From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 12 Apr 2010 11:44:16 -0400
Subject: [refpolicy] [ virt patch 1/1] Various virt fixes.
In-Reply-To: <20100304204947.GA11785@localhost.localdomain>
References: <20100304204947.GA11785@localhost.localdomain>
Message-ID: <1271087056.2815.209.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Thu, 2010-03-04 at 21:49 +0100, Dominick Grift wrote:
> Fix svirt networking for compatibility.
> Fix indentation.
> Fix virt_manage_log to allow domains to search /var/log to manage virt log objects.
> Add file context specification for /var/run/libvirtd.pid.
> Remove filetrans pattern for files in /var/lib/libvirt because files are managed in /var/lib/libvirt only.
> Remove filetrans pattern for files in /var/log/libvirt because files are managed in /var/log/libvirt only.
> Fix virt_manage_config to allow management of virt_etc_rw_t lnk_files.
> Use admin patterns in virt_admin since virt not only owns file objects in those locations, and admin may need to manage these other objects as well.
> Add admin patterns for virt_etc_t and virt_etc_rw_t to virt_admin.
Needs to be rebased. Other comments inline
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 1116f4f... 093f33e... M policy/modules/services/virt.fc
> :100644 100644 92b6ca4... 65a994d... M policy/modules/services/virt.if
> :100644 100644 b02d62c... 04694f9... M policy/modules/services/virt.te
> policy/modules/services/virt.fc | 2 ++
> policy/modules/services/virt.if | 22 ++++++++++++++++------
> policy/modules/services/virt.te | 10 ++++++----
> 3 files changed, 24 insertions(+), 10 deletions(-)
>
> diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
> index 1116f4f..093f33e 100644
> --- a/policy/modules/services/virt.fc
> +++ b/policy/modules/services/virt.fc
> @@ -19,6 +19,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
> /var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
>
> /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
> +
> +/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
> /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
> /var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
>
> diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
> index 92b6ca4..65a994d 100644
> --- a/policy/modules/services/virt.if
> +++ b/policy/modules/services/virt.if
> @@ -175,13 +175,13 @@ interface(`virt_read_config',`
> #
> interface(`virt_manage_config',`
> gen_require(`
> - type virt_etc_t;
> - type virt_etc_rw_t;
> + type virt_etc_t, virt_etc_rw_t;
> ')
>
> files_search_etc($1)
> manage_files_pattern($1, virt_etc_t, virt_etc_t)
> manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
> + manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
> ')
>
> ########################################
> @@ -370,6 +370,7 @@ interface(`virt_manage_log',`
> type virt_log_t;
> ')
>
> + logging_search_logs($1)
> manage_dirs_pattern($1, virt_log_t, virt_log_t)
> manage_files_pattern($1, virt_log_t, virt_log_t)
> manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
> @@ -488,7 +489,9 @@ interface(`virt_manage_images',`
> #
> interface(`virt_admin',`
> gen_require(`
> - type virtd_t, virtd_initrc_exec_t;
> + type virtd_t, virtd_initrc_exec_t, virt_log_t;
> + type virt_var_lib_t, virt_var_run_t, virt_etc_t;
> + type virt_etc_rw_t;
> ')
>
> allow $1 virtd_t:process { ptrace signal_perms };
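Review bot: The new `/var/run/libvirtd\.pid` entry is inserted ahead of the `/var/run/libvirt(/.*)?` entries, whereas the surrounding file keeps its entries sorted by path; moving it below `/var/run/libvirt/qemu(/.*)?` would match that ordering. The entry itself looks necessary rather than redundant: `/var/run/libvirt(/.*)?` requires a `/` after `libvirt`, so it does not match `libvirtd.pid`, and the `files_pid_filetrans(virtd_t, virt_var_run_t, { dir file })` rule in the virt.te part of this patch is its runtime counterpart.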
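Review bot: `virt_manage_config` now manages symlinks under virt_etc_rw_t but not under virt_etc_t, while regular files are managed for both types; if the asymmetry is deliberate a one-line comment such as `# symlinks are only expected under virt_etc_rw_t` would stop the next reader from "fixing" it, and if it is not, an `manage_lnk_files_pattern($1, virt_etc_t, virt_etc_t)` line restores symmetry. I cannot tell from the hunk whether virt_etc_t directories ever hold symlinks, so this is a question rather than a defect. The interface's summary comment sits above the hunk and should also be updated to say that symlinks are now covered.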
> @@ -499,9 +502,16 @@ interface(`virt_admin',`
> role_transition $2 virtd_initrc_exec_t system_r;
> allow $2 system_r;
>
> - virt_manage_pid_files($1)
> + files_search_etc($1)
> + admin_pattern($1, virt_etc_t)
> + admin_pattern($1, virt_etc_rw_t)
>
> - virt_manage_lib_files($1)
> + files_search_pids($1)
> + admin_pattern($1, virt_var_run_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, virt_var_lib_t)
>
> - virt_manage_log($1)
> + logging_search_logs($1)
> + admin_pattern($1, virt_log_t)
> ')
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index b02d62c..04694f9 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -113,6 +113,8 @@ read_files_pattern(svirt_t, virt_content_t, virt_content_t)
> dontaudit svirt_t virt_content_t:file write_file_perms;
> dontaudit svirt_t virt_content_t:dir write;
>
> +corenet_all_recvfrom_unlabeled(svirt_t)
> +corenet_all_recvfrom_netlabel(svirt_t)
> corenet_udp_sendrecv_generic_if(svirt_t)
> corenet_udp_sendrecv_generic_node(svirt_t)
> corenet_udp_sendrecv_all_ports(svirt_t)
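Review bot: `admin_pattern($1, virt_var_run_t)` and `admin_pattern($1, virt_var_lib_t)` do not reach the svirt_var_run_t trees that the virt.fc hunk of this patch labels under `/var/run/libvirt/qemu` and `/var/lib/libvirt/qemu`, so an administrator cleaning up a stale guest directory would still be denied there; if that is wanted, add `admin_pattern($1, svirt_var_run_t)` together with the type in `gen_require`. Whether the removed `virt_manage_pid_files`/`virt_manage_lib_files` calls covered those types is not visible in this hunk, so this may or may not be a regression. Note also that `admin_pattern` grants relabelfrom/relabelto plus management of fifo and sock files on each type, which is wider than what the commit message describes and deserves a sentence there.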
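Review bot: `corenet_all_recvfrom_unlabeled(svirt_t)` lets every confined guest domain receive packets that carry no SELinux label, which on a host with no SECMARK or NetLabel configuration is every packet; that is the usual refpolicy pairing for a networking domain, but the commit message's "Fix svirt networking for compatibility" does not say which denial motivated it. A comment above the two added lines, such as `# guests receive unlabeled/netlabel packets like any networking domain`, or a sentence in the commit message naming the observed denial, would make the widening reviewable. If virtd_t already carries the same pair elsewhere in virt.te (outside this hunk), the placement ahead of the `corenet_udp_*` rules is consistent with it.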
> @@ -189,17 +191,17 @@ allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
>
> manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
> manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
> -logging_log_filetrans(virtd_t, virt_log_t, { file dir })
> +logging_log_filetrans(virtd_t, virt_log_t, dir)
>
> manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> -files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
> +files_var_lib_filetrans(virtd_t, virt_var_lib_t, dir)
>
> manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
> manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
> manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
> -files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
> +files_pid_filetrans(virtd_t, virt_var_run_t, { dir file })
Please don't make unnecessary changes like this.
> kernel_read_system_state(virtd_t)
> kernel_read_network_state(virtd_t)
> @@ -332,7 +334,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - policykit_dbus_chat(virtd_t)
> + policykit_dbus_chat(virtd_t)
> policykit_domtrans_auth(virtd_t)
> policykit_domtrans_resolve(virtd_t)
> policykit_read_lib(virtd_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
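Review bot: Narrowing `logging_log_filetrans` and `files_var_lib_filetrans` to `dir` means any file virtd_t creates directly in /var/log or /var/lib would now take the parent directory's label instead of virt_log_t/virt_var_lib_t, and the `manage_files_pattern` rules above would no longer apply to it. The .fc entries in this patch (`/var/log/libvirt(/.*)?`, `/var/lib/libvirt/qemu(/.*)?`) only show the trees below those directories, so the commit message's claim that files live only inside them is plausible but not established by the diff; a short comment on each narrowed line, e.g. `# virtd only creates the libvirt subdirectory here; files live inside it`, would record the assumption for the next reader. The /var/run rule keeps `file`, which matches the `/var/run/libvirtd\.pid` entry the .fc hunk adds, and that contrast is worth stating in the same comment.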