From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 8 Nov 2011 10:01:38 -0500 Subject: [refpolicy] [PATCH 1/3] Introduce vde domain In-Reply-To: <20111023140825.GB14481@siphos.be> References: <20111023140743.GA14481@siphos.be> <20111023140825.GB14481@siphos.be> Message-ID: <4EB94452.9010009@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/23/11 10:08, Sven Vermeulen wrote: > > VDE, or Virtual Distributed Ethernet, is a process that simulates a > hub/switch within a virtual network. It can be used to provide both > simple and complex network environments within a virtual scope. > > We introduce the vde_t domain (and related types) here, and will later > patch qemu to (optionally) use VDE > > Signed-off-by: Sven Vermeulen > --- > vde.fc | 21 ++++++++++++++++++++ > vde.if | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > vde.te | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 146 insertions(+), 0 deletions(-) > create mode 100644 vde.fc > create mode 100644 vde.if > create mode 100644 vde.te > > diff --git a/vde.if b/vde.if > new file mode 100644 > index 0000000..987a8c2 > --- /dev/null > +++ b/vde.if 
> @@ -0,0 +1,65 @@ > +## Virtual Distributed Ethernet switch service > + > +######################################## > +## > +## The rules needed to manage the VDE switches > +## > +## > +## > +## The role to be allowed to manage the vde domain. > +## > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`vde_role',` > + gen_require(` > + type vde_t, vde_tmp_t; > + type vde_conf_t, vde_var_run_t; > + type vde_initrc_exec_t, vde_exec_t; > + ') > + > + role $1 types vde_t; > + > + allow $2 vde_t:process { ptrace signal_perms }; > + allow vde_t $2:process { sigchld signull }; > + allow vde_t $2:fd use; > + allow vde_t $2:tun_socket { relabelfrom }; > + allow vde_t self:tun_socket { relabelfrom relabelto }; > + ps_process_pattern($2, vde_t) > + > + domain_auto_trans($2, vde_exec_t, vde_t) > +') > + > +######################################## > +## > +## Allow communication with the VDE service > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`vde_connect',` > + gen_require(` > + type vde_t, vde_var_run_t, vde_tmp_t; > + ') > + > + allow $1 vde_var_run_t:sock_file write_sock_file_perms; > + allow $1 vde_t:unix_stream_socket { connectto }; > + allow $1 vde_t:unix_dgram_socket { sendto }; > + allow vde_t $1:unix_dgram_socket { sendto }; > + > + allow $1 vde_tmp_t:sock_file manage_sock_file_perms; > + files_tmp_filetrans($1, vde_tmp_t, sock_file) > + > + tunable_policy(`gentoo_try_dontaudit',` > + dontaudit $1 vde_var_run_t:sock_file { setattr }; > + ') Remember to remove these testing rules. It's also unnecessary to have the braces for single permissions. > +') > diff --git a/vde.te b/vde.te > new file mode 100644 > index 0000000..af00640 > --- /dev/null > +++ b/vde.te 
> @@ -0,0 +1,60 @@ > +policy_module(vde, 0.0.1) > + > +######################################## > +# > +# Declarations > +# > + > +type vde_t; > +type vde_exec_t; > +init_daemon_domain(vde_t, vde_exec_t) > + > +type vde_initrc_exec_t; > +init_script_file(vde_initrc_exec_t) > + > +type vde_conf_t; > +files_type(vde_conf_t); > + > +type vde_var_lib_t; > +files_type(vde_var_lib_t) > + > +type vde_var_run_t; > +files_pid_file(vde_var_run_t) > + > +type vde_tmp_t; > +files_tmp_file(vde_tmp_t) > + > +######################################## > +# > +# Local policy > +# > + > +allow vde_t self:process { signal_perms getcap setcap }; > +allow vde_t self:capability { chown net_admin dac_override fowner fsetid }; > +allow vde_t self:unix_stream_socket { create_stream_socket_perms connectto }; > +allow vde_t self:unix_dgram_socket create_socket_perms; > +allow vde_t vde_conf_t:dir list_dir_perms; > +allow vde_t vde_tmp_t:sock_file manage_sock_file_perms; Please move these down with the other rules. > + > +manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t) > +manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t) > +manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t) > +files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket }) > + > +files_tmp_filetrans(vde_t, vde_tmp_t, sock_file) > + > +read_files_pattern(vde_t, vde_conf_t, vde_conf_t) > +read_lnk_files_pattern(vde_t, vde_conf_t, vde_conf_t) > + > +corenet_rw_tun_tap_dev(vde_t) > + > +domain_use_interactive_fds(vde_t) > + > +files_read_etc_files(vde_t) I'm not clear why there is a need for vde_conf_t. It appears that it is only ever read, so it seems that etc_t would be fine. > +logging_send_syslog_msg(vde_t) > + > +miscfiles_read_localization(vde_t) > + > +userdom_use_user_terminals(vde_t) > + -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
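Review bot: in vde.if, the gen_require block of vde_role pulls in vde_tmp_t, vde_conf_t, vde_var_run_t and vde_initrc_exec_t, but the body of the interface only references vde_t and vde_exec_t; trim it to `type vde_t, vde_exec_t;` so the interface does not create spurious dependencies on types it never uses. If the initrc and var_run types were meant for an administrative interface (init script execution, managing the pid files), that belongs in a separate vde_admin interface rather than in the role interface. The `allow vde_t $2:tun_socket { relabelfrom }` together with `allow vde_t self:tun_socket { relabelfrom relabelto }` also deserves a one-line comment explaining which VDE operation hands a tun socket from the user domain to vde_t, since a reader of the interface cannot otherwise tell why the daemon needs to take over the caller's tun socket.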
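Review bot: in vde.te, the `files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })` call lists unix_dgram_socket, which is a socket class and not a file object class, so no type transition can apply to it; the socket file created in the pid directory is already covered by sock_file, so drop unix_dgram_socket from the class set. Two smaller points in the declarations: `files_type(vde_conf_t);` carries a stray trailing semicolon that none of the other interface calls have, and vde_var_lib_t is declared but no rule in the local policy grants vde_t access to it, so either add the manage rules for it or remove the type until it is needed. Finally, the capability set `{ chown net_admin dac_override fowner fsetid }` is broad for a userspace switch; net_admin is expected for tun/tap handling, but please confirm from the denials which operation actually requires dac_override, chown, fowner and fsetid, since dac_override in particular is usually a sign of wrong file ownership or mode on the socket directory rather than a real need.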