From: domg472@gmail.com (Dominick Grift)
Date: Thu, 4 Mar 2010 21:49:50 +0100
Subject: [refpolicy] [ virt patch 1/1] Various virt fixes.
Message-ID: <20100304204947.GA11785@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Fix svirt networking for compatibility. Fix indentation. Fix virt_manage_log to allow domains to search /var/log to manage virt log objects. Add file context specification for /var/run/libvirtd.pid. Remove filetrans pattern for files in /var/lib/libvirt because files are managed in /var/lib/libvirt only. Remove filetrans pattern for files in /var/log/libvirt because files are managed in /var/log/libvirt only. Fix virt_manage_config to allow management of virt_etc_rw_t lnk_files. Use admin patterns in virt_admin since virt not only owns file objects in those locations, and admin may need to manage these other objects as well. Add admin patterns for virt_etc_t and virt_etc_rw_t to virt_admin.
Signed-off-by: Dominick Grift
---
:100644 100644 1116f4f... 093f33e... M policy/modules/services/virt.fc
:100644 100644 92b6ca4... 65a994d... M policy/modules/services/virt.if
:100644 100644 b02d62c... 04694f9... M policy/modules/services/virt.te
policy/modules/services/virt.fc | 2 ++
policy/modules/services/virt.if | 22 ++++++++++++++++------
policy/modules/services/virt.te | 10 ++++++----
3 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 1116f4f..093f33e 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -19,6 +19,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
 /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+
+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 92b6ca4..65a994d 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -175,13 +175,13 @@ interface(`virt_read_config',`
 #
 interface(`virt_manage_config',`
 gen_require(`
- type virt_etc_t;
- type virt_etc_rw_t;
+ type virt_etc_t, virt_etc_rw_t;
 ')
 files_search_etc($1)
 manage_files_pattern($1, virt_etc_t, virt_etc_t)
 manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+ manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
 ')
 ########################################
@@ -370,6 +370,7 @@ interface(`virt_manage_log',`
 type virt_log_t;
 ')
+ logging_search_logs($1)
 manage_dirs_pattern($1, virt_log_t, virt_log_t)
 manage_files_pattern($1, virt_log_t, virt_log_t)
 manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
@@ -488,7 +489,9 @@ interface(`virt_manage_images',`
 #
 interface(`virt_admin',`
 gen_require(`
- type virtd_t, virtd_initrc_exec_t;
+ type virtd_t, virtd_initrc_exec_t, virt_log_t;
+ type virt_var_lib_t, virt_var_run_t, virt_etc_t;
+ type virt_etc_rw_t;
 ')
 allow $1 virtd_t:process { ptrace signal_perms };
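Review bot: The new `manage_lnk_files_pattern` call in the @@ -175 hunk covers only virt_etc_rw_t, so virt_manage_config still grants no symlink permissions on virt_etc_t, and neither the hunk nor the interface's header comment (which sits above the hunk, outside it) records that this asymmetry is deliberate. The commit message scopes the fix to virt_etc_rw_t lnk_files, so it is presumably intended, but the next reader of virt_manage_config will have to guess. I would put one line above the new call, e.g. `# symlinks are only expected under virt_etc_rw_t; virt_etc_t holds plain files`, reworded if virt_etc_t can in fact contain symlinks. The `logging_search_logs($1)` added in the @@ -370 hunk parallels the `files_search_etc($1)` this interface already does and needs no further note.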
@@ -499,9 +502,16 @@ interface(`virt_admin',`
 role_transition $2 virtd_initrc_exec_t system_r;
 allow $2 system_r;
- virt_manage_pid_files($1)
+ files_search_etc($1)
+ admin_pattern($1, virt_etc_t)
+ admin_pattern($1, virt_etc_rw_t)
- virt_manage_lib_files($1)
+ files_search_pids($1)
+ admin_pattern($1, virt_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, virt_var_lib_t)
- virt_manage_log($1)
+ logging_search_logs($1)
+ admin_pattern($1, virt_log_t)
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index b02d62c..04694f9 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -113,6 +113,8 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
 dontaudit svirt_t virt_content_t:file write_file_perms;
 dontaudit svirt_t virt_content_t:dir write;
+corenet_all_recvfrom_unlabeled(svirt_t)
+corenet_all_recvfrom_netlabel(svirt_t)
 corenet_udp_sendrecv_generic_if(svirt_t)
 corenet_udp_sendrecv_generic_node(svirt_t)
 corenet_udp_sendrecv_all_ports(svirt_t)
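Review bot: After this hunk virt_admin gets admin_pattern on virt_var_run_t and virt_var_lib_t, but the virt.fc hunk earlier in this patch labels the qemu subtrees of both directories (`/var/run/libvirt/qemu(/.*)?`, `/var/lib/libvirt/qemu(/.*)?`) as svirt_var_run_t, which receives no admin_pattern here, so an admin domain can search into those trees but not manage what lives in them. If that is intentional it deserves a comment in the interface body, e.g. `# svirt_var_run_t (per-guest runtime state) is deliberately not handed to the admin`; if not, the type belongs in the @@ -488 gen_require with an `admin_pattern($1, svirt_var_run_t)` beside the virt_var_run_t one. It is also worth stating in the interface's header comment (outside the hunk) that admin_pattern expands to relabel permissions as well as manage ones, so callers of virt_admin can now change the labels of virt_etc_t and virt_etc_rw_t objects, which the replaced virt_manage_* calls did not allow.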
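Review bot: The two corenet_all_recvfrom_* calls widen what svirt_t may receive to every unlabeled and NetLabel-labeled peer, and the only rationale on record is the commit message's "Fix svirt networking for compatibility", which will not be visible to anyone reading virt.te. Since svirt_t is presumably the type confining guest instances, this is exactly the line a later policy audit will question, so I would carry the reason into the file directly above the two added lines, e.g. `# guests must receive from unlabeled/netlabel peers; labeled networking is not assumed on the host`, reworded to whatever the actual compatibility problem was. Whether the corenet_udp_sendrecv_* lines that follow already implied this reach cannot be judged from the hunk.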
@@ -189,17 +191,17 @@ allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+logging_log_filetrans(virtd_t, virt_log_t, dir)
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, dir)
 manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
-files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+files_pid_filetrans(virtd_t, virt_var_run_t, { dir file })
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
@@ -332,7 +334,7 @@ optional_policy(`
 ')
 optional_policy(`
- policykit_dbus_chat(virtd_t)
+ policykit_dbus_chat(virtd_t)
 policykit_domtrans_auth(virtd_t)
 policykit_domtrans_resolve(virtd_t)
 policykit_read_lib(virtd_t)
-- 
1.6.6.1
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100304/7eeff615/attachment-0001.bin
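Review bot: The pid filetrans keeps `file` while the log and var_lib transitions drop it, and the reason — the new `/var/run/libvirtd\.pid` context added to virt.fc in this patch — lives in another file, so virt.te on its own now reads as inconsistent. A one-line comment above `files_pid_filetrans(virtd_t, virt_var_run_t, { dir file })`, e.g. `# libvirtd.pid is created directly in /var/run; everything else lives under /var/run/libvirt`, would keep the three blocks self-explanatory. The narrowing of the other two transitions is consistent with the commit message's statement that files are only created inside /var/log/libvirt and /var/lib/libvirt, and the @@ -334 hunk is whitespace only.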