2012-04-11 18:30:17

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/4] Updates related to libvirt

This is a set of small patches related to libvirt support.

First, we add in some context description files.
Next, we allow virt to write out and execute its tmp files.
Third, we provide initrc/sysadm with the rights to execute virsh.
Finally, we allow qemu to execute itself (which seems to be needed when
using libvirt for qemu-based virtualization).

Wkr,
Sven Vermeulen


2012-04-11 18:34:53

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/4] Adding default context rules for libvirt

The libvirt infrastructure requires the availability of the context files.

In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).

Signed-off-by: Sven Vermeulen <[email protected]>
---
Makefile | 2 +-
config/appconfig-mcs/virtual_domain_context | 1 +
config/appconfig-mcs/virtual_image_context | 2 ++
config/appconfig-mls/virtual_domain_context | 1 +
config/appconfig-mls/virtual_image_context | 2 ++
config/appconfig-standard/virtual_domain_context | 1 +
config/appconfig-standard/virtual_image_context | 2 ++
7 files changed, 10 insertions(+), 1 deletions(-)
create mode 100644 config/appconfig-mcs/virtual_domain_context
create mode 100644 config/appconfig-mcs/virtual_image_context
create mode 100644 config/appconfig-mls/virtual_domain_context
create mode 100644 config/appconfig-mls/virtual_image_context
create mode 100644 config/appconfig-standard/virtual_domain_context
create mode 100644 config/appconfig-standard/virtual_image_context

diff --git a/Makefile b/Makefile
index 5a43919..39a3d40 100644
--- a/Makefile
+++ b/Makefile
@@ -249,7 +249,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts

all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
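Review bot: adding `virtual_domain_context` and `virtual_image_context` to `appfiles` makes the install target look for both files under whichever `appconfig-$(TYPE)` directory is selected, so every appconfig directory has to carry them; this series does add all six files, but that dependency is stated nowhere, and the commit message should say so that a future appconfig-* directory is not added without them.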
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 0000000..d387b42
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
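Review bot: `svirt_t` is referenced here but nothing in this series declares it, and an appconfig file is not type-checked when the policy is built, so a mismatch between this string and the virt module only surfaces at runtime when libvirt tries to label a guest. Please confirm the virt module being shipped declares `svirt_t` (and `svirt_image_t` for the image file), e.g. with `seinfo -t svirt_t` against the built policy, and mention in the commit message that the virt module is a prerequisite for these contexts.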
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 0000000..8ab1e27
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
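Review bot: the meaning of the two entries is not documented anywhere; the file is consumed by position, and neither the hunk nor the commit message records that the first entry (`svirt_image_t`) is the context for writable guest disk images and the second (`virt_content_t`) is for read-only content shared into guests. Since a comment line in the file itself would be read as an entry, put that explanation in the commit message instead.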
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 0000000..d387b42
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
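Review bot: this file is byte-identical to the mcs variant (both hunks carry blob d387b42 in their index lines, and the image files share 8ab1e27), which is correct because both policy types carry a level field, but it means every later change has to be made in both directories; a one-line remark in the commit message that mcs and mls are meant to stay in sync would save the next editor from changing only one.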
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 0000000..8ab1e27
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
new file mode 100644
index 0000000..c049e10
--- /dev/null
+++ b/config/appconfig-standard/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t
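Review bot: the level suffix is deliberately dropped here (`svirt_t` with no `:s0`) because the standard policy type has no sensitivity field and a context carrying one would be rejected on load; the commit message should call out this intentional difference from the mcs/mls copies so nobody later "fixes" it by pasting in the `:s0` form.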
diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
new file mode 100644
index 0000000..fca6046
--- /dev/null
+++ b/config/appconfig-standard/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t
+system_u:object_r:virt_content_t
--
1.7.3.4

2012-04-11 18:35:25

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them)

During startup of guests, libvirt needs to create temporary files and execute them (part of setting up the necessary
environment of the guests).

Signed-off-by: Sven Vermeulen <[email protected]>
---
virt.te | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/virt.te b/virt.te
index 3eca020..a427c3f 100644
--- a/virt.te
+++ b/virt.te
@@ -74,6 +74,9 @@ userdom_user_home_content(virt_content_t)
type virt_log_t;
logging_log_file(virt_log_t)

+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)

@@ -207,6 +210,11 @@ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })

+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
+
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
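Review bot: `can_exec(virtd_t, virt_tmp_t)` together with `manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)` lets virtd_t both write and execute the same content, which is the write-then-execute combination that confinement normally tries to keep apart. The commit message says libvirt needs it but names neither the temporary files that get executed nor the AVC denial that motivated the rule; please add both so the permission can later be narrowed, for instance by giving the executed helpers their own type, or by checking whether what is really executed is an interpreter on a script rather than the tmp file itself.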
--
1.7.3.4

2012-04-11 18:35:57

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt

When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/system/init.te | 1 +
2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7d25414..e08c71f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -394,6 +394,10 @@ optional_policy(`
')

optional_policy(`
+ virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
vmware_role(sysadm_r, sysadm_t)
')
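Review bot: this opens a new optional_policy block for a single `virt_stream_connect(sysadm_t)` call; if sysadm.te already has an optional_policy block calling other virt_ interfaces (the hunk's context only shows the neighbouring vmware block, so it cannot be ruled out from here), the call belongs in that block rather than in a second one. Placement ahead of the vmware block does keep the alphabetical order.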

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b7fcbe3..79a306e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -822,6 +822,7 @@ optional_policy(`
')

optional_policy(`
+ virt_stream_connect(initrc_t)
virt_manage_svirt_cache(initrc_t)
')
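Review bot: inside the block the new `virt_stream_connect(initrc_t)` is placed before the existing `virt_manage_svirt_cache(initrc_t)`, but interface calls within an optional_policy block are kept sorted, so it should follow the manage call. It is also worth stating in the commit message which init script invokes virsh, since a stream connection to virtd_t from initrc_t is available to every init script, not only the libvirt ones.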

--
1.7.3.4

2012-04-11 18:36:24

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu

When using libvirt as the virtualization framework, using qemu as the virtualization environment itself, launching guests
requires the qemu domain to have exec rights on its own binaries.

Signed-off-by: Sven Vermeulen <[email protected]>
---
qemu.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index 9cf9992..0bbccb5 100644
--- a/qemu.te
+++ b/qemu.te
@@ -50,6 +50,8 @@ role system_r types qemu_t;
# qemu local policy
#

+can_exec(qemu_t, qemu_exec_t)
+
storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)
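Review bot: `can_exec(qemu_t, qemu_exec_t)` is justified only by "seems to be needed" in the cover letter, with no AVC denial quoted; the commit message should record the actual denial (source and target types, object class and permission) so the reason for a self-exec rule is preserved. Note that `can_exec` keeps the process in qemu_t across the exec with no domain transition, which is the intended effect here; if it is in fact virtd_t launching qemu rather than qemu re-launching itself, the rule belongs with the virt domain's exec transition instead, so confirm which process performs the exec before merging.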

--
1.7.3.4

2012-04-23 14:40:57

by cpebenito

Subject: [refpolicy] [PATCH 1/4] Adding default context rules for libvirt

On 04/11/12 14:34, Sven Vermeulen wrote:
> The libvirt infrastructure requires the availability of the context files.
>
> In this patch, we add the defaults to the three predefined application
> contexts (mls/mcs/standard).

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> Makefile | 2 +-
> config/appconfig-mcs/virtual_domain_context | 1 +
> config/appconfig-mcs/virtual_image_context | 2 ++
> config/appconfig-mls/virtual_domain_context | 1 +
> config/appconfig-mls/virtual_image_context | 2 ++
> config/appconfig-standard/virtual_domain_context | 1 +
> config/appconfig-standard/virtual_image_context | 2 ++
> 7 files changed, 10 insertions(+), 1 deletions(-)
> create mode 100644 config/appconfig-mcs/virtual_domain_context
> create mode 100644 config/appconfig-mcs/virtual_image_context
> create mode 100644 config/appconfig-mls/virtual_domain_context
> create mode 100644 config/appconfig-mls/virtual_image_context
> create mode 100644 config/appconfig-standard/virtual_domain_context
> create mode 100644 config/appconfig-standard/virtual_image_context
>
> diff --git a/Makefile b/Makefile
> index 5a43919..39a3d40 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -249,7 +249,7 @@ seusers := $(appconf)/seusers
> appdir := $(contextpath)
> user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
> user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
> -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
> +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
> net_contexts := $(builddir)net_contexts
>
> all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
> diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
> new file mode 100644
> index 0000000..d387b42
> --- /dev/null
> +++ b/config/appconfig-mcs/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t:s0
> diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
> new file mode 100644
> index 0000000..8ab1e27
> --- /dev/null
> +++ b/config/appconfig-mcs/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t:s0
> +system_u:object_r:virt_content_t:s0
> diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
> new file mode 100644
> index 0000000..d387b42
> --- /dev/null
> +++ b/config/appconfig-mls/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t:s0
> diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
> new file mode 100644
> index 0000000..8ab1e27
> --- /dev/null
> +++ b/config/appconfig-mls/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t:s0
> +system_u:object_r:virt_content_t:s0
> diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
> new file mode 100644
> index 0000000..c049e10
> --- /dev/null
> +++ b/config/appconfig-standard/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t
> diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
> new file mode 100644
> index 0000000..fca6046
> --- /dev/null
> +++ b/config/appconfig-standard/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t
> +system_u:object_r:virt_content_t


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-23 14:41:01

by cpebenito

Subject: [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them)

On 04/11/12 14:35, Sven Vermeulen wrote:
> During startup of guests, libvirt needs to create temporary files and execute them (part of setting up the necessary
> environment of the guests).

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> virt.te | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/virt.te b/virt.te
> index 3eca020..a427c3f 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -74,6 +74,9 @@ userdom_user_home_content(virt_content_t)
> type virt_log_t;
> logging_log_file(virt_log_t)
>
> +type virt_tmp_t;
> +files_tmp_file(virt_tmp_t)
> +
> type virt_var_run_t;
> files_pid_file(virt_var_run_t)
>
> @@ -207,6 +210,11 @@ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
> manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
> logging_log_filetrans(virtd_t, virt_log_t, { file dir })
>
> +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
> +can_exec(virtd_t, virt_tmp_t)
> +
> manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-23 14:41:06

by cpebenito

Subject: [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt

On 04/11/12 14:35, Sven Vermeulen wrote:
> When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
> domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
> administrator).

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 ++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 7d25414..e08c71f 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -394,6 +394,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + virt_stream_connect(sysadm_t)
> +')
> +
> +optional_policy(`
> vmware_role(sysadm_r, sysadm_t)
> ')
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b7fcbe3..79a306e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -822,6 +822,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + virt_stream_connect(initrc_t)
> virt_manage_svirt_cache(initrc_t)
> ')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-23 14:41:12

by cpebenito

Subject: [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu

On 04/11/12 14:36, Sven Vermeulen wrote:
> When using libvirt as the virtualization framework, using qemu as the virtualization environment itself, launching guests
> requires the qemu domain to have exec rights on its own binaries.

Merged.

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> qemu.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/qemu.te b/qemu.te
> index 9cf9992..0bbccb5 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -50,6 +50,8 @@ role system_r types qemu_t;
> # qemu local policy
> #
>
> +can_exec(qemu_t, qemu_exec_t)
> +
> storage_raw_write_removable_device(qemu_t)
> storage_raw_read_removable_device(qemu_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com