2017-02-21 08:32:39

by Russell Coker

Subject: [refpolicy] [PATCH] xen and qemu patch

As an aside I no longer use xen and don't have a test environment for it.

If there are any disagreements with the xen policy I'll just remove the
disputed rules and add them again when someone who uses xen has a problem.

Regardless of the inability to test current changes, the policy has worked
well for me for years and I think it should be included.

Description: xen and qemu patches
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-21

Index: refpolicy-2.20170221/policy/modules/contrib/xen.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/xen.te
+++ refpolicy-2.20170221/policy/modules/contrib/xen.te
@@ -85,6 +85,9 @@ files_mountpoint(xend_var_lib_t)
type xend_var_log_t;
logging_log_file(xend_var_log_t)

+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
type xend_var_run_t;
files_pid_file(xend_var_run_t)
files_mountpoint(xend_var_run_t)
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
+kernel_read_vm_sysctls(xend_t)

corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
fs_manage_xenfs_files(xend_t)

storage_read_scsi_generic(xend_t)
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)

term_setattr_generic_ptys(xend_t)
term_getattr_all_ptys(xend_t)
@@ -444,6 +450,7 @@ stream_connect_pattern(xenstored_t, evtc
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)

+corecmd_search_bin(xenstored_t)
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@@ -470,12 +477,19 @@ xen_append_log(xenstored_t)
# xm local policy
#

-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
allow xm_t self:tcp_socket { accept listen };

+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+files_lock_filetrans(xm_t, xen_lock_t, file)
+allow xm_t xen_lock_t:file manage_file_perms;
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
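Review bot: The `net_admin` capability added on the first `allow xm_t self:capability` line carries no comment saying which operation needs it, while the other new grants in this patch (`# for lsscsi`, the vif-bridge note) do; a one-line reason such as `# net_admin: vif-bridge network setup (confirm against the denial)` would let a later reviewer judge whether the `sysnet_domtrans_ifconfig`/`iptables_domtrans` calls added further down make it redundant. Separately, `files_lock_filetrans(xm_t, xen_lock_t, file)` has no filename argument, so every lock file xm_t creates in the lock directory becomes `xen_lock_t`, not only the `/var/lock/xl` that xen.fc labels; if this tree's `files_lock_filetrans` accepts the optional name argument, `files_lock_filetrans(xm_t, xen_lock_t, file, "xl")` keeps the transition to that one file. Finally, `manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` lets xm_t delete and rename every xend log file; if xl only creates and appends its own logs, a create/append pattern limits how much a misbehaving management tool can alter the log trail.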
@@ -494,6 +508,8 @@ xen_stream_connect_xenstore(xm_t)

can_exec(xm_t, xm_exec_t)

+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
kernel_read_system_state(xm_t)
kernel_read_network_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
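Review bot: `kernel_load_module(xm_t)` lets the xm/xl domain load kernel modules directly, which is a large privilege for a VM management tool and is added without a comment; `kernel_request_load_module(xm_t)` on the next line already lets the kernel auto-load modules by name on the tool's behalf, which is usually what a toolstack needs. Unless a concrete denial showed xm_t itself performing the module load, I would drop the `kernel_load_module` line and keep `kernel_request_load_module`, or at least document it as `# xl loads modules directly (verify which)`. The enclosing xm_t local policy section continues outside the hunk.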
@@ -517,8 +533,11 @@ dev_read_rand(xm_t)
dev_read_urand(xm_t)
dev_read_sysfs(xm_t)

+domain_use_interactive_fds(xm_t)
+
files_read_etc_runtime_files(xm_t)
files_read_etc_files(xm_t)
+files_read_kernel_img(xm_t)
files_read_usr_files(xm_t)
files_search_pids(xm_t)
files_search_var_lib(xm_t)
@@ -530,19 +549,24 @@ fs_manage_xenfs_dirs(xm_t)
fs_manage_xenfs_files(xm_t)
fs_search_auto_mountpoints(xm_t)

-storage_raw_read_fixed_disk(xm_t)
-
-term_use_all_terms(xm_t)
-
init_stream_connect_script(xm_t)
init_rw_script_stream_sockets(xm_t)
init_use_fds(xm_t)

logging_send_syslog_msg(xm_t)
-
miscfiles_read_localization(xm_t)

+storage_raw_read_fixed_disk(xm_t)
sysnet_dns_name_resolve(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
+
+term_use_all_terms(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)

tunable_policy(`xen_use_fusefs',`
fs_manage_fusefs_dirs(xm_t)
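Review bot: `udev_manage_pid_files(xm_t)` grants xm_t manage rights over everything labelled as udev's runtime files just so vif-bridge can write under /run/xen-hotplug, and the author's own comment above it says a dedicated label is the real fix. Since the same patch already gives xm_t `rw_dir_perms` on `xend_var_run_t` and labels `/var/run/xen` with that type, an fc entry such as `/run/xen-hotplug(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)` plus `manage_files_pattern(xm_t, xend_var_run_t, xend_var_run_t)` would keep the grant inside the xen module instead of crossing into udev's files; if `udev_manage_pid_files` has to stay as an interim measure, keep the TODO comment with it. Also, the hunk removes the blank line between `logging_send_syslog_msg(xm_t)` and `miscfiles_read_localization(xm_t)`, which runs two module groups together where the rest of the file keeps one group per module.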
@@ -563,6 +587,21 @@ tunable_policy(`xen_use_samba',`
')

optional_policy(`
+ unconfined_run_to(xm_t, xm_exec_t)
+')
+
+optional_policy(`
+ qemu_domtrans(xm_t)
+ qemu_signal(xm_t)
+ qemu_stream_connect(xm_t)
+ qemu_unlink_socket(xm_t)
+')
+
+optional_policy(`
+ iptables_domtrans(xm_t)
+')
+
+optional_policy(`
cron_system_entry(xm_t, xm_exec_t)
')

Index: refpolicy-2.20170221/policy/modules/contrib/xen.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/xen.fc
+++ refpolicy-2.20170221/policy/modules/contrib/xen.fc
@@ -14,7 +14,7 @@
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
-
+/usr/lib/xen-.*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
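Review bot: The new `/usr/lib/xen-.*/xl` pattern uses `.*`, which also matches path separators, so an `xl` at any depth below a `/usr/lib/xen-` prefix is labelled `xm_exec_t`; the usual refpolicy form for a versioned directory is `/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)`. The entry is also inserted after the `/usr/sbin` lines and in place of the blank line that separated the `/usr` and `/var` groups, whereas the file keeps entries sorted by path with a blank line between groups; placing it before the `/usr/sbin` entries and restoring the separator matches the file.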
@@ -25,11 +25,13 @@
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)

/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/var/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
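Review bot: `/var/run/xen -d` is written with the `/var/run` prefix while every neighbouring entry in this hunk uses `/run/...` (`/run/xend(/.*)?`, `/run/xend\.pid`); refpolicy file contexts are written against `/run` with `/var/run` handled as an alias, so `/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)` is the consistent form, and it then sorts next to the `/run/xend` lines. The same applies to `/var/run/xen/qmp.*` in the qemu.fc hunk. The `/var/lock/xl` line is placed among the `/var/log` entries and belongs in its own group; whether it should be spelled `/run/lock/xl` depends on how this tree aliases the lock directory, which I cannot confirm from the patch.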
Index: refpolicy-2.20170221/policy/modules/contrib/xen.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/xen.if
+++ refpolicy-2.20170221/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`

########################################
## <summary>
+## Create in a xend_var_run_t directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`create_in_xend_var_run',`
+ gen_require(`
+ type xend_var_run_t;
+ ')
+
+ filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run xm.
## </summary>
## <param name="domain">
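Review bot: `create_in_xend_var_run` breaks the naming convention every other interface in xen.if follows (`xen_*`), which matters because interface names are global across modules; a module-prefixed name such as `xen_pid_filetrans` would be expected, with the call in the qemu.te hunk renamed to match. The interface only emits `filetrans_pattern`, so a caller still needs search access on `/run` itself to reach the create point; adding `files_search_pids($1)` before the pattern, as the files.if filetrans interfaces do for their parent directory, makes it usable on its own, and an optional filename argument (`$4`) would let callers such as qemu limit the transition to the `qmp.*` sockets that qemu.fc labels. Minor: the parameter is documented as `<param name="private type">`; the established spelling in these headers is `private_type`.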
Index: refpolicy-2.20170221/policy/modules/contrib/qemu.te
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.te
+++ refpolicy-2.20170221/policy/modules/contrib/qemu.te
@@ -25,11 +25,20 @@ role qemu_roles types qemu_t;
type qemu_unit_t;
init_unit_file(qemu_unit_t)

+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+
########################################
#
# Local policy
#

+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
tunable_policy(`qemu_full_network',`
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
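Review bot: `files_pid_file(qemu_var_run_t);` ends with a semicolon that no other interface call in the file has; the macro already expands to complete statements, so the stray `;` is at best inconsistent and may not be accepted by the policy compiler — drop it: `files_pid_file(qemu_var_run_t)`. The `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` call and the `allow qemu_t qemu_var_run_t:sock_file` rule sit in the declarations section above the `# Local policy` banner, where the file otherwise keeps only type declarations; moving them below the banner next to the new `kernel_read_crypto_sysctls`/`dev_read_sysfs` lines follows the layout. The filetrans also has no filename, so every socket qemu_t creates directly under /run becomes `qemu_var_run_t`, whereas qemu.fc only labels `qmp.*` under /run/xen; if that is the only case needed, the `create_in_xend_var_run` call in the next hunk already covers it and this rule may be unnecessary.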
@@ -41,6 +50,16 @@ tunable_policy(`qemu_full_network',`
')

optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+ xen_stream_connect_xenstore(qemu_t)
+ dev_rw_xen(qemu_t)
+ xen_append_log(qemu_t)
+ create_in_xend_var_run(qemu_t, qemu_var_run_t, sock_file)
+')
+optional_policy(`
+ permit_in_unconfined_r(qemu_t)
+')
+optional_policy(`
xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
')

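Review bot: `permit_in_unconfined_r(qemu_t)` grants qemu_t membership in `unconfined_r` from inside the qemu module, inverting the direction refpolicy uses for role grants: the module that owns the role calls the domain module's run/role interface with the role as an argument (for qemu, `qemu_run(unconfined_t, unconfined_r)` or the corresponding role interface, called from unconfined.te), so the list of what may run in unconfined_r stays in one place. The rule here is also unconditional whenever the unconfined module is present, whereas the xm path that needs it (`unconfined_run_to(xm_t, xm_exec_t)` followed by `qemu_domtrans(xm_t)`) is what actually introduces the role requirement; tying the grant to that path would be more precise. Style: the three `optional_policy` blocks are run together with no blank line between them, unlike the rest of the file.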
Index: refpolicy-2.20170221/policy/modules/contrib/qemu.fc
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.fc
+++ refpolicy-2.20170221/policy/modules/contrib/qemu.fc
@@ -6,3 +6,4 @@
/usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)

/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
Index: refpolicy-2.20170221/policy/modules/contrib/qemu.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.if
+++ refpolicy-2.20170221/policy/modules/contrib/qemu.if
@@ -374,3 +374,41 @@ interface(`qemu_entry_type',`

domain_entry_file($1, qemu_exec_t)
')
+
+########################################
+## <summary>
+## Connect to qemu with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Unlink qemu socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_unlink_socket',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file unlink;
+')
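Review bot: `qemu_stream_connect` passes `qemu_var_run_t` as the directory type to `stream_connect_pattern`, but nothing in this patch labels a directory `qemu_var_run_t`: qemu.fc labels only `/var/run/xen/qmp.*` and xen.fc labels the containing `/var/run/xen` directory `xend_var_run_t`. The `search` the pattern grants therefore lands on the wrong type, and a caller other than xm_t (which already has `rw_dir_perms` on `xend_var_run_t`) would be denied on the parent directory; the interface should include search on the actual parent, for example through a xen-module search interface, or its description should state that the caller must provide it. `qemu_unlink_socket` has the same gap and additionally omits `files_search_pids($1)`; a sentence in each interface description noting that the socket lives under the xen runtime directory would help callers.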
Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170221/policy/modules/system/unconfined.if
@@ -319,6 +319,24 @@ interface(`unconfined_run_to',`

########################################
## <summary>
+## Allow the specified domain to be in the unconfined role
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to permit in unconfined_r
+## </summary>
+## </param>
+#
+interface(`permit_in_unconfined_r',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types $1;
+')
+
+########################################
+## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
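Review bot: `permit_in_unconfined_r` is the only interface in unconfined.if without the `unconfined_` prefix, and that prefix is what lets readers and the policy tooling tell which module an interface belongs to; a module-prefixed name (e.g. `unconfined_role_types`) would fit, with the caller in qemu.te renamed to match. The summary `Allow the specified domain to be in the unconfined role` should also say what it implies — any domain handed to it becomes reachable from unconfined_r with no tunable — so module authors do not reach for it instead of the existing `*_run` interfaces that take a role argument; a `## <desc>` paragraph stating that it is meant only for domains unconfined_r must reach through another confined domain's transition would cover that. The surrounding file section continues outside the hunk.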


2017-02-24 01:32:27

by Chris PeBenito

Subject: [refpolicy] [PATCH] xen and qemu patch

On 02/21/17 03:32, Russell Coker via refpolicy wrote:
> As an aside I no longer use xen and don't have a test environment for it.
>
> If there are any disagreements with the xen policy I'll just remove the
> disputed rules and add them again when someone who uses xen has a problem.
>
> Regardless of the inability to test current changes, the policy has worked
> well for me for years and I think it should be included.

Merged, though I made a few minor changes.


> Description: xen and qemu patches
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.te
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.te
> @@ -85,6 +85,9 @@ files_mountpoint(xend_var_lib_t)
> type xend_var_log_t;
> logging_log_file(xend_var_log_t)
>
> +type xen_lock_t;
> +files_lock_file(xen_lock_t)
> +
> type xend_var_run_t;
> files_pid_file(xend_var_run_t)
> files_mountpoint(xend_var_run_t)
> @@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
> kernel_read_xen_state(xend_t)
> kernel_rw_net_sysctls(xend_t)
> kernel_read_network_state(xend_t)
> +kernel_read_vm_sysctls(xend_t)
>
> corecmd_exec_bin(xend_t)
> corecmd_exec_shell(xend_t)
> @@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
> fs_manage_xenfs_files(xend_t)
>
> storage_read_scsi_generic(xend_t)
> +# for lsscsi
> +storage_getattr_fixed_disk_dev(xend_t)
>
> term_setattr_generic_ptys(xend_t)
> term_getattr_all_ptys(xend_t)
> @@ -444,6 +450,7 @@ stream_connect_pattern(xenstored_t, evtc
> kernel_write_xen_state(xenstored_t)
> kernel_read_xen_state(xenstored_t)
>
> +corecmd_search_bin(xenstored_t)
> dev_filetrans_xen(xenstored_t)
> dev_rw_xen(xenstored_t)
> dev_read_sysfs(xenstored_t)
> @@ -470,12 +477,19 @@ xen_append_log(xenstored_t)
> # xm local policy
> #
>
> -allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
> -allow xm_t self:process { getcap getsched setsched setcap signal };
> +allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
> +allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
> allow xm_t self:fifo_file rw_fifo_file_perms;
> allow xm_t self:unix_stream_socket { accept connectto listen };
> allow xm_t self:tcp_socket { accept listen };
>
> +allow xm_t xend_var_run_t:dir rw_dir_perms;
> +
> +files_lock_filetrans(xm_t, xen_lock_t, file)
> +allow xm_t xen_lock_t:file manage_file_perms;
> +
> +manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
> +
> manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
> @@ -494,6 +508,8 @@ xen_stream_connect_xenstore(xm_t)
>
> can_exec(xm_t, xm_exec_t)
>
> +kernel_load_module(xm_t)
> +kernel_request_load_module(xm_t)
> kernel_read_system_state(xm_t)
> kernel_read_network_state(xm_t)
> kernel_read_kernel_sysctls(xm_t)
> @@ -517,8 +533,11 @@ dev_read_rand(xm_t)
> dev_read_urand(xm_t)
> dev_read_sysfs(xm_t)
>
> +domain_use_interactive_fds(xm_t)
> +
> files_read_etc_runtime_files(xm_t)
> files_read_etc_files(xm_t)
> +files_read_kernel_img(xm_t)
> files_read_usr_files(xm_t)
> files_search_pids(xm_t)
> files_search_var_lib(xm_t)
> @@ -530,19 +549,24 @@ fs_manage_xenfs_dirs(xm_t)
> fs_manage_xenfs_files(xm_t)
> fs_search_auto_mountpoints(xm_t)
>
> -storage_raw_read_fixed_disk(xm_t)
> -
> -term_use_all_terms(xm_t)
> -
> init_stream_connect_script(xm_t)
> init_rw_script_stream_sockets(xm_t)
> init_use_fds(xm_t)
>
> logging_send_syslog_msg(xm_t)
> -
> miscfiles_read_localization(xm_t)
>
> +storage_raw_read_fixed_disk(xm_t)
> sysnet_dns_name_resolve(xm_t)
> +sysnet_domtrans_ifconfig(xm_t)
> +
> +term_use_all_terms(xm_t)
> +
> +# for vif-bridge to write to /run/xen-hotplug/iptables
> +# maybe we need a different label for /run/xen-hotplug
> +udev_manage_pid_files(xm_t)
> +
> +userdom_dontaudit_search_user_home_content(xm_t)
>
> tunable_policy(`xen_use_fusefs',`
> fs_manage_fusefs_dirs(xm_t)
> @@ -563,6 +587,21 @@ tunable_policy(`xen_use_samba',`
> ')
>
> optional_policy(`
> + unconfined_run_to(xm_t, xm_exec_t)
> +')
> +
> +optional_policy(`
> + qemu_domtrans(xm_t)
> + qemu_signal(xm_t)
> + qemu_stream_connect(xm_t)
> + qemu_unlink_socket(xm_t)
> +')
> +
> +optional_policy(`
> + iptables_domtrans(xm_t)
> +')
> +
> +optional_policy(`
> cron_system_entry(xm_t, xm_exec_t)
> ')
>
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.fc
> @@ -14,7 +14,7 @@
> /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
> /usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
> /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
> -
> +/usr/lib/xen-.*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
> /var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
> /var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
> /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
> @@ -25,11 +25,13 @@
> /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
> /var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
> /var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
> +/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
>
> /run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
> /run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
> /run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
> /run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
> +/var/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
> /run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
> /run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
> /run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
> Index: refpolicy-2.20170221/policy/modules/contrib/xen.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/xen.if
> +++ refpolicy-2.20170221/policy/modules/contrib/xen.if
> @@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
>
> ########################################
> ## <summary>
> +## Create in a xend_var_run_t directory
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="private type">
> +## <summary>
> +## The type of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="object">
> +## <summary>
> +## The object class of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`create_in_xend_var_run',`
> + gen_require(`
> + type xend_var_run_t;
> + ')
> +
> + filetrans_pattern($1, xend_var_run_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Execute a domain transition to run xm.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.te
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.te
> @@ -25,11 +25,20 @@ role qemu_roles types qemu_t;
> type qemu_unit_t;
> init_unit_file(qemu_unit_t)
>
> +type qemu_var_run_t;
> +files_pid_file(qemu_var_run_t);
> +files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
> +allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
> +
> ########################################
> #
> # Local policy
> #
>
> +kernel_read_crypto_sysctls(qemu_t)
> +
> +dev_read_sysfs(qemu_t)
> +
> tunable_policy(`qemu_full_network',`
> corenet_udp_sendrecv_generic_if(qemu_t)
> corenet_udp_sendrecv_generic_node(qemu_t)
> @@ -41,6 +50,16 @@ tunable_policy(`qemu_full_network',`
> ')
>
> optional_policy(`
> + fs_manage_xenfs_files(qemu_t)
> + xen_stream_connect_xenstore(qemu_t)
> + dev_rw_xen(qemu_t)
> + xen_append_log(qemu_t)
> + create_in_xend_var_run(qemu_t, qemu_var_run_t, sock_file)
> +')
> +optional_policy(`
> + permit_in_unconfined_r(qemu_t)
> +')
> +optional_policy(`
> xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
> ')
>
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.fc
> @@ -6,3 +6,4 @@
> /usr/lib/systemd/system/[^/]*qemu-guest-agent.* -- gen_context(system_u:object_r:qemu_unit_t,s0)
>
> /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
> +/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
> Index: refpolicy-2.20170221/policy/modules/contrib/qemu.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/qemu.if
> +++ refpolicy-2.20170221/policy/modules/contrib/qemu.if
> @@ -374,3 +374,41 @@ interface(`qemu_entry_type',`
>
> domain_entry_file($1, qemu_exec_t)
> ')
> +
> +########################################
> +## <summary>
> +## Connect to qemu with a unix
> +## domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`qemu_stream_connect',`
> + gen_require(`
> + type qemu_t, qemu_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
> +')
> +
> +########################################
> +## <summary>
> +## Unlink qemu socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`qemu_unlink_socket',`
> + gen_require(`
> + type qemu_t, qemu_var_run_t;
> + ')
> +
> + allow $1 qemu_var_run_t:sock_file unlink;
> +')
> Index: refpolicy-2.20170221/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170221/policy/modules/system/unconfined.if
> @@ -319,6 +319,24 @@ interface(`unconfined_run_to',`
>
> ########################################
> ## <summary>
> +## Allow the specified domain to be in the unconfined role
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to permit in unconfined_r
> +## </summary>
> +## </param>
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> +
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
> ## Inherit file descriptors from the unconfined domain.
> ## </summary>
> ## <param name="domain">
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito