etc_rw_t;
')
files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')
########################################
## <summary>
## Read virt PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_read_pid_files',`
gen_require(`
type virt_var_run_t;
')
files_search_pids($1)
allow $1 virt_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Manage virt pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_manage_pid_files',`
gen_require(`
type virt_var_run_t;
')
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
## <summary>
## Search virt lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_search_lib',`
gen_require(`
type virt_var_lib_t;
')
allow $1 virt_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read virt lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_read_lib_files',`
gen_require(`
type virt_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## virt lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_manage_lib_files',`
gen_require(`
type virt_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')
########################################
## <summary>
## Allow the specified domain to read virt's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`virt_read_log',`
gen_require(`
type virt_log_t;
')
logging_search_logs($1)
read_files_pattern($1, virt_log_t, virt_log_t)
')
########################################
## <summary>
## Allow the specified domain to append
## virt log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`virt_append_log',`
gen_require(`
type virt_log_t;
')
logging_search_logs($1)
append_files_pattern($1, virt_log_t, virt_log_t)
')
########################################
## <summary>
## Allow domain to manage virt log files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`virt_manage_log',`
gen_require(`
type virt_log_t;
')
manage_dirs_pattern($1, virt_log_t, virt_log_t)
manage_files_pattern($1, virt_log_t, virt_log_t)
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
')
########################################
## <summary>
## Allow domain to manage virt image files
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`virt_manage_images',`
gen_require(`
type virt_image_t, virt_var_lib_t;
')
virt_search_lib($1)
allow $1 virt_image_t:dir list_dir_perms;
manage_dirs_pattern($1, virt_image_t, virt_image_t)
manage_files_pattern($1, virt_image_t, virt_image_t)
read_lnk_files_pattern($1, virt_image_t, virt_image_t)
rw_blk_files_pattern($1, virt_image_t, virt_image_t)
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
fs_read_nfs_symlinks($1)
')
tunable_policy(`virt_use_samba',`
fs_manage_nfs_files($1)
fs_manage_cifs_files($1)
fs_read_cifs_symlinks($1)
')
')
########################################
## <summary>
## All of the rules required to administrate
## an virt environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
')
allow $1 virtd_t:process { ptrace signal_perms };
ps_process_pattern($1, virtd_t)
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
allow $2 system_r;
virt_manage_pid_files($1)
virt_manage_lib_files($1)
virt_manage_log($1)
')
########################################
## <summary>
## Allow domain to attach to virt TUN devices
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_attach_tun_iface',`
gen_require(`
type virtd_t;
')
allow $1 virtd_t:tun_socket relabelfrom;
allow $1 self:tun_socket relabelto;
')
Reference in New Issue View Git Blame Copy Permalink