From: dac.override@gmail.com (Dominick Grift) Date: Fri, 13 May 2016 21:30:47 +0200 Subject: [refpolicy] [PATCH 2/2] virt: add policy for virtlogd In-Reply-To: <1463144898-17748-2-git-send-email-jason@perfinion.com> References: <1463144898-17748-1-git-send-email-jason@perfinion.com> <1463144898-17748-2-git-send-email-jason@perfinion.com> Message-ID: <6a8e840c-b25f-d29d-40e0-da5a04211ea3@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 05/13/2016 03:08 PM, Jason Zaman wrote: > --- virt.fc | 1 + virt.te | 40 > ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 > insertions(+) > > diff --git a/virt.fc b/virt.fc index f7e0ce8..7d9456a 100644 --- > a/virt.fc +++ b/virt.fc @@ -32,6 +32,7 @@ > HOME_DIR/VirtualMachines/isos(/.*)? > gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf > -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) > /usr/sbin/libvirtd -- > gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd > -- gen_context(system_u:object_r:virtlockd_exec_t,s0) > +/usr/sbin/virtlogd -- > gen_context(system_u:object_r:virtlogd_exec_t,s0) > > /var/cache/libvirt(/.*)? > gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) > > diff --git a/virt.te b/virt.te index 6e72a87..a3b6472 100644 --- > a/virt.te +++ b/virt.te 
@@ -208,12 +208,21 @@ > files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; > files_type(virtlockd_var_lib_t) > > +type virtlogd_t; +type virtlogd_exec_t; > +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type > virtlogd_run_t; +files_pid_file(virtlogd_run_t) + > ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, > virtlockd_exec_t, s0 - mcs_systemhigh) + > init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - > mcs_systemhigh) ') > > ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, > virtlockd_exec_t, s0 - mls_systemhigh) + > init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - > mls_systemhigh) ') > > ######################################## 
@@ -234,6 +243,9 @@ allow > virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file > rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; > > +allow virt_domain virtlogd_t:fd use; +allow virt_domain > virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain > virtd_t:unix_stream_socket { read write }; > > manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ > -468,6 +480,9 @@ dontaudit virtd_t virt_domain:process { siginh > noatsecure rlimitinh }; allow virtd_t { virt_domain > svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms > connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; > > +allow virtd_t virtlogd_t:fd use; +allow virtd_t > virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t > virtd_lxc_t:process { signal signull sigkill }; > > domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -554,6 > +569,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, > virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, > virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) > stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, > virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, > virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, > virt_var_run_t, virtlogd_run_t, virtlogd_t) > > can_exec(virtd_t, virt_tmp_t) 
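Review bot: The two new `rw_fifo_file_perms` grants on `virtlogd_t:fifo_file` look wider than needed; they appear for `virt_domain` in the hunk at -234 and again for `virtd_t` in the hunk at -468. That permission set includes `open` and `read`, while the `fd use` rule added next to each one suggests the pipe is only handed over as an already-open descriptor for console output to be written into. That usage is inferred from the rules, not shown in the patch. If it holds, something like `allow virt_domain virtlogd_t:fifo_file { getattr write append ioctl };` would keep a confined guest from doing more with the log daemon's pipes than logging. The existing `virtd_t:fifo_file` rule beside it uses the same wide set, so a narrower grant here is a deliberate departure and deserves a one-line comment.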
> > @@ -1315,3 +1331,27 @@ miscfiles_read_localization(virtlockd_t) > > virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + > +######################################## +# +# Virtlogd local > policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + > +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) > +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, > virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, > virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, > virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + > +ps_process_pattern(virtlogd_t, virtd_t) + This patter includes a "getattr process" and is therefore not suitable for this. Instead the following would be appropriate: allow virtlogd_t virtd_t:dir list_dir_perms; allow virtlogd_t virtd_t:file read_file_perms; allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; > +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) > + +miscfiles_read_localization(virtlogd_t) + > +virt_append_log(virtlogd_t) +virt_read_config(virtlogd_t) > - -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCAAGBQJXNitdAAoJECV0jlU3+UdpjzIL/2JIN2uhdDkGLom7Q5oVjK44 IAQTaJ6LDVEg6GeBxono3PmDW/98eCRKk0gDS/Dluls51BYQiRT0a3Y+bohfR/kJ qJp1tzNfjLai6P92oc4VWVaZTB5xPTopS/nv3ih7/klF0lQUc2Eb6DEYHsnrWHlk CbadWLmvbzBl2H3iFMuERC6yzP4Pvbwe1wKWVzL1g0sYwwvANK9WOaTdLxWi69Aw 3QY1b4kdtuAG1CCYp3KeC50G7q5SVI8Dk00NYMQ+ab9KFs9AgLYx8d2+FRQAnri5 oBpkD60jIry5NoaLI2/5Z9d5faCBuoTypINsQcZSIikcmXIkgfDwWXuUuzRQ05UR AGRVIBR79kmr3Ho1l7sdE8S0HWM/X6YU7KD7C61g5i2nDGWlMUon0Ur5NC2EMpUj BPJQR7fkZd4RXbQDsKTy+gnjMRKr/5NowdJBnZN64JvEF/JOunxHBYk+xx1R1lSp ABOdDRwLta8iFz8VMaZ3ZgrLCz9tBbYoz6s+vVqMJA== =FPnJ -----END PGP SIGNATURE-----
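Review bot: `can_exec(virtlogd_t, virtlogd_exec_t)` in the new "Virtlogd local policy" block lets the daemon execute its own entrypoint binary without a domain transition, and nothing in the hunk says why. If this is for the daemon re-executing itself across a restart (inferred, not visible here), a comment above the rule such as `# virtlogd re-executes itself on restart to keep its open log pipes` would let a later reviewer confirm it is intentional. `files_list_var_lib(virtlogd_t)` has the same gap: no virtlogd var_lib type is declared in this patch, so it is unclear which directory the daemon needs to list.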