projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| a3cf80d8 | 1 | |
| 75beb950 | 2 | policy_module(xen,1.0.10) |
| a3cf80d8 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| 8 | ||
| 9 | # console ptys | |
| 10 | type xen_devpts_t; | |
| 11 | term_pty(xen_devpts_t); | |
| 12 | files_type(xen_devpts_t); | |
| 13 | ||
| 522b59bb CP |
14 | # Xen Image files |
| 15 | type xen_image_t; # customizable | |
| 16 | files_type(xen_image_t) | |
| 17 | ||
| a3cf80d8 CP |
18 | type xend_t; |
| 19 | type xend_exec_t; | |
| 20 | domain_type(xend_t) | |
| 21 | init_daemon_domain(xend_t, xend_exec_t) | |
| 22 | ||
| 23 | # var/lib files | |
| 24 | type xend_var_lib_t; | |
| 25 | files_type(xend_var_lib_t) | |
| cdc86ee5 CP |
26 | # for mounting an NFS store |
| 27 | files_mountpoint(xend_var_lib_t) | |
| a3cf80d8 CP |
28 | |
| 29 | # log files | |
| 30 | type xend_var_log_t; | |
| 31 | logging_log_file(xend_var_log_t) | |
| 32 | ||
| 33 | # pid files | |
| 34 | type xend_var_run_t; | |
| 35 | files_pid_file(xend_var_run_t) | |
| 36 | ||
| 37 | type xenstored_t; | |
| 38 | type xenstored_exec_t; | |
| 39 | domain_type(xenstored_t) | |
| 40 | domain_entry_file(xenstored_t,xenstored_exec_t) | |
| 41 | role system_r types xenstored_t; | |
| 42 | ||
| 43 | # var/lib files | |
| 44 | type xenstored_var_lib_t; | |
| 45 | files_type(xenstored_var_lib_t) | |
| 46 | ||
| 47 | # pid files | |
| 48 | type xenstored_var_run_t; | |
| 49 | files_pid_file(xenstored_var_run_t) | |
| 50 | ||
| 51 | type xenconsoled_t; | |
| 52 | type xenconsoled_exec_t; | |
| 53 | domain_type(xenconsoled_t) | |
| 54 | domain_entry_file(xenconsoled_t,xenconsoled_exec_t) | |
| 55 | role system_r types xenconsoled_t; | |
| 56 | ||
| 57 | # pid files | |
| 58 | type xenconsoled_var_run_t; | |
| 59 | files_pid_file(xenconsoled_var_run_t) | |
| 60 | ||
| e9935943 CP |
61 | type xm_t; |
| 62 | type xm_exec_t; | |
| 63 | domain_type(xm_t) | |
| 64 | init_daemon_domain(xm_t, xm_exec_t) | |
| 65 | ||
| a3cf80d8 CP |
66 | ######################################## |
| 67 | # | |
| 68 | # xend local policy | |
| 69 | # | |
| 70 | ||
| 123a990b | 71 | allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; |
| a5e2133b | 72 | dontaudit xend_t self:capability { sys_ptrace }; |
| a3cf80d8 | 73 | allow xend_t self:process { signal sigkill }; |
| a5e2133b | 74 | dontaudit xend_t self:process ptrace; |
| a3cf80d8 CP |
75 | # internal communication is often done using fifo and unix sockets. |
| 76 | allow xend_t self:fifo_file rw_file_perms; | |
| 77 | allow xend_t self:unix_stream_socket create_stream_socket_perms; | |
| 78 | allow xend_t self:unix_dgram_socket create_socket_perms; | |
| 79 | allow xend_t self:netlink_route_socket r_netlink_socket_perms; | |
| 80 | allow xend_t self:tcp_socket create_stream_socket_perms; | |
| 81 | allow xend_t self:packet_socket create_socket_perms; | |
| 82 | ||
| 522b59bb | 83 | allow xend_t xen_image_t:dir r_dir_perms; |
| a5e2133b | 84 | allow xend_t xen_image_t:file rw_file_perms; |
| 522b59bb | 85 | |
| a3cf80d8 CP |
86 | # pid file |
| 87 | allow xend_t xend_var_run_t:file manage_file_perms; | |
| 88 | allow xend_t xend_var_run_t:sock_file manage_file_perms; | |
| 87eb5c84 | 89 | allow xend_t xend_var_run_t:dir { setattr rw_dir_perms }; |
| a3cf80d8 CP |
90 | files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file }) |
| 91 | ||
| 92 | # log files | |
| 93 | allow xend_t xend_var_log_t:file create_file_perms; | |
| 94 | allow xend_t xend_var_log_t:sock_file create_file_perms; | |
| 95 | allow xend_t xend_var_log_t:dir { rw_dir_perms setattr }; | |
| 96 | logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir }) | |
| 97 | ||
| 98 | # var/lib files for xend | |
| 99 | allow xend_t xend_var_lib_t:file create_file_perms; | |
| 100 | allow xend_t xend_var_lib_t:sock_file create_file_perms; | |
| 522b59bb | 101 | allow xend_t xend_var_lib_t:fifo_file create_file_perms; |
| a3cf80d8 | 102 | allow xend_t xend_var_lib_t:dir create_dir_perms; |
| 522b59bb | 103 | files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir }) |
| a3cf80d8 CP |
104 | |
| 105 | # transition to store | |
| 106 | domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t) | |
| 107 | allow xenstored_t xend_t:fd use; | |
| 108 | allow xenstored_t xend_t:process sigchld; | |
| 109 | allow xenstored_t xend_t:fifo_file write; | |
| 110 | ||
| 111 | # transition to console | |
| 112 | domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t) | |
| 113 | allow xenconsoled_t xend_t:fd use; | |
| 114 | ||
| 115 | kernel_read_kernel_sysctls(xend_t) | |
| 116 | kernel_read_system_state(xend_t) | |
| 117 | kernel_write_xen_state(xend_t) | |
| 118 | kernel_read_xen_state(xend_t) | |
| 119 | kernel_rw_net_sysctls(xend_t) | |
| 120 | kernel_read_network_state(xend_t) | |
| 121 | ||
| 122 | corecmd_exec_sbin(xend_t) | |
| 123 | corecmd_exec_bin(xend_t) | |
| 124 | corecmd_exec_shell(xend_t) | |
| 125 | ||
| 35a4b349 | 126 | corenet_non_ipsec_sendrecv(xend_t) |
| a3cf80d8 CP |
127 | corenet_tcp_sendrecv_all_if(xend_t) |
| 128 | corenet_tcp_sendrecv_all_nodes(xend_t) | |
| 129 | corenet_tcp_sendrecv_all_ports(xend_t) | |
| 522b59bb | 130 | corenet_tcp_bind_all_nodes(xend_t) |
| a3cf80d8 CP |
131 | corenet_tcp_bind_xen_port(xend_t) |
| 132 | corenet_tcp_bind_soundd_port(xend_t) | |
| a5e2133b | 133 | corenet_tcp_bind_generic_port(xend_t) |
| 75beb950 | 134 | corenet_tcp_bind_vnc_port(xend_t) |
| 35a4b349 CP |
135 | corenet_sendrecv_xen_server_packets(xend_t) |
| 136 | corenet_sendrecv_soundd_server_packets(xend_t) | |
| a5e2133b | 137 | corenet_rw_tun_tap_dev(xend_t) |
| a3cf80d8 CP |
138 | |
| 139 | dev_read_urand(xend_t) | |
| 140 | dev_manage_xen(xend_t) | |
| 141 | dev_filetrans_xen(xend_t) | |
| 142 | dev_rw_sysfs(xend_t) | |
| 143 | ||
| 144 | domain_read_all_domains_state(xend_t) | |
| 145 | domain_dontaudit_read_all_domains_state(xend_t) | |
| a5e2133b | 146 | domain_dontaudit_ptrace_all_domains(xend_t) |
| a3cf80d8 CP |
147 | |
| 148 | files_read_etc_files(xend_t) | |
| cdc86ee5 | 149 | files_read_kernel_symbol_table(xend_t) |
| 0e1c461e | 150 | files_read_kernel_img(xend_t) |
| 522b59bb CP |
151 | files_manage_etc_runtime_files(xend_t) |
| 152 | files_etc_filetrans_etc_runtime(xend_t,file) | |
| a5e2133b | 153 | files_read_usr_files(xend_t) |
| a3cf80d8 CP |
154 | |
| 155 | storage_raw_read_fixed_disk(xend_t) | |
| 156 | ||
| a5e2133b CP |
157 | term_getattr_all_user_ptys(xend_t) |
| 158 | term_use_generic_ptys(xend_t) | |
| 159 | term_use_ptmx(xend_t) | |
| 160 | term_getattr_pty_fs(xend_t) | |
| a3cf80d8 CP |
161 | |
| 162 | init_use_fds(xend_t) | |
| a5e2133b | 163 | init_use_script_ptys(xend_t) |
| a3cf80d8 CP |
164 | |
| 165 | libs_use_ld_so(xend_t) | |
| 166 | libs_use_shared_libs(xend_t) | |
| 167 | ||
| 168 | logging_send_syslog_msg(xend_t) | |
| 169 | ||
| 170 | miscfiles_read_localization(xend_t) | |
| 171 | ||
| 172 | sysnet_domtrans_dhcpc(xend_t) | |
| 173 | sysnet_signal_dhcpc(xend_t) | |
| 174 | sysnet_domtrans_ifconfig(xend_t) | |
| 175 | sysnet_dns_name_resolve(xend_t) | |
| 176 | sysnet_delete_dhcpc_pid(xend_t) | |
| 177 | sysnet_read_dhcpc_pid(xend_t) | |
| 178 | ||
| 75beb950 CP |
179 | userdom_dontaudit_search_sysadm_home_dirs(xend_t) |
| 180 | ||
| a3cf80d8 CP |
181 | xen_stream_connect_xenstore(xend_t) |
| 182 | ||
| 123a990b CP |
183 | netutils_domtrans(xend_t) |
| 184 | ||
| 87eb5c84 | 185 | optional_policy(` |
| 46551033 | 186 | consoletype_exec(xend_t) |
| 87eb5c84 CP |
187 | ') |
| 188 | ||
| a3cf80d8 CP |
189 | ######################################## |
| 190 | # | |
| 191 | # Xen console local policy | |
| 192 | # | |
| 193 | ||
| 194 | allow xenconsoled_t self:capability { dac_override fsetid ipc_lock }; | |
| 195 | allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms; | |
| 196 | allow xenconsoled_t self:fifo_file { read write }; | |
| 197 | ||
| 198 | allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; | |
| 199 | ||
| 200 | # pid file | |
| 201 | allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms; | |
| 202 | allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms; | |
| 203 | allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms; | |
| 204 | files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file }) | |
| 205 | ||
| 206 | kernel_read_kernel_sysctls(xenconsoled_t) | |
| 207 | kernel_write_xen_state(xenconsoled_t) | |
| 208 | kernel_read_xen_state(xenconsoled_t) | |
| 209 | ||
| a5e2133b CP |
210 | domain_dontaudit_ptrace_all_domains(xenconsoled_t) |
| 211 | ||
| a3cf80d8 | 212 | term_create_pty(xenconsoled_t,xen_devpts_t); |
| a5e2133b | 213 | term_use_generic_ptys(xenconsoled_t) |
| 87eb5c84 | 214 | term_use_console(xenconsoled_t) |
| a3cf80d8 CP |
215 | |
| 216 | init_use_fds(xenconsoled_t) | |
| a5e2133b | 217 | init_use_script_ptys(xenconsoled_t) |
| a3cf80d8 CP |
218 | |
| 219 | libs_use_ld_so(xenconsoled_t) | |
| 220 | libs_use_shared_libs(xenconsoled_t) | |
| 221 | ||
| 222 | miscfiles_read_localization(xenconsoled_t) | |
| 223 | ||
| 224 | xen_append_log(xenconsoled_t) | |
| 225 | xen_stream_connect_xenstore(xenconsoled_t) | |
| 226 | ||
| 227 | ######################################## | |
| 228 | # | |
| 229 | # Xen store local policy | |
| 230 | # | |
| 231 | ||
| 232 | allow xenstored_t self:capability { dac_override mknod ipc_lock }; | |
| 233 | allow xenstored_t self:unix_stream_socket create_stream_socket_perms; | |
| 87eb5c84 | 234 | allow xenstored_t self:unix_dgram_socket create_socket_perms; |
| a3cf80d8 CP |
235 | |
| 236 | # pid file | |
| 237 | allow xenstored_t xenstored_var_run_t:file manage_file_perms; | |
| 238 | allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms; | |
| 239 | allow xenstored_t xenstored_var_run_t:dir rw_dir_perms; | |
| 240 | files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file }) | |
| 241 | ||
| 242 | # var/lib files for xenstored | |
| 243 | allow xenstored_t xenstored_var_lib_t:file create_file_perms; | |
| 244 | allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms; | |
| 245 | allow xenstored_t xenstored_var_lib_t:dir create_dir_perms; | |
| 246 | files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file }) | |
| 247 | ||
| 248 | kernel_write_xen_state(xenstored_t) | |
| 249 | kernel_read_xen_state(xenstored_t) | |
| 250 | ||
| 251 | dev_create_generic_dirs(xenstored_t) | |
| 252 | dev_manage_xen(xenconsoled_t) | |
| 253 | dev_filetrans_xen(xenstored_t) | |
| cdc86ee5 | 254 | dev_rw_xen(xenstored_t) |
| a3cf80d8 | 255 | |
| a5e2133b CP |
256 | term_use_generic_ptys(xenstored_t) |
| 257 | term_use_console(xenconsoled_t) | |
| a3cf80d8 CP |
258 | |
| 259 | init_use_fds(xenstored_t) | |
| a5e2133b | 260 | init_use_script_ptys(xenstored_t) |
| a3cf80d8 CP |
261 | |
| 262 | libs_use_ld_so(xenstored_t) | |
| 263 | libs_use_shared_libs(xenstored_t) | |
| 264 | ||
| 87eb5c84 CP |
265 | logging_send_syslog_msg(xenstored_t) |
| 266 | ||
| a3cf80d8 CP |
267 | miscfiles_read_localization(xenstored_t) |
| 268 | ||
| 269 | xen_append_log(xenstored_t) | |
| e9935943 CP |
270 | |
| 271 | ######################################## | |
| 272 | # | |
| 273 | # xm local policy | |
| 274 | # | |
| 275 | ||
| 123a990b CP |
276 | allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; |
| 277 | ||
| e9935943 CP |
278 | # internal communication is often done using fifo and unix sockets. |
| 279 | allow xm_t self:fifo_file { read write }; | |
| 280 | allow xm_t self:unix_stream_socket create_stream_socket_perms; | |
| 281 | ||
| 522b59bb CP |
282 | allow xm_t xend_var_lib_t:dir rw_dir_perms; |
| 283 | allow xm_t xend_var_lib_t:fifo_file create_file_perms; | |
| 284 | allow xm_t xend_var_lib_t:file create_file_perms; | |
| 285 | files_search_var_lib(xm_t) | |
| 286 | ||
| 123a990b CP |
287 | allow xm_t xen_image_t:dir rw_dir_perms; |
| 288 | allow xm_t xen_image_t:file r_file_perms; | |
| 289 | ||
| e9935943 CP |
290 | kernel_read_system_state(xm_t) |
| 291 | kernel_read_kernel_sysctls(xm_t) | |
| 292 | kernel_read_xen_state(xm_t) | |
| 293 | kernel_write_xen_state(xm_t) | |
| 294 | ||
| 295 | corecmd_exec_bin(xm_t) | |
| 296 | corecmd_exec_sbin(xm_t) | |
| 297 | ||
| 298 | dev_read_urand(xm_t) | |
| 299 | ||
| 522b59bb CP |
300 | files_read_etc_runtime_files(xm_t) |
| 301 | files_read_usr_files(xm_t) | |
| 302 | files_list_mnt(xm_t) | |
| e9935943 CP |
303 | # Some common macros (you might be able to remove some) |
| 304 | files_read_etc_files(xm_t) | |
| 305 | ||
| 306 | term_use_all_terms(xm_t) | |
| 307 | ||
| 522b59bb | 308 | init_rw_script_stream_sockets(xm_t) |
| 123a990b | 309 | init_use_fds(xm_t) |
| 522b59bb | 310 | |
| e9935943 CP |
311 | libs_use_ld_so(xm_t) |
| 312 | libs_use_shared_libs(xm_t) | |
| 313 | ||
| 314 | miscfiles_read_localization(xm_t) | |
| 315 | ||
| 316 | xen_append_log(xm_t) | |
| 317 | xen_stream_connect(xm_t) | |
| 318 | xen_stream_connect_xenstore(xm_t) |