From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 23 Feb 2017 20:32:27 -0500
Subject: [refpolicy] [PATCH] xen and qemu patch
In-Reply-To: <20170221083238.27ktbzjcs53ouiqq@athena.coker.com.au>
References: <20170221083238.27ktbzjcs53ouiqq@athena.coker.com.au>
Message-ID: <17fafca9-22ab-7396-a10d-30be68e86bbc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/21/17 03:32, Russell Coker via refpolicy wrote:
> As an aside I no longer use xen and don't have a test environment for it.
>
> If there are any disagreements with the xen policy I'll just remove the
> disputed rules and add them again when someone who uses xen has a problem.
>
> Regardless of the inability to test current changes, the policy has worked
> well for me for years and I think it should be included.

Merged, though I made a few minor changes.

> Description: xen and qemu patches
> Author: Russell Coker
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.te
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.te
> @@ -85,6 +85,9 @@ files_mountpoint(xend_var_lib_t)
> type xend_var_log_t;
> logging_log_file(xend_var_log_t)
>
> +type xen_lock_t;
> +files_lock_file(xen_lock_t)
> +
> type xend_var_run_t;
> files_pid_file(xend_var_run_t)
> files_mountpoint(xend_var_run_t)
> @@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
> kernel_read_xen_state(xend_t)
> kernel_rw_net_sysctls(xend_t)
> kernel_read_network_state(xend_t)
> +kernel_read_vm_sysctls(xend_t)
>
> corecmd_exec_bin(xend_t)
> corecmd_exec_shell(xend_t)
> @@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
> fs_manage_xenfs_files(xend_t)
>
> storage_read_scsi_generic(xend_t)
> +# for lsscsi
> +storage_getattr_fixed_disk_dev(xend_t)
>
> term_setattr_generic_ptys(xend_t)
> term_getattr_all_ptys(xend_t)
> @@ -444,6 +450,7 @@ stream_connect_pattern(xenstored_t, evtc
> kernel_write_xen_state(xenstored_t)
> kernel_read_xen_state(xenstored_t)
>
> +corecmd_search_bin(xenstored_t)
> dev_filetrans_xen(xenstored_t)
> dev_rw_xen(xenstored_t)
> dev_read_sysfs(xenstored_t)
> @@ -470,12 +477,19 @@ xen_append_log(xenstored_t)
> # xm local policy
> #
>
> -allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
> -allow xm_t self:process { getcap getsched setsched setcap signal };
> +allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
> +allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
> allow xm_t self:fifo_file rw_fifo_file_perms;
> allow xm_t self:unix_stream_socket { accept connectto listen };
> allow xm_t self:tcp_socket { accept listen };
>
> +allow xm_t xend_var_run_t:dir rw_dir_perms;
> +
> +files_lock_filetrans(xm_t, xen_lock_t, file)
> +allow xm_t xen_lock_t:file manage_file_perms;
> +
> +manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
> +
> manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> @@ -494,6 +508,8 @@ xen_stream_connect_xenstore(xm_t)
>
> can_exec(xm_t, xm_exec_t)
>
> +kernel_load_module(xm_t)
> +kernel_request_load_module(xm_t)
> kernel_read_system_state(xm_t)
> kernel_read_network_state(xm_t)
> kernel_read_kernel_sysctls(xm_t)
> @@ -517,8 +533,11 @@ dev_read_rand(xm_t)
> dev_read_urand(xm_t)
> dev_read_sysfs(xm_t)
>
> +domain_use_interactive_fds(xm_t)
> +
> files_read_etc_runtime_files(xm_t)
> files_read_etc_files(xm_t)
> +files_read_kernel_img(xm_t)
> files_read_usr_files(xm_t)
> files_search_pids(xm_t)
> files_search_var_lib(xm_t)
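Review bot: `net_admin` is added to the xm_t self:capability set without a comment saying which operation needs it, while the same patch also gives xm_t `sysnet_domtrans_ifconfig` and `iptables_domtrans`, which already run the network configuration tools in their own domains. If those transitions cover the vif/bridge setup, the capability on xm_t itself may be unnecessary; if it is needed (for example for a direct netlink call from xl), a one-line comment such as `# net_admin: <operation seen in the AVC denial>` above the rule would let a later reviewer keep or drop it with confidence. The `sigkill` addition is reasonable for a toolstack that destroys guests but would benefit from the same justification.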
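Review bot: `kernel_load_module(xm_t)` grants xm_t the sys_module capability, i.e. the ability to load kernel modules directly, which is a much larger privilege than the adjacent `kernel_request_load_module(xm_t)`, which only permits triggering the kernel's module autoloader. Unless xl/xm was actually observed calling init_module/finit_module, the request interface alone is normally what a management tool needs, and dropping `kernel_load_module(xm_t)` keeps a compromised toolstack from loading arbitrary code into the dom0 kernel. If both are genuinely required, a comment naming the module being loaded would justify keeping the wider rule.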
> @@ -530,19 +549,24 @@ fs_manage_xenfs_dirs(xm_t)
> fs_manage_xenfs_files(xm_t)
> fs_search_auto_mountpoints(xm_t)
>
> -storage_raw_read_fixed_disk(xm_t)
> -
> -term_use_all_terms(xm_t)
> -
> init_stream_connect_script(xm_t)
> init_rw_script_stream_sockets(xm_t)
> init_use_fds(xm_t)
>
> logging_send_syslog_msg(xm_t)
> -
> miscfiles_read_localization(xm_t)
>
> +storage_raw_read_fixed_disk(xm_t)
> sysnet_dns_name_resolve(xm_t)
> +sysnet_domtrans_ifconfig(xm_t)
> +
> +term_use_all_terms(xm_t)
> +
> +# for vif-bridge to write to /run/xen-hotplug/iptables
> +# maybe we need a different label for /run/xen-hotplug
> +udev_manage_pid_files(xm_t)
> +
> +userdom_dontaudit_search_user_home_content(xm_t)
>
> tunable_policy(`xen_use_fusefs',`
> fs_manage_fusefs_dirs(xm_t)
> @@ -563,6 +587,21 @@ tunable_policy(`xen_use_samba',`
> ')
>
> optional_policy(`
> + unconfined_run_to(xm_t, xm_exec_t)
> +')
> +
> +optional_policy(`
> + qemu_domtrans(xm_t)
> + qemu_signal(xm_t)
> + qemu_stream_connect(xm_t)
> + qemu_unlink_socket(xm_t)
> +')
> +
> +optional_policy(`
> + iptables_domtrans(xm_t)
> +')
> +
> +optional_policy(`
> cron_system_entry(xm_t, xm_exec_t)
> ')
>
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.fc
> @@ -14,7 +14,7 @@
> /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
> /usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
> /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
> -
> +/usr/lib/xen-.*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
> /var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
> /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
> /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
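Review bot: `udev_manage_pid_files(xm_t)` gives xm_t create/write/delete access to everything labelled as udev's runtime files, while the comment above it says the only need is vif-bridge writing /run/xen-hotplug/iptables. The comment's own suggestion is the tighter fix: a dedicated type for /run/xen-hotplug (declared next to xen_lock_t, with a matching xen.fc entry and a filetrans from xm_t) would confine the write to that directory instead of udev's whole pid-file space. Until that exists, the comment should at least record the denial that motivated the rule, so the wider access is not later mistaken for a requirement.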
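Review bot: `/usr/lib/xen-.*/xl` in the xen.fc hunk uses `.*`, which also matches `/`, so the pattern labels an `xl` at any depth below any `/usr/lib/xen-*` directory as xm_exec_t rather than only the toolstack binary in the versioned directory. The qemu.fc entry in this same series uses `[^/]*` for a single path component; `/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)` restricts the match to the intended location. Over-broad entry-point labels matter here because xm_exec_t is the entry point for the domain transition into xm_t.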
> @@ -25,11 +25,13 @@
> /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
> /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
> /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
> +/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
>
> /run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
> /run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
> /run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
> /run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
> +/var/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
> /run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
> /run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
> /run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.if
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.if
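Review bot: `/var/run/xen -d` is written with the `/var/run` prefix while every other runtime entry in this hunk uses `/run` (e.g. `/run/xend(/.*)?`), and the qemu.fc hunk later in the patch has the same mismatch in `/var/run/xen/qmp.*`. Mixing the two spellings relies on the distribution's path substitution to produce one label and is easy to get wrong on a system where only one of the paths is substituted; `/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)` keeps the file consistent. Note also that `-d` labels only the directory itself, so anything created under it takes the qemu.fc label or the runtime default; if that is intentional, a short comment on the entry would save the next reader from wondering.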
> @@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
>
> ########################################
> ##
> +## Create in a xend_var_run_t directory
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The type of the object to be created.
> +##
> +##
> +##
> +##
> +## The object class of the object being created.
> +##
> +##
> +#
> +interface(`create_in_xend_var_run',`
> + gen_require(`
> + type xend_var_run_t;
> + ')
> +
> + filetrans_pattern($1, xend_var_run_t, $2, $3)
> +')
> +
> +########################################
> +##
> ## Execute a domain transition to run xm.
> ##
> ##
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.te
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.te
> @@ -25,11 +25,20 @@ role qemu_roles types qemu_t;
> type qemu_unit_t;
> init_unit_file(qemu_unit_t)
>
> +type qemu_var_run_t;
> +files_pid_file(qemu_var_run_t);
> +files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
> +allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
> +
> ########################################
> #
> # Local policy
> #
>
> +kernel_read_crypto_sysctls(qemu_t)
> +
> +dev_read_sysfs(qemu_t)
> +
> tunable_policy(`qemu_full_network',`
> corenet_udp_sendrecv_generic_if(qemu_t)
> corenet_udp_sendrecv_generic_node(qemu_t)
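Review bot: The new xen.if interface is named `create_in_xend_var_run` without the module's `xen_` prefix, unlike `xen_stream_connect` directly above it, which breaks the convention that lets a reader tell from a call site which module provides the call; a name under the module prefix, e.g. `xen_filetrans_xend_var_run` (placeholder, choose per project convention), would fix that. The body also only grants the transition into xend_var_run_t; the caller still needs search access on /run to reach that directory, so adding `files_search_pids($1)` before the `filetrans_pattern` line makes the interface self-contained, the way `qemu_stream_connect` in this same patch does.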
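Review bot: `files_pid_file(qemu_var_run_t);` in the qemu.te hunk carries a trailing semicolon that no other interface call in the hunk has; interface calls are m4 macros that expand to complete statements, so the stray `;` becomes an empty statement in the expanded policy, which is at best inconsistent and may be rejected by the policy compiler — it should read `files_pid_file(qemu_var_run_t)`. The `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` and `allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;` rules are placed in the declarations section above the `# Local policy` header; the module's layout puts only type declarations there, so those two lines belong below the header alongside `kernel_read_crypto_sysctls(qemu_t)`.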
> @@ -41,6 +50,16 @@ tunable_policy(`qemu_full_network',`
> ')
>
> optional_policy(`
> + fs_manage_xenfs_files(qemu_t)
> + xen_stream_connect_xenstore(qemu_t)
> + dev_rw_xen(qemu_t)
> + xen_append_log(qemu_t)
> + create_in_xend_var_run(qemu_t, qemu_var_run_t, sock_file)
> +')
> +optional_policy(`
> + permit_in_unconfined_r(qemu_t)
> +')
> +optional_policy(`
> xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
> ')
>
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.fc
> @@ -6,3 +6,4 @@
> /usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
>
> /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
> +/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.if
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.if
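Review bot: The first new `optional_policy` block mixes calls into the xen module (`xen_stream_connect_xenstore`, `xen_append_log`, `create_in_xend_var_run`) with `fs_manage_xenfs_files(qemu_t)` and `dev_rw_xen(qemu_t)`, which come from the always-present kernel and devices layers and do not depend on the xen module being loaded. Those two should sit unconditionally in the local policy section, leaving the optional block with only xen_ interfaces; if the intent is that qemu touches xenfs and the xen devices only when used under Xen, a comment saying so should accompany them instead. The three `optional_policy` blocks are also run together without the blank line that separates them elsewhere in the file, and `permit_in_unconfined_r(qemu_t)` makes qemu_t runnable under unconfined_r on every build that includes the unconfined module, which deserves a comment naming the caller (presumably xl launched from an unconfined session) that needs the role association.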
> @@ -374,3 +374,41 @@ interface(`qemu_entry_type',`
>
> domain_entry_file($1, qemu_exec_t)
> ')
> +
> +########################################
> +##
> +## Connect to qemu with a unix
> +## domain stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`qemu_stream_connect',`
> + gen_require(`
> + type qemu_t, qemu_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
> +')
> +
> +########################################
> +##
> +## Unlink qemu socket
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`qemu_unlink_socket',`
> + gen_require(`
> + type qemu_t, qemu_var_run_t;
> + ')
> +
> + allow $1 qemu_var_run_t:sock_file unlink;
> +')
> Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170221/policy/modules/system/unconfined.if
> @@ -319,6 +319,24 @@ interface(`unconfined_run_to',`
>
> ########################################
> ##
> +## Allow the specified domain to be in the unconfined role
> +##
> +##
> +##
> +## Domain to permit in unconfined_r
> +##
> +##
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> +
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +##
> ## Inherit file descriptors from the unconfined domain.
> ##
> ##
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
--
Chris PeBenito
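Review bot: `qemu_unlink_socket` lists `type qemu_t` in its `gen_require` but never uses it — the body only references `qemu_var_run_t` — so the require should be trimmed to `type qemu_var_run_t;`; unused requires misstate what a call depends on. The interface also grants `unlink` on the socket without any search access on the directory holding it, so a caller that has not separately been given `files_search_pids` (and search on the socket's parent) will still be denied at lookup time; either add `files_search_pids($1)` as `qemu_stream_connect` does, or say in the summary that the caller must reach the directory itself. The xen.te hunk earlier in this patch calls both interfaces from xm_t, so whichever choice is made should be checked against that caller.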
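Review bot: `permit_in_unconfined_r` lacks the `unconfined_` prefix every other interface in this file carries (`unconfined_run_to` is its neighbour in the hunk), so a reader cannot tell from a call site which module provides it; a name under the module prefix, e.g. `unconfined_role_types` (placeholder, choose per convention), keeps the naming rule intact. The summary should also say what the rule means for the caller: `role unconfined_r types $1;` makes processes of the given type permitted to run under unconfined_r, which is why the qemu.te hunk asks for it for qemu_t; stating that plainly helps a reviewer judge whether a given domain should be given that association.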