2017-10-30 06:38:44

by Jason Zaman

Subject: [refpolicy] [PATCH 1/2] virt: add policy for virtlogd

---
virt.fc | 2 ++
virt.te | 46 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)

diff --git a/virt.fc b/virt.fc
index b1f9b1c..eb5ff0d 100644
--- a/virt.fc
+++ b/virt.fc
@@ -30,6 +30,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/bin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)

/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -37,6 +38,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)

/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)

diff --git a/virt.te b/virt.te
index 364d7ca..e0605e0 100644
--- a/virt.te
+++ b/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
type virtlockd_var_lib_t;
files_type(virtlockd_var_lib_t)

+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')

########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
allow virt_domain virtd_t:process sigchld;

+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
dontaudit virt_domain virtd_t:unix_stream_socket { read write };

manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -468,6 +480,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
allow virtd_t svirt_lxc_domain:process signal_perms;

+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
allow virtd_t virtd_lxc_t:process { signal signull sigkill };

domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -554,6 +569,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)

can_exec(virtd_t, virt_tmp_t)

@@ -1315,3 +1331,33 @@ miscfiles_read_localization(virtlockd_t)

virt_append_log(virtlockd_t)
virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+kernel_read_system_state(virtlogd_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+sysnet_dns_name_resolve(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
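Review bot: The three rules starting at `allow virtlogd_t virtd_t:dir list_dir_perms;` let the new domain read libvirtd's /proc entries but carry no comment saying why; if I recall refpolicy's `ps_process_pattern` correctly it expands to these same dir/file/lnk_file rules plus `process getattr`, so either use the macro or add a one-line comment such as `# read /proc/<pid> of libvirtd (no process getattr needed)`. `sysnet_dns_name_resolve(virtlogd_t)` also stands out for a daemon that only handles guest logs; if libvirt's shared RPC initialisation needs it a comment saying so would help, otherwise dropping it keeps the new domain minimal. The hunk grants no `self:capability` at all, whereas the virtlockd block above has `dac_override`; whether virtlogd needs the same cannot be told from this patch.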
--
2.13.6


2017-10-30 06:38:45

by Jason Zaman

Subject: [refpolicy] [PATCH 2/2] virt: updated perms for starting guests

virtlockd doesn't need ps_process_pattern
need to relabel to set categories and allow mount root in slave mode
allow mounting devfs in run
Already has dac_override so read_search is harmless

libvirt errors:
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to switch root mount into slave mode: Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Failed to make device /var/run/libvirt/qemu/selinux.dev/null: Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null: Permission denied

avc denials:
avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
---
virt.te | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/virt.te b/virt.te
index e0605e0..726b989 100644
--- a/virt.te
+++ b/virt.te
@@ -463,8 +463,8 @@ tunable_policy(`virt_use_vfio',`
# virtd local policy
#

-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
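Review bot: The changed capability line adds `sys_ptrace`, `sys_chroot` and `fsetid` alongside `dac_read_search`, but the commit message justifies only `dac_read_search` and none of the quoted AVC denials names these capabilities, so the libvirt operation that needs them is not visible here. `sys_ptrace` widens what virtd_t may do to other processes and deserves a short comment above the rule, e.g. `# sys_ptrace: presumably for reading /proc/<pid>/ns of qemu during namespace setup -- confirm`, or its own denial in the message. That it is tied to the `fs_read_nsfs_files(virtd_t)` added later in this patch is an inference, not something the hunk shows.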
@@ -474,7 +474,7 @@ allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow virtd_t self:netlink_route_socket nlmsg_write;

-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill };
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };

allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
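Review bot: `rlimitinh` is now allowed on the changed line and still listed in the unchanged `dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };` directly below it; once the permission is allowed the dontaudit entry is dead and misleads a reader into thinking it is still suppressed. Drop it from that line: `dontaudit virtd_t virt_domain:process { siginh noatsecure };`. The vfio tunable hunk later in this patch removes the conditional `svirt_t:process rlimitinh` rule, so this unconditional allow becomes the only source of the permission.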
@@ -497,6 +497,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
allow virtd_t virtd_keytab_t:file read_file_perms;

allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
@@ -525,9 +526,10 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)

allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+allow virtd_t virt_image_type:sock_file manage_sock_file_perms;

allow virtd_t virt_ptynode:chr_file rw_term_perms;

@@ -537,7 +539,14 @@ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })

manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+allow virtd_t virt_tmpfs_t:dir mounton;

# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
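Review bot: The six new `*_pattern` rules on virt_tmpfs_t plus `allow virtd_t virt_tmpfs_t:dir mounton;` let virtd_t create, relabel and mount over block and character device nodes on a tmpfs, and nothing next to the rules says why; the commit message ties this to the `selinux.dev` tmpfs libvirt mounts under /var/run/libvirt/qemu, and that context belongs in the file. Add a comment above `manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)`, e.g. `# libvirtd builds a private /dev (selinux.dev tmpfs) for qemu and labels its device nodes`. The rules are unconditional; if only the qemu driver exercises them a tunable would narrow them, but whether that is practical is not shown by this patch.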
@@ -567,7 +576,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")

stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)

@@ -616,6 +625,9 @@ dev_rw_mtrr(virtd_t)
dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
+dev_relabel_all_dev_nodes(virtd_t)
+dev_relabel_generic_symlinks(virtd_t)
+dev_mounton(virtd_t)

domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
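Review bot: `dev_relabel_all_dev_nodes(virtd_t)` is broader than the denials quoted in the commit message, which all concern `/var/run/libvirt/qemu/selinux.dev/null` labelled virt_tmpfs_t and are already covered by the relabel rules added on virt_tmpfs_t earlier in this patch. If virtd_t really needs to relabel nodes under /dev as well, a comment naming that case would justify the interface; otherwise the narrower interfaces already present, such as `dev_relabel_generic_usb_dev(virtd_t)` on the line above, may suffice. `dev_mounton(virtd_t)` likewise has no matching denial on the page; presumably it serves the private /dev mount, but that is inferred.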
@@ -625,6 +637,7 @@ files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
+files_mounton_root(virtd_t)

# Manages /etc/sysconfig/system-config-firewall
# files_relabelto_system_conf_files(virtd_t)
@@ -639,6 +652,8 @@ fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
fs_manage_hugetlbfs_dirs(virtd_t)
fs_rw_hugetlbfs_files(virtd_t)
+fs_read_nsfs_files(virtd_t)
+fs_mount_tmpfs(virtd_t)

mls_fd_share_all_levels(virtd_t)
mls_file_read_to_clearance(virtd_t)
@@ -709,8 +724,6 @@ tunable_policy(`virt_use_samba',`

tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
- allow virtd_t self:process setrlimit;
- allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
')

@@ -1304,6 +1317,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
allow virtlockd_t self:capability dac_override;
allow virtlockd_t self:fifo_file rw_fifo_file_perms;

+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
allow virtlockd_t virt_image_type:dir list_dir_perms;
allow virtlockd_t virt_image_type:file rw_file_perms;

@@ -1322,7 +1339,7 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)

can_exec(virtlockd_t, virtlockd_exec_t)

-ps_process_pattern(virtlockd_t, virtd_t)
+kernel_read_system_state(virtlockd_t)

files_read_etc_files(virtlockd_t)
files_list_var_lib(virtlockd_t)
--
2.13.6

2017-10-31 01:40:17

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] virt: add policy for virtlogd

On 10/30/2017 02:38 AM, Jason Zaman wrote:
> ---
> virt.fc | 2 ++
> virt.te | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 48 insertions(+)
>
> diff --git a/virt.fc b/virt.fc
> index b1f9b1c..eb5ff0d 100644
> --- a/virt.fc
> +++ b/virt.fc
> @@ -30,6 +30,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
> /usr/bin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
> /usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
> /usr/bin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
> +/usr/bin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
> /usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
>
> /usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
> @@ -37,6 +38,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
> /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
> /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
> /usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
> +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
>
> /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
>
> diff --git a/virt.te b/virt.te
> index 364d7ca..e0605e0 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
> type virtlockd_var_lib_t;
> files_type(virtlockd_var_lib_t)
>
> +type virtlogd_t;
> +type virtlogd_exec_t;
> +init_daemon_domain(virtlogd_t, virtlogd_exec_t)
> +
> +type virtlogd_run_t;
> +files_pid_file(virtlogd_run_t)
> +
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
> + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
> ')
>
> ifdef(`enable_mls',`
> init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
> + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
> ')
>
> ########################################
> @@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
> allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
> allow virt_domain virtd_t:process sigchld;
>
> +allow virt_domain virtlogd_t:fd use;
> +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
> +
> dontaudit virt_domain virtd_t:unix_stream_socket { read write };
>
> manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
> @@ -468,6 +480,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
> allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
> allow virtd_t svirt_lxc_domain:process signal_perms;
>
> +allow virtd_t virtlogd_t:fd use;
> +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
> +
> allow virtd_t virtd_lxc_t:process { signal signull sigkill };
>
> domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
> @@ -554,6 +569,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
> stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
> stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
> stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
> +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
>
> can_exec(virtd_t, virt_tmp_t)
>
> @@ -1315,3 +1331,33 @@ miscfiles_read_localization(virtlockd_t)
>
> virt_append_log(virtlockd_t)
> virt_read_config(virtlockd_t)
> +
> +########################################
> +#
> +# Virtlogd local policy
> +#
> +
> +allow virtlogd_t self:fifo_file rw_fifo_file_perms;
> +
> +allow virtlogd_t virtd_t:dir list_dir_perms;
> +allow virtlogd_t virtd_t:file read_file_perms;
> +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
> +
> +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
> +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
> +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
> +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
> +
> +can_exec(virtlogd_t, virtlogd_exec_t)
> +
> +kernel_read_system_state(virtlogd_t)
> +
> +files_read_etc_files(virtlogd_t)
> +files_list_var_lib(virtlogd_t)
> +
> +miscfiles_read_localization(virtlogd_t)
> +
> +sysnet_dns_name_resolve(virtlogd_t)
> +
> +virt_manage_log(virtlogd_t)
> +virt_read_config(virtlogd_t)

Merged.

--
Chris PeBenito

2017-10-31 01:40:23

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] virt: updated perms for starting guests

On 10/30/2017 02:38 AM, Jason Zaman wrote:
> virtlockd doesnt need ps_process_pattern
> need to relabel to set categories and allow mount root in slave mode
> allow mounting devfs in run
> Already has dac_override so read_search is harmless
>
> libvirt errors:
> libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
> Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to switch root mount into slave mode: Permission denied
> Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
> Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
> Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Failed to make device /var/run/libvirt/qemu/selinux.dev/null: Permission denied
> Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null: Permission denied
>
> avc denials:
> avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
> avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
> avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
> avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
> ---
> virt.te | 33 +++++++++++++++++++++++++--------
> 1 file changed, 25 insertions(+), 8 deletions(-)
>
> diff --git a/virt.te b/virt.te
> index e0605e0..726b989 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -463,8 +463,8 @@ tunable_policy(`virt_use_vfio',`
> # virtd local policy
> #
>
> -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
> -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
> +allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
> +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
> allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
> allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
> allow virtd_t self:tcp_socket { accept listen };
> @@ -474,7 +474,7 @@ allow virtd_t self:packet_socket create_socket_perms;
> allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow virtd_t self:netlink_route_socket nlmsg_write;
>
> -allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
> +allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill };
> dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
>
> allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -497,6 +497,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
> allow virtd_t virtd_keytab_t:file read_file_perms;
>
> allow virtd_t svirt_var_run_t:file relabel_file_perms;
> +allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };
> manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
> manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
> manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
> @@ -525,9 +526,10 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
> manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
>
> allow virtd_t virt_image_type:file relabel_file_perms;
> +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
> allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
> allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
> -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
> +allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
>
> allow virtd_t virt_ptynode:chr_file rw_term_perms;
>
> @@ -537,7 +539,14 @@ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
>
> manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
> +allow virtd_t virt_tmpfs_t:dir mounton;
>
> # This needs a file context specification
> manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
> @@ -567,7 +576,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
> filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
>
> stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
> -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
> +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
> stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
> stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
>
> @@ -616,6 +625,9 @@ dev_rw_mtrr(virtd_t)
> dev_rw_vhost(virtd_t)
> dev_setattr_generic_usb_dev(virtd_t)
> dev_relabel_generic_usb_dev(virtd_t)
> +dev_relabel_all_dev_nodes(virtd_t)
> +dev_relabel_generic_symlinks(virtd_t)
> +dev_mounton(virtd_t)
>
> domain_use_interactive_fds(virtd_t)
> domain_read_all_domains_state(virtd_t)
> @@ -625,6 +637,7 @@ files_read_etc_runtime_files(virtd_t)
> files_search_all(virtd_t)
> files_read_kernel_modules(virtd_t)
> files_read_usr_src_files(virtd_t)
> +files_mounton_root(virtd_t)
>
> # Manages /etc/sysconfig/system-config-firewall
> # files_relabelto_system_conf_files(virtd_t)
> @@ -639,6 +652,8 @@ fs_manage_cgroup_dirs(virtd_t)
> fs_rw_cgroup_files(virtd_t)
> fs_manage_hugetlbfs_dirs(virtd_t)
> fs_rw_hugetlbfs_files(virtd_t)
> +fs_read_nsfs_files(virtd_t)
> +fs_mount_tmpfs(virtd_t)
>
> mls_fd_share_all_levels(virtd_t)
> mls_file_read_to_clearance(virtd_t)
> @@ -709,8 +724,6 @@ tunable_policy(`virt_use_samba',`
>
> tunable_policy(`virt_use_vfio',`
> allow virtd_t self:capability sys_resource;
> - allow virtd_t self:process setrlimit;
> - allow virtd_t svirt_t:process rlimitinh;
> dev_relabelfrom_vfio_dev(virtd_t)
> ')
>
> @@ -1304,6 +1317,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
> allow virtlockd_t self:capability dac_override;
> allow virtlockd_t self:fifo_file rw_fifo_file_perms;
>
> +allow virtlockd_t virtd_t:dir list_dir_perms;
> +allow virtlockd_t virtd_t:file read_file_perms;
> +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
> +
> allow virtlockd_t virt_image_type:dir list_dir_perms;
> allow virtlockd_t virt_image_type:file rw_file_perms;
>
> @@ -1322,7 +1339,7 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
>
> can_exec(virtlockd_t, virtlockd_exec_t)
>
> -ps_process_pattern(virtlockd_t, virtd_t)
> +kernel_read_system_state(virtlockd_t)
>
> files_read_etc_files(virtlockd_t)
> files_list_var_lib(virtlockd_t)

Merged.

--
Chris PeBenito