2010-03-04 20:49:50

by domg472

Subject: [refpolicy] [ virt patch 1/1] Various virt fixes.

Fix svirt networking for compatibility.
Fix indentation.
Fix virt_manage_log to allow domains to search /var/log to manage virt log objects.
Add file context specification for /var/run/libvirtd.pid.
Remove filetrans pattern for files in /var/lib/libvirt because files are managed in /var/lib/libvirt only.
Remove filetrans pattern for files in /var/log/libvirt because files are managed in /var/log/libvirt only.
Fix virt_manage_config to allow management of virt_etc_rw_t lnk_files.
Use admin patterns in virt_admin, since virt owns objects other than plain files in those locations and an administrator may need to manage those as well.
Add admin patterns for virt_etc_t and virt_etc_rw_t to virt_admin.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 1116f4f... 093f33e... M policy/modules/services/virt.fc
:100644 100644 92b6ca4... 65a994d... M policy/modules/services/virt.if
:100644 100644 b02d62c... 04694f9... M policy/modules/services/virt.te
policy/modules/services/virt.fc | 2 ++
policy/modules/services/virt.if | 22 ++++++++++++++++------
policy/modules/services/virt.te | 10 ++++++----
3 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 1116f4f..093f33e 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -19,6 +19,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)

/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+
+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)

diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 92b6ca4..65a994d 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -175,13 +175,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
- type virt_etc_t;
- type virt_etc_rw_t;
+ type virt_etc_t, virt_etc_rw_t;
')

files_search_etc($1)
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')

########################################
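Review bot: `manage_lnk_files_pattern` is added only for virt_etc_rw_t, so a symlink labeled virt_etc_t still cannot be managed through virt_manage_config even though the interface manages virt_etc_t files one line above. If the asymmetry is intended, a comment on the new line would make that explicit, e.g. `# symlinks are only expected in the writable config tree`; otherwise a matching `manage_lnk_files_pattern($1, virt_etc_t, virt_etc_t)` completes the pair. The interface's summary comment block sits above the hunk and should mention that symlinks are now covered.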
@@ -370,6 +370,7 @@ interface(`virt_manage_log',`
type virt_log_t;
')

+ logging_search_logs($1)
manage_dirs_pattern($1, virt_log_t, virt_log_t)
manage_files_pattern($1, virt_log_t, virt_log_t)
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
@@ -488,7 +489,9 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
- type virtd_t, virtd_initrc_exec_t;
+ type virtd_t, virtd_initrc_exec_t, virt_log_t;
+ type virt_var_lib_t, virt_var_run_t, virt_etc_t;
+ type virt_etc_rw_t;
')

allow $1 virtd_t:process { ptrace signal_perms };
@@ -499,9 +502,16 @@ interface(`virt_admin',`
role_transition $2 virtd_initrc_exec_t system_r;
allow $2 system_r;

- virt_manage_pid_files($1)
+ files_search_etc($1)
+ admin_pattern($1, virt_etc_t)
+ admin_pattern($1, virt_etc_rw_t)

- virt_manage_lib_files($1)
+ files_search_pids($1)
+ admin_pattern($1, virt_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, virt_var_lib_t)

- virt_manage_log($1)
+ logging_search_logs($1)
+ admin_pattern($1, virt_log_t)
')
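Review bot: virt_admin now administers virt_etc_t, virt_etc_rw_t, virt_var_run_t, virt_var_lib_t and virt_log_t, but not svirt_var_run_t, which the virt.fc hunk in this patch assigns to /var/lib/libvirt/qemu and /var/run/libvirt/qemu; as written an admin domain apparently cannot clean up that per-guest runtime state. If the omission is deliberate, a comment in the body would save the next reader the question, e.g. `# per-guest svirt_* runtime state is intentionally not covered here`; otherwise `admin_pattern($1, svirt_var_run_t)` with a matching gen_require entry completes the set. As I recall admin_pattern, unlike the virt_manage_* calls it replaces, also grants relabel permissions on these types, which suits an admin interface but deserves a sentence in the commit message. virt_admin's header and summary block are outside the hunk.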
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index b02d62c..04694f9 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -113,6 +113,8 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;

+corenet_all_recvfrom_unlabeled(svirt_t)
+corenet_all_recvfrom_netlabel(svirt_t)
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
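Review bot: the two new corenet_all_recvfrom_* calls widen what the confined guest domain svirt_t may receive, and nothing at the call site says why; the commit message's "for compatibility" does not reach the policy file. A short why-comment above the pair, e.g. `# guests receive traffic from peers that carry no label`, would record the intent for whoever later audits svirt_t's network reach. Since svirt_t is the per-guest domain, this broadening also deserves a sentence of justification in the commit message rather than the one-word reason given.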
@@ -189,17 +191,17 @@ allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };

manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+logging_log_filetrans(virtd_t, virt_log_t, dir)

manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, dir)

manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
-files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+files_pid_filetrans(virtd_t, virt_var_run_t, { dir file })

kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
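Review bot: dropping `file` from logging_log_filetrans and files_var_lib_filetrans is only safe if virtd never creates a file directly in /var/log or /var/lib; a file created there would keep the parent directory's label, and virtd's manage_files_pattern on virt_log_t and virt_var_lib_t would not cover it, so the failure mode is a denial rather than a mislabeled-but-working file. The commit message asserts that files live only under the libvirt/ subdirectories, but that reasoning should sit next to the rules it justifies, e.g. `# only the libvirt/ dir is created here; files live beneath it` above each of the two changed lines. The pid filetrans keeps `file`, which is consistent with the new /var/run/libvirtd.pid context added in virt.fc.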
@@ -332,7 +334,7 @@ optional_policy(`
')

optional_policy(`
- policykit_dbus_chat(virtd_t)
+ policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
--
1.6.6.1



2010-04-12 15:44:16

by cpebenito

Subject: [refpolicy] [ virt patch 1/1] Various virt fixes.

On Thu, 2010-03-04 at 21:49 +0100, Dominick Grift wrote:
> Fix svirt networking for compatibility.
> Fix indentation.
> Fix virt_manage_log to allow domains to search /var/log to manage virt log objects.
> Add file context specification for /var/run/libvirtd.pid.
> Remove filetrans pattern for files in /var/lib/libvirt because files are managed in /var/lib/libvirt only.
> Remove filetrans pattern for files in /var/log/libvirt because files are managed in /var/log/libvirt only.
> Fix virt_manage_config to allow management of virt_etc_rw_t lnk_files.
> Use admin patterns in virt_admin since virt not only owns file objects in those locations, and admin may need to manage these other objects as well.
> Add admin patterns for virt_etc_t and virt_etc_rw_t to virt_admin.

Needs to be rebased. Other comments inline

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 1116f4f... 093f33e... M policy/modules/services/virt.fc
> :100644 100644 92b6ca4... 65a994d... M policy/modules/services/virt.if
> :100644 100644 b02d62c... 04694f9... M policy/modules/services/virt.te
> policy/modules/services/virt.fc | 2 ++
> policy/modules/services/virt.if | 22 ++++++++++++++++------
> policy/modules/services/virt.te | 10 ++++++----
> 3 files changed, 24 insertions(+), 10 deletions(-)
>
> diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
> index 1116f4f..093f33e 100644
> --- a/policy/modules/services/virt.fc
> +++ b/policy/modules/services/virt.fc
> @@ -19,6 +19,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
> /var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
>
> /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
> +
> +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
> /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
> /var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
>
> diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
> index 92b6ca4..65a994d 100644
> --- a/policy/modules/services/virt.if
> +++ b/policy/modules/services/virt.if
> @@ -175,13 +175,13 @@ interface(`virt_read_config',`
> #
> interface(`virt_manage_config',`
> gen_require(`
> - type virt_etc_t;
> - type virt_etc_rw_t;
> + type virt_etc_t, virt_etc_rw_t;
> ')
>
> files_search_etc($1)
> manage_files_pattern($1, virt_etc_t, virt_etc_t)
> manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
> + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
> ')
>
> ########################################
> @@ -370,6 +370,7 @@ interface(`virt_manage_log',`
> type virt_log_t;
> ')
>
> + logging_search_logs($1)
> manage_dirs_pattern($1, virt_log_t, virt_log_t)
> manage_files_pattern($1, virt_log_t, virt_log_t)
> manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
> @@ -488,7 +489,9 @@ interface(`virt_manage_images',`
> #
> interface(`virt_admin',`
> gen_require(`
> - type virtd_t, virtd_initrc_exec_t;
> + type virtd_t, virtd_initrc_exec_t, virt_log_t;
> + type virt_var_lib_t, virt_var_run_t, virt_etc_t;
> + type virt_etc_rw_t;
> ')
>
> allow $1 virtd_t:process { ptrace signal_perms };
> @@ -499,9 +502,16 @@ interface(`virt_admin',`
> role_transition $2 virtd_initrc_exec_t system_r;
> allow $2 system_r;
>
> - virt_manage_pid_files($1)
> + files_search_etc($1)
> + admin_pattern($1, virt_etc_t)
> + admin_pattern($1, virt_etc_rw_t)
>
> - virt_manage_lib_files($1)
> + files_search_pids($1)
> + admin_pattern($1, virt_var_run_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, virt_var_lib_t)
>
> - virt_manage_log($1)
> + logging_search_logs($1)
> + admin_pattern($1, virt_log_t)
> ')
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index b02d62c..04694f9 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -113,6 +113,8 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
> dontaudit svirt_t virt_content_t:file write_file_perms;
> dontaudit svirt_t virt_content_t:dir write;
>
> +corenet_all_recvfrom_unlabeled(svirt_t)
> +corenet_all_recvfrom_netlabel(svirt_t)
> corenet_udp_sendrecv_generic_if(svirt_t)
> corenet_udp_sendrecv_generic_node(svirt_t)
> corenet_udp_sendrecv_all_ports(svirt_t)
> @@ -189,17 +191,17 @@ allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
>
> manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
> manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
> -logging_log_filetrans(virtd_t, virt_log_t, { file dir })
> +logging_log_filetrans(virtd_t, virt_log_t, dir)
>
> manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> -files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
> +files_var_lib_filetrans(virtd_t, virt_var_lib_t, dir)
>
> manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
> manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
> manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
> -files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
> +files_pid_filetrans(virtd_t, virt_var_run_t, { dir file })

Please don't make unnecessary changes like this.

> kernel_read_system_state(virtd_t)
> kernel_read_network_state(virtd_t)
> @@ -332,7 +334,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - policykit_dbus_chat(virtd_t)
> + policykit_dbus_chat(virtd_t)
> policykit_domtrans_auth(virtd_t)
> policykit_domtrans_resolve(virtd_t)
> policykit_read_lib(virtd_t)

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150