From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 23 Feb 2017 20:32:27 -0500
Subject: [refpolicy] [PATCH] xen and qemu patch
In-Reply-To: <20170221083238.27ktbzjcs53ouiqq@athena.coker.com.au>
References: <20170221083238.27ktbzjcs53ouiqq@athena.coker.com.au>
Message-ID: <17fafca9-22ab-7396-a10d-30be68e86bbc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/21/17 03:32, Russell Coker via refpolicy wrote:
> As an aside I no longer use xen and don't have a test environment for it.
>
> If there are any disagreements with the xen policy I'll just remove the
> disputed rules and add them again when someone who uses xen has a problem.
>
> Regardless of the inability to test current changes, the policy has worked
> well for me for years and I think it should be included.

Merged, though I made a few minor changes.


> Description: xen and qemu patches
> Author: Russell Coker <russell@coker.com.au>
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.te
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.te
> @@ -85,6 +85,9 @@ files_mountpoint(xend_var_lib_t)
>  type xend_var_log_t;
>  logging_log_file(xend_var_log_t)
>
> +type xen_lock_t;
> +files_lock_file(xen_lock_t)
> +
>  type xend_var_run_t;
>  files_pid_file(xend_var_run_t)
>  files_mountpoint(xend_var_run_t)
> @@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
>  kernel_read_xen_state(xend_t)
>  kernel_rw_net_sysctls(xend_t)
>  kernel_read_network_state(xend_t)
> +kernel_read_vm_sysctls(xend_t)
>
>  corecmd_exec_bin(xend_t)
>  corecmd_exec_shell(xend_t)
> @@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
>  fs_manage_xenfs_files(xend_t)
>
>  storage_read_scsi_generic(xend_t)
> +# for lsscsi
> +storage_getattr_fixed_disk_dev(xend_t)
>
>  term_setattr_generic_ptys(xend_t)
>  term_getattr_all_ptys(xend_t)
> @@ -444,6 +450,7 @@ stream_connect_pattern(xenstored_t, evtc
>  kernel_write_xen_state(xenstored_t)
>  kernel_read_xen_state(xenstored_t)
>
> +corecmd_search_bin(xenstored_t)
>  dev_filetrans_xen(xenstored_t)
>  dev_rw_xen(xenstored_t)
>  dev_read_sysfs(xenstored_t)
> @@ -470,12 +477,19 @@ xen_append_log(xenstored_t)
>  # xm local policy
>  #
>
> -allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
> -allow xm_t self:process { getcap getsched setsched setcap signal };
> +allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
> +allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
>  allow xm_t self:fifo_file rw_fifo_file_perms;
>  allow xm_t self:unix_stream_socket { accept connectto listen };
>  allow xm_t self:tcp_socket { accept listen };
>
> +allow xm_t xend_var_run_t:dir rw_dir_perms;
> +
> +files_lock_filetrans(xm_t, xen_lock_t, file)
> +allow xm_t xen_lock_t:file manage_file_perms;
> +
> +manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
> +
>  manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
>  manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
>  manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> @@ -494,6 +508,8 @@ xen_stream_connect_xenstore(xm_t)
>
>  can_exec(xm_t, xm_exec_t)
>
> +kernel_load_module(xm_t)
> +kernel_request_load_module(xm_t)
>  kernel_read_system_state(xm_t)
>  kernel_read_network_state(xm_t)
>  kernel_read_kernel_sysctls(xm_t)
> @@ -517,8 +533,11 @@ dev_read_rand(xm_t)
>  dev_read_urand(xm_t)
>  dev_read_sysfs(xm_t)
>
> +domain_use_interactive_fds(xm_t)
> +
>  files_read_etc_runtime_files(xm_t)
>  files_read_etc_files(xm_t)
> +files_read_kernel_img(xm_t)
>  files_read_usr_files(xm_t)
>  files_search_pids(xm_t)
>  files_search_var_lib(xm_t)
> @@ -530,19 +549,24 @@ fs_manage_xenfs_dirs(xm_t)
>  fs_manage_xenfs_files(xm_t)
>  fs_search_auto_mountpoints(xm_t)
>
> -storage_raw_read_fixed_disk(xm_t)
> -
> -term_use_all_terms(xm_t)
> -
>  init_stream_connect_script(xm_t)
>  init_rw_script_stream_sockets(xm_t)
>  init_use_fds(xm_t)
>
>  logging_send_syslog_msg(xm_t)
> -
>  miscfiles_read_localization(xm_t)
>
> +storage_raw_read_fixed_disk(xm_t)
>  sysnet_dns_name_resolve(xm_t)
> +sysnet_domtrans_ifconfig(xm_t)
> +
> +term_use_all_terms(xm_t)
> +
> +# for vif-bridge to write to /run/xen-hotplug/iptables
> +# maybe we need a different label for /run/xen-hotplug
> +udev_manage_pid_files(xm_t)
> +
> +userdom_dontaudit_search_user_home_content(xm_t)
>
>  tunable_policy(`xen_use_fusefs',`
>  	fs_manage_fusefs_dirs(xm_t)
> @@ -563,6 +587,21 @@ tunable_policy(`xen_use_samba',`
>  ')
>
>  optional_policy(`
> +	unconfined_run_to(xm_t, xm_exec_t)
> +')
> +
> +optional_policy(`
> +	qemu_domtrans(xm_t)
> +	qemu_signal(xm_t)
> +	qemu_stream_connect(xm_t)
> +	qemu_unlink_socket(xm_t)
> +')
> +
> +optional_policy(`
> +	iptables_domtrans(xm_t)
> +')
> +
> +optional_policy(`
>  	cron_system_entry(xm_t, xm_exec_t)
>  ')
>
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.fc
> @@ -14,7 +14,7 @@
>  /usr/sbin/xenstored	--	gen_context(system_u:object_r:xenstored_exec_t,s0)
>  /usr/sbin/xl	--	gen_context(system_u:object_r:xm_exec_t,s0)
>  /usr/sbin/xm	--	gen_context(system_u:object_r:xm_exec_t,s0)
> -
> +/usr/lib/xen-.*/xl --	gen_context(system_u:object_r:xm_exec_t,s0)
>  /var/lib/xen(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
>  /var/lib/xen/images(/.*)?	gen_context(system_u:object_r:xen_image_t,s0)
>  /var/lib/xend(/.*)?	gen_context(system_u:object_r:xend_var_lib_t,s0)
> @@ -25,11 +25,13 @@
>  /var/log/xen-hotplug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
>  /var/log/xend\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
>  /var/log/xend-debug\.log.*	--	gen_context(system_u:object_r:xend_var_log_t,s0)
> +/var/lock/xl	--	gen_context(system_u:object_r:xen_lock_t,s0)
>
>  /run/evtchnd	-s	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
>  /run/evtchnd\.pid	--	gen_context(system_u:object_r:evtchnd_var_run_t,s0)
>  /run/xenconsoled\.pid	--	gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
>  /run/xend(/.*)?	gen_context(system_u:object_r:xend_var_run_t,s0)
> +/var/run/xen		-d	gen_context(system_u:object_r:xend_var_run_t,s0)
>  /run/xend\.pid	--	gen_context(system_u:object_r:xend_var_run_t,s0)
>  /run/xenner(/.*)?	gen_context(system_u:object_r:xend_var_run_t,s0)
>  /run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.if
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.if
> @@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
>
>  ########################################
>  ## <summary>
> +##	Create in a xend_var_run_t directory
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="private type">
> +##      <summary>
> +##      The type of the object to be created.
> +##      </summary>
> +## </param>
> +## <param name="object">
> +##      <summary>
> +##      The object class of the object being created.
> +##      </summary>
> +## </param>
> +#
> +interface(`create_in_xend_var_run',`
> +	gen_require(`
> +		type xend_var_run_t;
> +	')
> +
> +	filetrans_pattern($1, xend_var_run_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute a domain transition to run xm.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.te
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.te
> @@ -25,11 +25,20 @@ role qemu_roles types qemu_t;
>  type qemu_unit_t;
>  init_unit_file(qemu_unit_t)
>
> +type qemu_var_run_t;
> +files_pid_file(qemu_var_run_t);
> +files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
> +allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
> +
>  ########################################
>  #
>  # Local policy
>  #
>
> +kernel_read_crypto_sysctls(qemu_t)
> +
> +dev_read_sysfs(qemu_t)
> +
>  tunable_policy(`qemu_full_network',`
>  	corenet_udp_sendrecv_generic_if(qemu_t)
>  	corenet_udp_sendrecv_generic_node(qemu_t)
> @@ -41,6 +50,16 @@ tunable_policy(`qemu_full_network',`
>  ')
>
>  optional_policy(`
> +	fs_manage_xenfs_files(qemu_t)
> +	xen_stream_connect_xenstore(qemu_t)
> +	dev_rw_xen(qemu_t)
> +	xen_append_log(qemu_t)
> +	create_in_xend_var_run(qemu_t, qemu_var_run_t, sock_file)
> +')
> +optional_policy(`
> +	permit_in_unconfined_r(qemu_t)
> +')
> +optional_policy(`
>  	xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
>  ')
>
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.fc
> @@ -6,3 +6,4 @@
>  /usr/lib/systemd/system/[^/]*qemu-guest-agent.*	--	gen_context(system_u:object_r:qemu_unit_t,s0)
>
>  /usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
> +/var/run/xen/qmp.*	--	gen_context(system_u:object_r:qemu_var_run_t,s0)
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.if
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.if
> @@ -374,3 +374,41 @@ interface(`qemu_entry_type',`
>
>  	domain_entry_file($1, qemu_exec_t)
>  ')
> +
> +########################################
> +## <summary>
> +##	Connect to qemu with a unix
> +##	domain stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`qemu_stream_connect',`
> +	gen_require(`
> +		type qemu_t, qemu_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Unlink qemu socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`qemu_unlink_socket',`
> +	gen_require(`
> +		type qemu_t, qemu_var_run_t;
> +	')
> +
> +	allow $1 qemu_var_run_t:sock_file unlink;
> +')
> Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170221/policy/modules/system/unconfined.if
> @@ -319,6 +319,24 @@ interface(`unconfined_run_to',`
>
>  ########################################
>  ## <summary>
> +##     Allow the specified domain to be in the unconfined role
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain to permit in unconfined_r
> +##     </summary>
> +## </param>
> +#
> +interface(`permit_in_unconfined_r',`
> +	gen_require(`
> +		role unconfined_r;
> +	')
> +
> +	role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
>  ##	Inherit file descriptors from the unconfined domain.
>  ## </summary>
>  ## <param name="domain">
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


-- 
Chris PeBenito