]> git.ipfire.org Git - people/stevee/selinux-policy.git/blame - policy/modules/services/virt.te
Merge upstream
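policy_module(virt, 1.4.0)

########################################
#
# Declarations
#
attribute virsh_transition_domain;

# Booleans. Each one gates a tunable_policy block further down in this
# module; the rules there show exactly what is granted and to which domain.
# Every boolean defaults to false except virt_use_usb, so out of the box
# svirt_t already receives the usbfs, sysfs-read and fs_manage_dos_* access
# listed under that tunable. Hosts that never pass USB devices to guests can
# switch it off.

## <desc>
## <p>
## Allow virt to use serial/parallel communication ports
## </p>
## </desc>
gen_tunable(virt_use_comm, false)

## <desc>
## <p>
## Allow virt to read fuse files
## </p>
## </desc>
gen_tunable(virt_use_fusefs, false)

## <desc>
## <p>
## Allow virt to manage nfs files
## </p>
## </desc>
gen_tunable(virt_use_nfs, false)

## <desc>
## <p>
## Allow virt to manage cifs files
## </p>
## </desc>
gen_tunable(virt_use_samba, false)

## <desc>
## <p>
## Allow virt to manage device configuration, (pci)
## </p>
## </desc>
gen_tunable(virt_use_sysfs, false)

## <desc>
## <p>
## Allow virtual machine to interact with the xserver
## </p>
## </desc>
gen_tunable(virt_use_xserver, false)

## <desc>
## <p>
## Allow virt to use usb devices
## </p>
## </desc>
gen_tunable(virt_use_usb, true)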
57
# Guest domain instantiated from the module template.
# NOTE(review): virt_domain_template is defined outside this file; it is
# expected to declare svirt_t and svirt_image_t, both used below - confirm.
virt_domain_template(svirt)
role system_r types svirt_t;

# virt_domain groups every guest domain, virt_image_type every image type.
# Rules written against these attributes apply to all members at once.
attribute virt_domain;
attribute virt_image_type;

type virt_cache_t alias svirt_cache_t;
files_type(virt_cache_t)

# Read-only configuration versus configuration the daemon rewrites.
type virt_etc_t;
files_config_file(virt_etc_t)

type virt_etc_rw_t;
files_type(virt_etc_rw_t)

# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)
files_mountpoint(virt_image_t)

# virt content files: an image type that is also user home content
type virt_content_t; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)

type virt_tmp_t;
files_tmp_file(virt_tmp_t)

# NOTE(review): mls_trusted_object presumably exempts the type from the MLS
# level checks on access; confirm against the mls module before relying on
# level separation for these log files.
type virt_log_t;
logging_log_file(virt_log_t)
mls_trusted_object(virt_log_t)

type virt_var_run_t;
files_pid_file(virt_var_run_t)

type virt_var_lib_t;
files_mountpoint(virt_var_lib_t)

# The management daemon.
# NOTE(review): by name, the two *_id_change_exemption calls lift the
# identity-change constraints on objects and subjects for virtd_t; confirm
# against the domain module. This is a privilege, not a plain declaration.
type virtd_t;
type virtd_exec_t;
init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)

type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)

# Runtime files of the guests; svirt_var_run_t is kept as an alias.
type qemu_var_run_t;
typealias qemu_var_run_t alias svirt_var_run_t;
files_pid_file(qemu_var_run_t)
mls_trusted_object(qemu_var_run_t)

# With MCS or MLS enabled the daemon is started with the range
# s0 - systemhigh instead of a single level.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
117
########################################
#
# svirt local policy
#
# Rules specific to svirt_t, the guest domain created by the template.
# Rules shared by all guest domains are written against virt_domain in the
# common section of this module.

allow svirt_t self:udp_socket create_socket_perms;

# Generic images: symlinks only. Full management is limited to the
# svirt_image_t type.
read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)

allow svirt_t svirt_image_t:dir search_dir_perms;
manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
manage_fifo_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)

# Content is list/read only. The dontaudit rules keep the resulting write
# denials out of the audit log, so a guest probing for write access to
# virt_content_t leaves no AVC record.
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
read_files_pattern(svirt_t, virt_content_t, virt_content_t)
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;

# Network: UDP send/receive and bind on all ports, TCP bind and connect on
# all ports. Port typing does not narrow what a guest process can reach;
# any restriction has to come from elsewhere, for example packet filtering.
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)

dev_list_sysfs(svirt_t)

userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
151
# Boolean-gated access for svirt_t. Nothing in these blocks is granted
# while the named boolean is off.

# Serial and parallel ports: unallocated ttys and the printer device.
tunable_policy(`virt_use_comm',`
	term_use_unallocated_ttys(svirt_t)
	dev_rw_printer(svirt_t)
')

# FUSE: read-only (files and symlinks).
tunable_policy(`virt_use_fusefs',`
	fs_read_fusefs_files(svirt_t)
	fs_read_fusefs_symlinks(svirt_t)
')

# NFS: manage access. NFS content is not labelled per guest, so with this
# boolean on every svirt_t process gets the same access to all of it.
tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(svirt_t)
	fs_manage_nfs_files(svirt_t)
	fs_manage_nfs_named_sockets(svirt_t)
	fs_read_nfs_symlinks(svirt_t)
')
168
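# CIFS access for the guest domain, parallel to the virt_use_nfs block for
# svirt_t. All four rules name svirt_t: this is the svirt section, and
# virtd_t receives its own CIFS symlink rule under the same boolean in the
# virtd section. Naming virtd_t here would leave svirt_t able to manage
# CIFS dirs, files and sockets but not follow CIFS symlinks.
tunable_policy(`virt_use_samba',`
	fs_manage_cifs_dirs(svirt_t)
	fs_manage_cifs_files(svirt_t)
	fs_manage_cifs_named_sockets(svirt_t)
	fs_read_cifs_symlinks(svirt_t)
')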
175
# Read/write sysfs for device configuration (the boolean description
# mentions pci). Without it svirt_t can only list sysfs.
tunable_policy(`virt_use_sysfs',`
	dev_rw_sysfs(svirt_t)
')

# USB: this boolean is declared with default true, so these four grants are
# active on a stock policy.
tunable_policy(`virt_use_usb',`
	dev_rw_usbfs(svirt_t)
	dev_read_sysfs(svirt_t)
	fs_manage_dos_dirs(svirt_t)
	fs_manage_dos_files(svirt_t)
')

# Stream connection to the X server, only when the xserver module is
# present and the boolean is on.
optional_policy(`
	tunable_policy(`virt_use_xserver',`
		xserver_stream_connect(svirt_t)
	')
')
192
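# Read/write access to Xen image files when the xen module is present.
# Stated once; a second identical optional_policy block adds no permission.
optional_policy(`
	xen_rw_image_files(svirt_t)
')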
200
########################################
#
# virtd local policy
#
# Rules for the management daemon. This is the most privileged domain in
# the module; review changes here with that in mind.

# Capabilities include sys_admin, sys_ptrace, dac_override, net_admin,
# mknod and setuid/setgid. Together they leave few DAC-level limits on the
# daemon, so type enforcement is the main remaining boundary.
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
# setexec, setfscreate and setsockcreate let the daemon choose the security
# context of what it executes and of the files and sockets it creates
# (presumably how per-guest labels are applied - confirm). execmem allows
# executable anonymous memory in the daemon itself.
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };

allow virtd_t self:fifo_file rw_fifo_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
allow virtd_t self:tun_socket create_socket_perms;
allow virtd_t self:rawip_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
3079cbce 215
# File access of the daemon, grouped by type.

manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)

manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)

# Control over every guest domain: start (transition), schedule, signal
# and kill.
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };

# Guest runtime files: manage, relabel, and connect to the guest over the
# sockets kept there.
allow virtd_t qemu_var_run_t:file relabel_file_perms;
manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)

# virt_etc_t is read-only for the daemon; directories it creates under
# virt_etc_t get the writable virt_etc_rw_t type.
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)

manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)

# All image types, files and block devices: manage and relabel. Relabeling
# is what moves an image between types, so a compromise of virtd_t defeats
# the separation between image types.
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file relabel_file_perms;
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;

# NOTE(review): can_exec on a type the daemon also writes means virtd_t can
# execute files it created in its own tmp area. Check whether this is still
# required before keeping it.
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
can_exec(virtd_t, virt_tmp_t)

manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })

manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })

manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
262
# Kernel interfaces: state and sysctl reads, writable network sysctls, and
# the right to request module loads.
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)

# The daemon may run generic binaries and a shell in its own domain.
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)

# Network: TCP send/receive on all ports, but bind only to the virt and
# vnc port types and connect only to the vnc and soundd port types.
corenet_all_recvfrom_unlabeled(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
corenet_tcp_bind_virt_port(virtd_t)
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)

# Devices: read/write on sysfs, kvm, mtrr and vhost.
dev_rw_sysfs(virtd_t)
dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
dev_rw_vhost(virtd_t)
eb421639
CP
291
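# Init script handling
domain_use_interactive_fds(virtd_t)
# Read access to the state of every domain on the host.
domain_read_all_domains_state(virtd_t)

# Each interface is called once; repeated calls add no permission and only
# make the grant list harder to audit.
files_read_usr_files(virtd_t)
files_read_etc_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
# The daemon may relabel files to and from the system_conf type, in
# addition to managing them below.
files_relabelto_system_conf_files(virtd_t)
files_relabelfrom_system_conf_files(virtd_t)

# Manages /etc/sysconfig/system-config-firewall
files_manage_system_conf_files(virtd_t)
files_etc_filetrans_system_conf(virtd_t)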
eb421639
CP
311
# Filesystems: cgroup directories and files, and hugetlbfs.
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
fs_manage_hugetlbfs_dirs(virtd_t)
fs_rw_hugetlbfs_files(virtd_t)

# MLS/MCS privileges. By interface name these let the daemon read and write
# files, processes and sockets up to its clearance, act as a range
# transition source and set process categories - confirm the exact
# semantics against the mls and mcs modules. They are what allows one
# daemon to serve guests at different levels or categories.
mls_fd_share_all_levels(virtd_t)
mls_file_read_to_clearance(virtd_t)
mls_file_write_to_clearance(virtd_t)
mls_process_read_to_clearance(virtd_t)
mls_process_write_to_clearance(virtd_t)
mls_net_write_within_range(virtd_t)
mls_socket_write_to_clearance(virtd_t)
mls_socket_read_to_clearance(virtd_t)
mls_rangetrans_source(virtd_t)

mcs_process_set_categories(virtd_t)

# Storage: manage and relabel fixed disks, raw read/write on removable
# devices. This is direct access to host block devices.
storage_manage_fixed_disk(virtd_t)
storage_relabel_fixed_disk(virtd_t)
storage_raw_write_removable_device(virtd_t)
storage_raw_read_removable_device(virtd_t)

term_getattr_pty_fs(virtd_t)
term_use_generic_ptys(virtd_t)
term_use_ptmx(virtd_t)

auth_use_nsswitch(virtd_t)

miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)

# Kernel module configuration is writable by the daemon, not only readable.
modutils_read_module_deps(virtd_t)
modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)

logging_send_syslog_msg(virtd_t)

selinux_validate_context(virtd_t)

seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
seutil_read_file_contexts(virtd_t)

sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)

# User home content: list, read, relabel and setattr.
userdom_list_admin_dir(virtd_t)
userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
userdom_read_user_home_content_files(virtd_t)
userdom_relabel_user_home_files(virtd_t)
userdom_setattr_user_home_content_files(virtd_t)

consoletype_exec(virtd_t)
372
eb421639
CP
# NFS access for the daemon, active only while virt_use_nfs is on. The same
# boolean also opens NFS to svirt_t in the svirt section.
tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(virtd_t)
	fs_manage_nfs_files(virtd_t)
	fs_read_nfs_symlinks(virtd_t)
')
378
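# CIFS access for the daemon, parallel to the virt_use_nfs block for
# virtd_t: dirs, files, symlinks. Only CIFS interfaces belong here. An NFS
# grant under this boolean would hand virtd_t NFS file management whenever
# virt_use_samba is on, even with virt_use_nfs off.
tunable_policy(`virt_use_samba',`
	fs_manage_cifs_dirs(virtd_t)
	fs_manage_cifs_files(virtd_t)
	fs_read_cifs_symlinks(virtd_t)
')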
384
# Optional integrations for the daemon. Each block takes effect only when
# the named module is part of the policy. The *_domtrans calls run the
# helper in its own domain rather than in virtd_t.

optional_policy(`
	brctl_domtrans(virtd_t)
')

optional_policy(`
	dbus_system_bus_client(virtd_t)

	optional_policy(`
		avahi_dbus_chat(virtd_t)
	')

	optional_policy(`
		consolekit_dbus_chat(virtd_t)
	')

	optional_policy(`
		hal_dbus_chat(virtd_t)
	')
')

optional_policy(`
	dnsmasq_domtrans(virtd_t)
	dnsmasq_signal(virtd_t)
	dnsmasq_kill(virtd_t)
	dnsmasq_read_pid_files(virtd_t)
	dnsmasq_signull(virtd_t)
')

optional_policy(`
	iptables_domtrans(virtd_t)
	iptables_initrc_domtrans(virtd_t)

	# Manages /etc/sysconfig/system-config-firewall
	iptables_manage_config(virtd_t)
')

optional_policy(`
	kerberos_keytab_template(virtd, virtd_t)
')

optional_policy(`
	lvm_domtrans(virtd_t)
')

optional_policy(`
	policykit_dbus_chat(virtd_t)
	policykit_domtrans_auth(virtd_t)
	policykit_domtrans_resolve(virtd_t)
	policykit_read_lib(virtd_t)
')
eb421639
CP
435
# qemu: the daemon starts, inspects, signals and reschedules qemu. The last
# two calls are made for virt_domain, not virtd_t: every guest domain may
# be entered through, and may execute, the qemu binary.
optional_policy(`
	qemu_domtrans(virtd_t)
	qemu_read_state(virtd_t)
	qemu_signal(virtd_t)
	qemu_kill(virtd_t)
	qemu_setsched(virtd_t)
	qemu_entry_type(virt_domain)
	qemu_exec(virt_domain)
')

optional_policy(`
	sasl_connect(virtd_t)
')

optional_policy(`
	kernel_read_xen_state(virtd_t)
	kernel_write_xen_state(virtd_t)

	xen_stream_connect(virtd_t)
	xen_stream_connect_xenstore(virtd_t)
	xen_read_image_files(virtd_t)
')

optional_policy(`
	udev_domtrans(virtd_t)
	udev_read_db(virtd_t)
')

# NOTE(review): when the unconfined module is part of the policy this makes
# virtd_t an unconfined domain. The enumerated virtd_t rules in this file
# then no longer describe the effective limit on the daemon. Check which
# case applies to the deployed policy before treating the daemon as
# confined. Guest domains are not touched by this call.
optional_policy(`
	unconfined_domain(virtd_t)
')
3079cbce
CP
467
########################################
#
# virtual domains common policy
#
# Rules written against the virt_domain attribute, so they apply to every
# guest domain, svirt_t included.

# Every guest process may override DAC checks (dac_override,
# dac_read_search) and map executable memory and an executable stack
# (execmem, execstack). With these, file mode bits and W^X give no
# protection against a compromised guest process; the type and category
# labels are the boundary.
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
allow virt_domain self:fifo_file rw_file_perms;
allow virt_domain self:shm create_shm_perms;
allow virt_domain self:unix_stream_socket create_stream_socket_perms;
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
files_var_filetrans(virt_domain, virt_cache_t, { file dir })

# Guest runtime files, and the stream connection back to the daemon.
manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)

# Denials of siginh, noatsecure and rlimitinh on the daemon-to-guest
# transition are not logged.
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };

# Append-only access to the log and lib types from this section.
append_files_pattern(virt_domain, virt_log_t, virt_log_t)

append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
497
kernel_read_system_state(virt_domain)

# Guests may run generic binaries and a shell in the guest domain.
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)

# Network for all guest domains: TCP send/receive on all ports, bind to the
# vnc and virt_migration port types, connect to virt_migration.
corenet_all_recvfrom_unlabeled(virt_domain)
corenet_all_recvfrom_netlabel(virt_domain)
corenet_tcp_sendrecv_generic_if(virt_domain)
corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)

# Devices: sound, ksm, kvm, qemu and vhost, plus the random devices.
dev_read_generic_symlinks(virt_domain)
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
dev_rw_vhost(virt_domain)

domain_use_interactive_fds(virt_domain)

files_read_etc_files(virt_domain)
files_read_mnt_symlinks(virt_domain)
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)

fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
fs_getattr_hugetlbfs(virt_domain)

# I think we need these for now.
# NOTE(review): the original author marked the next two grants as
# provisional. Raw read of removable devices by every guest domain is worth
# re-checking.
miscfiles_read_public_files(virt_domain)
storage_raw_read_removable_device(virt_domain)

# term_use_all_terms already covers all terminal types; the narrower pty
# calls after it are kept as written.
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)

auth_use_nsswitch(virt_domain)

logging_send_syslog_msg(virt_domain)

miscfiles_read_localization(virt_domain)

optional_policy(`
	ptchown_domtrans(virt_domain)
')

optional_policy(`
	pulseaudio_dontaudit_exec(virt_domain)
')

# Access to this module through its own interfaces: read config, lib files
# and content, and connect to the daemon.
optional_policy(`
	virt_read_config(virt_domain)
	virt_read_lib_files(virt_domain)
	virt_read_content(virt_domain)
	virt_stream_connect(virt_domain)
')
3eaa9939
DW
566
########################################
#
# virsh local policy (xm_t and xm_exec_t are kept as aliases)
#
type virsh_t;
type virsh_exec_t;
domain_type(virsh_t)
init_system_domain(virsh_t, virsh_exec_t)
typealias virsh_t alias xm_t;
typealias virsh_exec_t alias xm_exec_t;

allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
allow virsh_t self:process { getcap getsched setcap signal };

# internal communication is often done using fifo and unix sockets.
allow virsh_t self:fifo_file rw_fifo_file_perms;
allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow virsh_t self:tcp_socket create_stream_socket_perms;

# The client tool manages all image types directly, in addition to talking
# to the daemon.
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)

dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;

# Kernel state, including read and write on Xen state.
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
kernel_read_sysctl(virsh_t)
kernel_read_xen_state(virsh_t)
kernel_write_xen_state(virsh_t)

corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)

corenet_tcp_sendrecv_generic_if(virsh_t)
corenet_tcp_sendrecv_generic_node(virsh_t)
corenet_tcp_connect_soundd_port(virsh_t)

dev_read_urand(virsh_t)
dev_read_sysfs(virsh_t)

files_read_etc_runtime_files(virsh_t)
files_read_usr_files(virsh_t)
files_list_mnt(virsh_t)
# Some common macros (you might be able to remove some)
files_read_etc_files(virsh_t)

fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
fs_manage_xenfs_files(virsh_t)
fs_search_auto_mountpoints(virsh_t)

# Raw read of fixed disks: the tool can read host block devices directly.
storage_raw_read_fixed_disk(virsh_t)

term_use_all_terms(virsh_t)

init_stream_connect_script(virsh_t)
init_rw_script_stream_sockets(virsh_t)
init_use_fds(virsh_t)

miscfiles_read_localization(virsh_t)

sysnet_dns_name_resolve(virsh_t)
631
# Optional integrations for virsh_t. Each block takes effect only when the
# named module is part of the policy.

optional_policy(`
	xen_manage_image_dirs(virsh_t)
	xen_append_log(virsh_t)
	xen_stream_connect(virsh_t)
	xen_stream_connect_xenstore(virsh_t)
')

optional_policy(`
	dbus_system_bus_client(virsh_t)

	optional_policy(`
		hal_dbus_chat(virsh_t)
	')
')

optional_policy(`
	vhostmd_rw_tmpfs_files(virsh_t)
	vhostmd_stream_connect(virsh_t)
	vhostmd_dontaudit_rw_stream_connect(virsh_t)
')

# Access to this module through its own interfaces, including a domain
# transition and management of images and configuration.
optional_policy(`
	virt_domtrans(virsh_t)
	virt_manage_images(virsh_t)
	virt_manage_config(virsh_t)
	virt_stream_connect(virsh_t)
')

# SSH client domain derived for virsh. The rules below refer to
# virsh_ssh_t, which is presumably declared by the ssh template - confirm
# against the ssh module.
optional_policy(`
	ssh_basic_client_template(virsh, virsh_t, system_r)

	kernel_read_xen_state(virsh_ssh_t)
	kernel_write_xen_state(virsh_ssh_t)

	dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
	files_search_tmp(virsh_ssh_t)

	fs_manage_xenfs_dirs(virsh_ssh_t)
	fs_manage_xenfs_files(virsh_ssh_t)

	userdom_search_admin_dir(virsh_ssh_t)
')
674