From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 12 Jul 2015 18:52:51 +0200
Subject: [refpolicy] [PATCH 1/2] virt: virtlockd fcontext and re-exec perm
In-Reply-To: <1436606203-7027-1-git-send-email-jason@perfinion.com>
References: <1436606203-7027-1-git-send-email-jason@perfinion.com>
Message-ID: <20150712165250.GA8841@x250>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Jul 11, 2015 at 01:16:42PM +0400, Jason Zaman wrote:
> virtlockd can re-exec itself to upgrade and keep its locks open.

I personally would prefer that this process is not associated with the virtd_t type.

>
> path="/usr/sbin/virtlockd" dev="zfs" ino=153197
> scontext=system_u:system_r:virtd_t
> tcontext=system_u:object_r:virtd_exec_t tclass=file
> ---
> virt.fc | 1 +
> virt.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/virt.fc b/virt.fc > index b38007b..a2facc9 100644 > --- a/virt.fc > +++ b/virt.fc > @@ -27,6 +27,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t > /usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0) > /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) > /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) > +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) > > /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) > > diff --git a/virt.te b/virt.te > index f8a59e4..ab8440d 100644 > --- a/virt.te > +++ b/virt.te
> @@ -524,6 +524,7 @@ stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_ > stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) > > can_exec(virtd_t, virt_tmp_t) > +can_exec(virtd_t, virtd_exec_t) > > kernel_read_crypto_sysctls(virtd_t) > kernel_read_system_state(virtd_t) > -- > 2.3.6
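Review bot: in the virt.fc hunk, labeling /usr/sbin/virtlockd as virtd_exec_t runs the lock daemon in the full virtd_t domain instead of a domain of its own; virtlockd only has to keep its lock files open across a self re-exec, so it needs a small fraction of what libvirtd is allowed, and this labeling is also what forces the extra rule in the virt.te hunk. Consider a dedicated entrypoint type and domain for it (for example virtlockd_exec_t and virtlockd_t, names suggested here rather than taken from the patch) carrying only the rules its own denials require.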
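Review bot: the added can_exec(virtd_t, virtd_exec_t) line grants virtd_t execute_no_trans on its own entrypoint file, which widens the whole libvirtd domain to cover a need the commit message attributes only to virtlockd's self re-exec; with a separate domain the rule would be can_exec(virtlockd_t, virtlockd_exec_t) and virtd_t would stay as it was. The quoted AVC excerpt also leaves out the denied permission set (the { ... } after avc: denied in the audit record), so it should go into the commit message to confirm that execute_no_trans is what was refused and not something narrower.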