2016-05-26 12:05:05

by Jason Zaman

Subject: [refpolicy] [PATCH 1/2] virt: add policy for virtlogd

---
virt.fc | 1 +
virt.te | 45 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)

diff --git a/virt.fc b/virt.fc
index f7e0ce8..7d9456a 100644
--- a/virt.fc
+++ b/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)

/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
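Review bot: Only the executable gets a file-context entry here, while the virt.te part of this patch declares `virtlogd_run_t` and labels the daemon's socket and pid file purely through type transitions. Nothing in this hunk gives those runtime files a persistent context, so a relabel of the run directory would presumably reset them to the directory's default type and break the `stream_connect_pattern` added for `virtd_t`. If virt.fc already carries run-file entries for virtlockd outside this hunk, mirror them for virtlogd, e.g. `<virtlogd socket path> -s gen_context(system_u:object_r:virtlogd_run_t,s0)` with the real path filled in.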

diff --git a/virt.te b/virt.te
index 6e72a87..c625e12 100644
--- a/virt.te
+++ b/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)

+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')

########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;

+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };

manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
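Review bot: `allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;` gives every guest domain read as well as write access to pipes owned by virtlogd, and nothing in the hunk says why read is needed. `virt_domain` is the least trusted party on this interface, so if the guests only write their output into the pipe, a write-only set such as `write_fifo_file_perms` would be the tighter grant; this should be confirmed against AVC denials in enforcing mode. A one-line comment above the pair, for example `# guest output is passed to virtlogd over an inherited pipe` if that is indeed the reason, would record the intent for later audits. The same question applies to the `virtd_t` pair added in the next hunk.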
@@ -468,6 +480,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;

+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };

domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -554,6 +569,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)

can_exec(virtd_t, virt_tmp_t)

@@ -1315,3 +1331,32 @@ miscfiles_read_localization(virtlockd_t)

virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+kernel_getattr_proc(virtlogd_t)
+kernel_search_proc(virtlogd_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_append_log(virtlogd_t)
+virt_read_config(virtlogd_t)
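Review bot: `files_list_var_lib(virtlogd_t)` looks carried over from the virtlockd block rather than required: this patch declares `virtlogd_run_t` but no var_lib type for virtlogd, so there is no visible reason for the daemon to list that directory. The three `allow virtlogd_t virtd_t:...` rules (dir, file, lnk_file) also deserve a comment, since reading another domain's `/proc/<pid>` entries is not obviously part of a log daemon's job; something like `# inspect the /proc entry of the connecting libvirtd` would do if that is the purpose. Dropping each rule in turn and checking for AVC denials would show which ones are really needed. Patch 2/2 adds the same three `virtd_t` rules to virtlockd, also without a comment.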
--
2.7.3


2016-05-26 12:05:06

by Jason Zaman

Subject: [refpolicy] [PATCH 2/2] virt: virtlockd does not need ps_process_pattern

The allow rules on virtd_t are enough; virtlockd does not require the :process
class access.
---
virt.te | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/virt.te b/virt.te
index c625e12..8f052a7 100644
--- a/virt.te
+++ b/virt.te
@@ -1304,6 +1304,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;

+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;

@@ -1322,7 +1326,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)

can_exec(virtlockd_t, virtlockd_exec_t)

-ps_process_pattern(virtlockd_t, virtd_t)
+kernel_getattr_proc(virtlockd_t)
+kernel_search_proc(virtlockd_t)

files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
--
2.7.3

2016-05-26 14:22:36

by Dac Override

Subject: [refpolicy] [PATCH 2/2] virt: virtlockd does not need ps_process_pattern

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/26/2016 02:05 PM, Jason Zaman wrote:
> The allow rules on virtd_t are enough, it does not require the
> :process class access. --- virt.te | 7 ++++++- 1 file changed, 6
> insertions(+), 1 deletion(-)
>
> diff --git a/virt.te b/virt.te index c625e12..8f052a7 100644 ---
> a/virt.te +++ b/virt.te @@ -1304,6 +1304,10 @@
> kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow
> virtlockd_t self:capability dac_override; allow virtlockd_t
> self:fifo_file rw_fifo_file_perms;
>
> +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t
> virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file
> read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir
> list_dir_perms; allow virtlockd_t virt_image_type:file
> rw_file_perms;
>
> @@ -1322,7 +1326,8 @@ files_pid_filetrans(virtlockd_t,
> virtlockd_run_t, file)
>
> can_exec(virtlockd_t, virtlockd_exec_t)
>
> -ps_process_pattern(virtlockd_t, virtd_t)
> +kernel_getattr_proc(virtlockd_t) +kernel_search_proc(virtlockd_t)

The kernel_search_proc() is redundant. Are you sure that it wants to
get attributes of the proc filesystem?

>
> files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
>


- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=bEAC
-----END PGP SIGNATURE-----