From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 23 Oct 2011 16:08:25 +0200 Subject: [refpolicy] [PATCH 1/3] Introduce vde domain In-Reply-To: <20111023140743.GA14481@siphos.be> References: <20111023140743.GA14481@siphos.be> Message-ID: <20111023140825.GB14481@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com VDE, or Virtual Distributed Ethernet, is a process that simulates a hub/switch within a virtual network. It can be used to provide both simple and complex network environments within a virtual scope. We introduce the vde_t domain (and related types) here, and will later patch qemu to (optionally) use VDE Signed-off-by: Sven Vermeulen
---
vde.fc | 21 ++++++++++++++++++++
vde.if | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
vde.te | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+), 0 deletions(-)
create mode 100644 vde.fc
create mode 100644 vde.if
create mode 100644 vde.te
diff --git a/vde.fc b/vde.fc
new file mode 100644
index 0000000..00e7e36
--- /dev/null
+++ b/vde.fc
@@ -0,0 +1,21 @@
+#
+# /etc
+#
+/etc/init.d/vde -- gen_context(system_u:object_r:vde_initrc_exec_t,s0)
+/etc/vde2(/.*)? gen_context(system_u:object_r:vde_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vde_switch -- gen_context(system_u:object_r:vde_exec_t,s0)
+/usr/sbin/vde_tunctl -- gen_context(system_u:object_r:vde_exec_t,s0)
+
+#
+# /var
+#
+/var/run/vde\.ctl(/.*)? gen_context(system_u:object_r:vde_var_run_t,s0)
+
+#
+# /tmp
+#
+/tmp/vde.[0-9-]* -s gen_context(system_u:object_r:vde_tmp_t,s0)
diff --git a/vde.if b/vde.if
new file mode 100644
index 0000000..987a8c2
--- /dev/null
+++ b/vde.if
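Review bot: The last `/tmp` entry uses an unescaped `.` in `/tmp/vde.[0-9-]*`, so it matches any character after `vde` (e.g. `/tmp/vdeX1`) instead of the literal dot, unlike the `/var/run/vde\.ctl(/.*)?` entry above it; write it as `/tmp/vde\.[0-9-]*	-s	gen_context(system_u:object_r:vde_tmp_t,s0)`. Labeling `/tmp` contents from a file-context file is unusual in refpolicy, since vde.te already relabels the socket at creation time through `files_tmp_filetrans`; if the entry is kept, a comment naming which socket it covers (presumably a per-instance socket vde_switch creates there — confirm against the daemon) would help the next maintainer. Note also that `/usr/sbin/vde_tunctl` shares `vde_exec_t` with the switch, so running it transitions into `vde_t` and inherits every rule granted to the daemon; a one-line comment stating that this is intended would avoid it being "cleaned up" later.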
@@ -0,0 +1,65 @@
+## Virtual Distributed Ethernet switch service
+
+########################################
+##
+## The rules needed to manage the VDE switches
+##
+##
+##
+## The role to be allowed to manage the vde domain.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`vde_role',`
+ gen_require(`
+ type vde_t, vde_tmp_t;
+ type vde_conf_t, vde_var_run_t;
+ type vde_initrc_exec_t, vde_exec_t;
+ ')
+
+ role $1 types vde_t;
+
+ allow $2 vde_t:process { ptrace signal_perms };
+ allow vde_t $2:process { sigchld signull };
+ allow vde_t $2:fd use;
+ allow vde_t $2:tun_socket { relabelfrom };
+ allow vde_t self:tun_socket { relabelfrom relabelto };
+ ps_process_pattern($2, vde_t)
+
+ domain_auto_trans($2, vde_exec_t, vde_t)
+')
+
+########################################
+##
+## Allow communication with the VDE service
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`vde_connect',`
+ gen_require(`
+ type vde_t, vde_var_run_t, vde_tmp_t;
+ ')
+
+ allow $1 vde_var_run_t:sock_file write_sock_file_perms;
+ allow $1 vde_t:unix_stream_socket { connectto };
+ allow $1 vde_t:unix_dgram_socket { sendto };
+ allow vde_t $1:unix_dgram_socket { sendto };
+
+ allow $1 vde_tmp_t:sock_file manage_sock_file_perms;
+ files_tmp_filetrans($1, vde_tmp_t, sock_file)
+
+ tunable_policy(`gentoo_try_dontaudit',`
+ dontaudit $1 vde_var_run_t:sock_file { setattr };
+ ')
+')
diff --git a/vde.te b/vde.te
new file mode 100644
index 0000000..af00640
--- /dev/null
+++ b/vde.te
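Review bot: `vde_connect` grants `write_sock_file_perms` on `vde_var_run_t:sock_file` but no `search` on the `vde_var_run_t` directory, so a client cannot traverse `/var/run/vde.ctl/` to reach the control socket unless it already has that access from elsewhere; add `allow $1 vde_var_run_t:dir search_dir_perms;` and `files_search_pids($1)` so the interface is self-contained. The `tunable_policy` block at the end references a gentoo_try_dontaudit tunable that, as far as I can tell, refpolicy upstream does not declare, so the module will not build against the list this patch is sent to unless that boolean exists in global_tunables — a plain `dontaudit $1 vde_var_run_t:sock_file setattr;` is the portable form. In `vde_role`, `vde_tmp_t`, `vde_conf_t`, `vde_var_run_t` and `vde_initrc_exec_t` are pulled in by `gen_require` but never used by the interface and should be dropped. The `ptrace` grant to `$2` over a domain that (per vde.te) carries `net_admin` and `dac_override` deserves a one-line comment stating why a user role needs it, given that `signal_perms` plus `ps_process_pattern` already cover the usual management case.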
@@ -0,0 +1,60 @@
+policy_module(vde, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type vde_t;
+type vde_exec_t;
+init_daemon_domain(vde_t, vde_exec_t)
+
+type vde_initrc_exec_t;
+init_script_file(vde_initrc_exec_t)
+
+type vde_conf_t;
+files_type(vde_conf_t);
+
+type vde_var_lib_t;
+files_type(vde_var_lib_t)
+
+type vde_var_run_t;
+files_pid_file(vde_var_run_t)
+
+type vde_tmp_t;
+files_tmp_file(vde_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vde_t self:process { signal_perms getcap setcap };
+allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
+allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow vde_t self:unix_dgram_socket create_socket_perms;
+allow vde_t vde_conf_t:dir list_dir_perms;
+allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
+
+manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
+
+files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
+
+read_files_pattern(vde_t, vde_conf_t, vde_conf_t)
+read_lnk_files_pattern(vde_t, vde_conf_t, vde_conf_t)
+
+corenet_rw_tun_tap_dev(vde_t)
+
+domain_use_interactive_fds(vde_t)
+
+files_read_etc_files(vde_t)
+
+logging_send_syslog_msg(vde_t)
+
+miscfiles_read_localization(vde_t)
+
+userdom_use_user_terminals(vde_t)
+
-- 1.7.3.4
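Review bot: The `files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })` call lists `unix_dgram_socket`, which is not a file class and, as far as I can tell, never produces a usable `type_transition` through the `/var/run` directory; the class set should be `{ dir file sock_file }`. `vde_var_lib_t` is declared with `files_type` but has no rules in this file and no entry in vde.fc, so either drop it or add its `/var/lib` context and `manage_*_pattern` rules. `files_type(vde_conf_t);` carries a stray semicolon after the macro call, unlike every other call in the file, which may leave an empty statement in the expanded policy — remove it. `dac_override` is the broadest capability in the `self:capability` set; `chown fowner fsetid` already cover re-owning and chmod'ing the control socket, so `dac_override` should be justified in a comment or dropped once it is confirmed not to be denied in testing. When the daemon is started from init rather than through `vde_role`, this file grants no `self:tun_socket` permissions at all, so attaching a TAP device presumably needs `allow vde_t self:tun_socket create_socket_perms;` here — worth confirming on the target kernel.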