2012-10-21 12:20:10

by dominick.grift

Subject: [refpolicy] [PATCH 00/10] Various virt requirements

These are required by the virt module

Dominick Grift (10):
For svirt_lxc_domain
For svirt_lxc_domain
For svirt_lxc_domain
For virtd lxc
For virtd_lxc
For virtd_lxc
For virtd lxc
For virtd lxc
For virtd
For virtd

policy/modules/kernel/devices.if | 18 +++++++++++
policy/modules/kernel/files.if | 57 ++++++++++++++++++++++++++++++++++-
policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++
policy/modules/kernel/terminal.if | 19 +++++++++++
policy/modules/system/clock.if | 19 +++++++++++
policy/modules/system/sysnetwork.if | 19 +++++++++++
policy/modules/system/udev.if | 19 +++++++++++
7 files changed, 186 insertions(+), 1 deletions(-)

--
1.7.7.6


2012-10-21 12:20:11

by dominick.grift

Subject: [refpolicy] [PATCH 01/10] For svirt_lxc_domain

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 77a13a5..9ccfd8a 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -224,6 +224,25 @@ interface(`udev_rw_db',`

########################################
## <summary>
+## Read udev pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_pid_files',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+## <summary>
## Search through udev pid content
## </summary>
## <param name="domain">
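Review bot: the commit message ("For svirt_lxc_domain") does not say which udev runtime file a container domain needs to read, so the grant cannot be revisited later; name the file in the message. The rule set itself is the right minimal one for a path lookup: `files_search_pids($1)` reaches /var/run and `read_files_pattern($1, udev_var_run_t, udev_var_run_t)` adds search on the udev_var_run_t directory plus read on its files, and placing the interface ahead of the "Search through udev pid content" interface in the trailing context keeps the file in alphabetical order.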
--
1.7.7.6

2012-10-21 12:20:12

by dominick.grift

Subject: [refpolicy] [PATCH 02/10] For svirt_lxc_domain

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/clock.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index e2f6d93..2734f43 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`

########################################
## <summary>
+## Read clock drift adjustments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clock_read_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 adjtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read and write clock drift adjustments.
## </summary>
## <param name="domain">
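Review bot: `files_list_etc($1)` near the bottom of the hunk grants listing of etc_t directories, while opening /etc/adjtime by path only needs search; `files_search_etc($1)` is the tighter choice unless list is kept on purpose to match the "Read and write clock drift adjustments." interface that follows in the trailing context. The raw `allow $1 adjtime_t:file read_file_perms;` is appropriate because adjtime_t labels a single file under /etc rather than a directory of its own.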
--
1.7.7.6

2012-10-21 12:20:13

by dominick.grift

Subject: [refpolicy] [PATCH 03/10] For svirt_lxc_domain

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/files.if | 21 ++++++++++++++++++++-
1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d1e42ac..e188a21 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2913,7 +2913,7 @@ interface(`files_delete_boot_flag',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
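Review bot: the one-line documentation fix in this hunk (`Domain allowed access.` becomes `Domain to not audit.` on `files_dontaudit_setattr_etc_runtime_files`) is correct but unrelated to the interface added further down, and the subject "For svirt_lxc_domain" does not mention it; either split it into its own cleanup patch or note it in the commit message so it is not lost if the svirt_lxc change is ever reverted.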
@@ -2927,6 +2927,25 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`

########################################
## <summary>
+## Do not audit attempts to write
+## etc runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file write;
+')
+
+########################################
+## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
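Review bot: `dontaudit $1 etc_runtime_t:file write;` silences only the `write` permission; an O_APPEND open is denied on `append` instead and an open for writing without any prior read access on the file also reports `open`, so check that the AVC being suppressed shows exactly `write` before merging, or widen the rule if it does not. Since the trailing context describes etc_runtime_t as files "dynamically created on boot, such as mtab", the commit message should also name the file the container tries to write so readers know this is noise suppression rather than a missing grant.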
--
1.7.7.6

2012-10-21 12:20:14

by dominick.grift

Subject: [refpolicy] [PATCH 04/10] For virtd lxc

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/terminal.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 01dd2f1..771bce1 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -384,6 +384,25 @@ interface(`term_getattr_pty_fs',`

########################################
## <summary>
+## Relabel from and to pty filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_pty_fs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:filesystem { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
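Review bot: the summary "Relabel from and to pty filesystem." should say this is the mount-time check: `relabelfrom` and `relabelto` on the `filesystem` class are what the kernel checks when devpts is mounted with a context= option (relabelfrom against the current superblock label, relabelto against the requested one); they do not grant relabeling of individual pty nodes, and a caller reading the summary could expect that. Also `dev_list_all_dev_nodes($1)` grants listing of /dev, which is wider than the search needed to reach a mount point under it; keep it only if it is there to match the surrounding pty filesystem interfaces.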
--
1.7.7.6

2012-10-21 12:20:15

by dominick.grift

Subject: [refpolicy] [PATCH 05/10] For virtd_lxc

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7c6b791..7463473 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3853,6 +3853,24 @@ interface(`fs_associate_tmpfs',`

########################################
## <summary>
+## Relabel from tmpfs filesystem.
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
## Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
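Review bot: `<param name="type">` at the top of the hunk does not match the rest of this series, where the subject argument is documented as `<param name="domain">`, and its own description "Domain allowed access." shows it is a domain; rename it to `domain`. Granting `relabelfrom` alone is consistent with a mount-time context= mount whose new label is something other than tmpfs_t, but the commit message ("For virtd_lxc") should say that is the case so the asymmetry with the pty and rootfs interfaces in this series is understood.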
--
1.7.7.6

2012-10-21 12:20:16

by dominick.grift

Subject: [refpolicy] [PATCH 06/10] For virtd_lxc

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7463473..8416beb 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3908,6 +3908,24 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`

########################################
## <summary>
+## Mount on tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
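Review bot: `allow $1 tmpfs_t:dir mounton;` applies to every directory labeled tmpfs_t, not to a particular mount point, and since tmpfs_t is the generic tmpfs label the subject "For virtd_lxc" should say what virtd_lxc mounts on so the breadth of the grant is understood. The placement between the getattr dontaudit and the "Set the attributes of tmpfs directories." interface in the trailing context keeps the alphabetical order.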
--
1.7.7.6

2012-10-21 12:20:17

by dominick.grift

Subject: [refpolicy] [PATCH 07/10] For virtd lxc

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e188a21..96b91e0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1874,6 +1874,24 @@ interface(`files_delete_root_dir_entry',`

########################################
## <summary>
+## Relabel to and from rootfs file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
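Review bot: `allow $1 root_t:filesystem { relabelto relabelfrom };` is the mount-time context= check on the rootfs superblock rather than file relabeling, and the summary should say so explicitly, as a caller wanting to relabel files under / would otherwise pick this interface by mistake. The trailing context reads "Unmount a rootfs filesystem." while the new summary says "rootfs file system"; use "filesystem" to match the existing wording.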
--
1.7.7.6

2012-10-21 12:20:18

by dominick.grift

Subject: [refpolicy] [PATCH 08/10] For virtd lxc

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 96b91e0..5f61d5e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1874,6 +1874,24 @@ interface(`files_delete_root_dir_entry',`

########################################
## <summary>
+## Associate to root file system.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to associate.
+## </summary>
+## </param>
+#
+interface(`files_associate_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem associate;
+')
+
+########################################
+## <summary>
## Relabel to and from rootfs file system.
## </summary>
## <param name="domain">
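Review bot: the hunk header `@@ -1874,6 +1874,24 @@` and the trailing context "Relabel to and from rootfs file system." show this interface is inserted directly ahead of the `files_relabel_rootfs` added in patch 07, and the index line `96b91e0..5f61d5e` confirms the dependency, so the two patches only apply in order; say so in the commit message or squash them. The `<param name="file_type">` documentation is right here, since `associate` on the `filesystem` class is checked against the type of the file being placed on the filesystem rather than a domain.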
--
1.7.7.6

2012-10-21 12:20:19

by dominick.grift

Subject: [refpolicy] [PATCH 09/10] For virtd

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 41a1853..fcefe61 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -561,6 +561,25 @@ interface(`sysnet_signal_ifconfig',`

########################################
## <summary>
+## Send null signals to ifconfig.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signull_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ allow $1 ifconfig_t:process signull;
+')
+
+########################################
+## <summary>
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
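Review bot: the `<rolecap/>` tag on `sysnet_signull_ifconfig` marks the interface for listing as a role capability in the generated documentation, which does not fit a grant whose subject says it is "For virtd", a daemon domain; drop the tag unless user roles are meant to signull ifconfig as well, and match whatever the neighbouring `sysnet_signal_ifconfig` in the hunk header carries.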
--
1.7.7.6

2012-10-30 18:18:23

by cpebenito

Subject: [refpolicy] [PATCH 00/10] Various virt requirements

On 10/21/12 08:20, Dominick Grift wrote:
> These are required by the virt module
>
> Dominick Grift (10):
> For svirt_lxc_domain
> For svirt_lxc_domain
> For svirt_lxc_domain
> For virtd lxc
> For virtd_lxc
> For virtd_lxc
> For virtd lxc
> For virtd lxc
> For virtd
> For virtd
>
> policy/modules/kernel/devices.if | 18 +++++++++++
> policy/modules/kernel/files.if | 57 ++++++++++++++++++++++++++++++++++-
> policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++
> policy/modules/kernel/terminal.if | 19 +++++++++++
> policy/modules/system/clock.if | 19 +++++++++++
> policy/modules/system/sysnetwork.if | 19 +++++++++++
> policy/modules/system/udev.if | 19 +++++++++++
> 7 files changed, 186 insertions(+), 1 deletions(-)

1-9 merged, I never received 10.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com