2011-11-13 09:29:58

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/3] Virtual Distributed Ethernet

This patchset introduces VDE, the Virtual Distributed Ethernet application,
which allows administrators to create virtual networks for qemu.

Changes since first version:
- coding style fixes
- remove a test paragraph that was wrongly included

Wkr,
Sven Vermeulen


2011-11-13 09:30:32

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/2] Introduce vde domain

VDE, or Virtual Distributed Ethernet, is a process that simulates a
hub/switch within a virtual network. It can be used to provide both
simple and complex network environments within a virtual scope.

We introduce the vde_t domain (and related types) here, and will later
patch qemu to (optionally) use VDE.

Signed-off-by: Sven Vermeulen <[email protected]>
---
vde.fc | 20 ++++++++++++++++++++
vde.if | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vde.te | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 135 insertions(+), 0 deletions(-)
create mode 100644 vde.fc
create mode 100644 vde.if
create mode 100644 vde.te

diff --git a/vde.fc b/vde.fc
new file mode 100644
index 0000000..28b75dd
--- /dev/null
+++ b/vde.fc
@@ -0,0 +1,20 @@
+#
+# /etc
+#
+/etc/init.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0)
+/usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0)
+
+#
+# /var
+#
+/var/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0)
+
+#
+# /tmp
+#
+/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0)
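
Review bot: the `.` in `/tmp/vde.[0-9-]*` is unescaped, so it matches any single character, unlike the `/var/run/vde\.ctl(/.*)?` entry two lines up; it should read `/tmp/vde\.[0-9-]*`. The `/etc/init.d/vde` entry has the same unescaped dot, and upstream refpolicy lists init scripts as `/etc/rc\.d/init\.d/vde` rather than the distribution-specific `/etc/init.d/` path. Separately, vde.te in this same patch declares `vde_var_lib_t`, but no path in this file is labeled with it, so either a `/var/lib` entry is missing here or the type should go.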
diff --git a/vde.if b/vde.if
new file mode 100644
index 0000000..f3dac26
--- /dev/null
+++ b/vde.if
@@ -0,0 +1,61 @@
+## <summary>Virtual Distributed Ethernet switch service</summary>
+
+########################################
+## <summary>
+## The rules needed to manage the VDE switches
+## </summary>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the vde domain.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_role',`
+ gen_require(`
+ type vde_t, vde_tmp_t;
+ type vde_var_run_t;
+ type vde_initrc_exec_t, vde_exec_t;
+ ')
+
+ role $1 types vde_t;
+
+ allow $2 vde_t:process { ptrace signal_perms };
+ allow vde_t $2:process { sigchld signull };
+ allow vde_t $2:fd use;
+ allow vde_t $2:tun_socket { relabelfrom };
+ allow vde_t self:tun_socket { relabelfrom relabelto };
+ ps_process_pattern($2, vde_t)
+
+ domain_auto_trans($2, vde_exec_t, vde_t)
+')
+
+########################################
+## <summary>
+## Allow communication with the VDE service
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_connect',`
+ gen_require(`
+ type vde_t, vde_var_run_t, vde_tmp_t;
+ ')
+
+ allow $1 vde_var_run_t:sock_file write_sock_file_perms;
+ allow $1 vde_t:unix_stream_socket { connectto };
+ allow $1 vde_t:unix_dgram_socket { sendto };
+ allow vde_t $1:unix_dgram_socket { sendto };
+
+ allow $1 vde_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans($1, vde_tmp_t, sock_file)
+')
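
Review bot: `<rolecap/>` on `vde_connect` is wrong; that tag marks interfaces that confer role capabilities (which `vde_role` is), and an access interface like `vde_connect` should not carry it. In `vde_role`, the `gen_require` block lists `vde_tmp_t`, `vde_var_run_t` and `vde_initrc_exec_t`, none of which the body uses; drop them, or, if the summary's "manage the VDE switches" is meant to cover the init script, add the usual `init_labeled_script_domtrans($2, vde_initrc_exec_t)` with the matching `role_transition $1 vde_initrc_exec_t system_r;` and `allow $1 system_r;`. Also note that `vde_connect` hands every caller `files_tmp_filetrans($1, vde_tmp_t, sock_file)`, which labels all sock_files the caller creates in /tmp as `vde_tmp_t`, not only its VDE client socket; worth a comment in the interface summary so callers know.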
diff --git a/vde.te b/vde.te
new file mode 100644
index 0000000..6367210
--- /dev/null
+++ b/vde.te
@@ -0,0 +1,54 @@
+policy_module(vde, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type vde_t;
+type vde_exec_t;
+init_daemon_domain(vde_t, vde_exec_t)
+
+type vde_initrc_exec_t;
+init_script_file(vde_initrc_exec_t)
+
+type vde_var_lib_t;
+files_type(vde_var_lib_t)
+
+type vde_var_run_t;
+files_pid_file(vde_var_run_t)
+
+type vde_tmp_t;
+files_tmp_file(vde_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vde_t self:process { signal_perms getcap setcap };
+allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
+allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vde_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
+
+allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
+
+files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
+
+corenet_rw_tun_tap_dev(vde_t)
+
+domain_use_interactive_fds(vde_t)
+
+files_read_etc_files(vde_t)
+
+logging_send_syslog_msg(vde_t)
+
+miscfiles_read_localization(vde_t)
+
+userdom_use_user_terminals(vde_t)
+
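
Review bot: `unix_dgram_socket` in `files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })` never fires: the kernel computes a socket's label with the creating domain as the target type, not the directory type, so only the file classes (`dir file sock_file`) belong in that list. `vde_var_lib_t` is declared with `files_type()` but referenced nowhere else in the module, so either use it or remove it. New refpolicy modules start at `policy_module(vde, 1.0.0)`, not `0.0.1`. Finally, `dac_override` in the capability set deserves a one-line comment on why vde_switch needs it; `chown fowner fsetid` already cover reassigning the control socket, and `dac_override` usually points at a permissions problem on the control directory rather than a real requirement.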
--
1.7.3.4
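
The unescaped-dot check a reviewer would run over the vde.fc entries above, as an added example; it is not code from the patchset or from refpolicy. It parses the posted entries (constructed here as a string), flags `.` characters that are neither escaped, inside a bracket class, nor followed by a quantifier (a heuristic of this example, not a setfiles rule), and uses `re.fullmatch`, which anchors at both ends the way setfiles does, to show which paths each expression actually labels.

```python
"""Lint a refpolicy file-context (.fc) file for unescaped dots.

Added example for reviewing the vde.fc above; not part of the patchset
or of refpolicy.  setfiles/restorecon treat the first field of each entry
as an anchored regular expression, so an unescaped '.' matches any single
character and can label paths the author never intended.
"""
import re

# Constructed sample: the five entries from the posted vde.fc, verbatim.
SAMPLE_FC = """\
# /etc
/etc/init.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0)
/usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0)
/usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0)
/var/run/vde\\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0)
/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0)
"""

# Entry shape: path-regex [file-type] gen_context(user:role:type,level)
# The optional file-type flag is one of -- -d -l -s -p -c -b.
FC_ENTRY = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-dlspcb])\s+)?"
    r"gen_context\((?P<ctx>[^,()]+),(?P<level>[^()]+)\)\s*$"
)


def parse_fc(text):
    """Return one dict per entry; comments and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FC_ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an fc entry: {line!r}")
        entries.append({"line": lineno, **m.groupdict()})
    return entries


def unescaped_dots(path_regex):
    """Offsets of '.' that are neither escaped, inside [...], nor followed
    by a quantifier.  The quantifier rule is this example's heuristic:
    a '.*' wildcard is deliberate, a bare '.' before a literal usually is not."""
    hits = []
    in_class = False
    i = 0
    while i < len(path_regex):
        c = path_regex[i]
        if c == "\\":
            i += 2          # skip the escaped character
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            nxt = path_regex[i + 1] if i + 1 < len(path_regex) else ""
            if nxt not in ("*", "+", "?"):
                hits.append(i)
        i += 1
    return hits


def fc_matches(path_regex, candidate):
    """Would this entry label `candidate`?  setfiles anchors the expression
    at both ends, which re.fullmatch reproduces."""
    return re.fullmatch(path_regex, candidate) is not None


def lint(text):
    """Human-readable findings for every unescaped '.' in the file."""
    findings = []
    for e in parse_fc(text):
        for off in unescaped_dots(e["path"]):
            fixed = e["path"][:off] + "\\." + e["path"][off + 1:]
            findings.append(
                f"line {e['line']}: unescaped '.' at offset {off} in "
                f"{e['path']} (suggest {fixed})"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_FC):
        print(finding)
    # The unescaped entry also claims paths that have nothing to do with VDE:
    print(fc_matches(r"/tmp/vde.[0-9-]*", "/tmp/vdeX"))    # True
    print(fc_matches(r"/tmp/vde\.[0-9-]*", "/tmp/vdeX"))   # False
```

Run it as-is to see the two findings (the `/etc/init.d/vde` and `/tmp/vde.[0-9-]*` entries); point `lint()` at a real .fc file's contents to check a module before sending it.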

2011-11-13 09:31:18

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/3] Allow qemu to interact with VDE

Optionally allow qemu to connect to the vde switch.

Signed-off-by: Sven Vermeulen <[email protected]>
---
qemu.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index 9cf9992..f9abc5e 100644
--- a/qemu.te
+++ b/qemu.te
@@ -99,6 +99,10 @@ optional_policy(`
')

optional_policy(`
+ vde_connect(qemu_t)
+')
+
+optional_policy(`
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
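
Review bot: this diff is rooted at `qemu.te` with no module directory, and patch 1 likewise creates `vde.fc`/`vde.if`/`vde.te` at the top level, while patch 3 uses the full `policy/modules/roles/sysadm.te` path; patches 1 and 2 need the same tree-relative paths or `git am` from the top of the tree will not place the files. The `vde_connect(qemu_t)` block itself is fine and sits in the right alphabetical spot before `virt_*`, but because `vde_connect` includes `files_tmp_filetrans($1, vde_tmp_t, sock_file)`, every sock_file `qemu_t` creates in /tmp, not only its VDE client socket, will now be labeled `vde_tmp_t`; say so in the commit message so the behaviour change is on record.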
--
1.7.3.4

2011-11-13 09:31:45

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 3/3] Allow sysadm_r to manage vde switches

Assign the vde_role to sysadm_r so that the system administrator can
manage virtual distributed ethernet process(es).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 954417f..0e09153 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -386,6 +386,10 @@ optional_policy(`
')

optional_policy(`
+ vde_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
vmware_role(sysadm_r, sysadm_t)
')

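Review bot: placement is right (alphabetical, before `vmware_role`), but the commit message's "manage" overstates what `vde_role(sysadm_r, sysadm_t)` grants as posted in patch 1: `sysadm_t` gets the `vde_exec_t` transition into `vde_t`, `signal_perms`/`ptrace` on it, and the tun_socket relabel rules, and nothing on `vde_initrc_exec_t` or `vde_var_run_t`. Either word this as running vde_switch/vde_tunctl directly, or have `vde_role` grant the init script transition too.
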
--
1.7.3.4