[people/stevee/selinux-policy.git] / refpolicy / policy / modules / system / xen.te


policy_module(xen,1.0.1)

########################################
#
# Declarations
#

# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t);
files_type(xen_devpts_t);

type xend_t;
type xend_exec_t;
domain_type(xend_t)
init_daemon_domain(xend_t, xend_exec_t)

# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
# for mounting an NFS store
files_mountpoint(xend_var_lib_t)

# log files
type xend_var_log_t;
logging_log_file(xend_var_log_t)

# pid files
type xend_var_run_t;
files_pid_file(xend_var_run_t)

type xenstored_t;
type xenstored_exec_t;
domain_type(xenstored_t)
domain_entry_file(xenstored_t,xenstored_exec_t)
role system_r types xenstored_t;

# var/lib files
type xenstored_var_lib_t;
files_type(xenstored_var_lib_t)

# pid files
type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)

type xenconsoled_t;
type xenconsoled_exec_t;
domain_type(xenconsoled_t)
domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
role system_r types xenconsoled_t;

# pid files
type xenconsoled_var_run_t;
files_pid_file(xenconsoled_var_run_t)

########################################
#
# xend local policy
#

allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
allow xend_t self:process { signal sigkill };
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
allow xend_t self:unix_dgram_socket create_socket_perms;
allow xend_t self:netlink_route_socket r_netlink_socket_perms;
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;

# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
allow xend_t xend_var_run_t:sock_file manage_file_perms;
allow xend_t xend_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })

# log files
allow xend_t xend_var_log_t:file create_file_perms;
allow xend_t xend_var_log_t:sock_file create_file_perms;
allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })

# var/lib files for xend
allow xend_t xend_var_lib_t:file create_file_perms;
allow xend_t xend_var_lib_t:sock_file create_file_perms;
allow xend_t xend_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })

# transition to store
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
allow xenstored_t xend_t:fd use;
allow xenstored_t xend_t:process sigchld;
allow xenstored_t xend_t:fifo_file write;

# transition to console
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
allow xenconsoled_t xend_t:fd use;

kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)

corecmd_exec_sbin(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)

corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)
corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)

dev_read_urand(xend_t)
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)

domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)

files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)

storage_raw_read_fixed_disk(xend_t)

term_dontaudit_getattr_all_user_ptys(xend_t)
term_dontaudit_use_generic_ptys(xend_t)

init_use_fds(xend_t)

libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)

logging_send_syslog_msg(xend_t)

miscfiles_read_localization(xend_t)

sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
sysnet_domtrans_ifconfig(xend_t)
sysnet_dns_name_resolve(xend_t)
sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)

consoletype_exec(xend_t)

xen_stream_connect_xenstore(xend_t)

########################################
#
# Xen console local policy
#

allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file { read write };

allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;

# pid file
allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(xenconsoled_t)
kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)

term_create_pty(xenconsoled_t,xen_devpts_t);
term_dontaudit_use_generic_ptys(xenconsoled_t)

init_use_fds(xenconsoled_t)

libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)

miscfiles_read_localization(xenconsoled_t)

xen_append_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)

########################################
#
# Xen store local policy
#

allow xenstored_t self:capability { dac_override mknod ipc_lock };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;

# pid file
allow xenstored_t xenstored_var_run_t:file manage_file_perms;
allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })

# var/lib files for xenstored
allow xenstored_t xenstored_var_lib_t:file create_file_perms;
allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })

kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)

dev_create_generic_dirs(xenstored_t)
dev_manage_xen(xenconsoled_t)
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)

term_dontaudit_use_generic_ptys(xenstored_t)

init_use_fds(xenstored_t)

libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)

miscfiles_read_localization(xenstored_t)

xen_append_log(xenstored_t)
Commit	Line	Data
a3cf80d8	1
cdc86ee5	2	policy_module(xen,1.0.1)
a3cf80d8 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	# console ptys
	10	type xen_devpts_t;
	11	term_pty(xen_devpts_t);
	12	files_type(xen_devpts_t);
	13
	14	type xend_t;
	15	type xend_exec_t;
	16	domain_type(xend_t)
	17	init_daemon_domain(xend_t, xend_exec_t)
	18
	19	# var/lib files
	20	type xend_var_lib_t;
	21	files_type(xend_var_lib_t)
cdc86ee5 CP	22	# for mounting an NFS store
cdc86ee5 CP	23	files_mountpoint(xend_var_lib_t)
a3cf80d8 CP	24
	25	# log files
	26	type xend_var_log_t;
	27	logging_log_file(xend_var_log_t)
	28
	29	# pid files
	30	type xend_var_run_t;
	31	files_pid_file(xend_var_run_t)
	32
	33	type xenstored_t;
	34	type xenstored_exec_t;
	35	domain_type(xenstored_t)
	36	domain_entry_file(xenstored_t,xenstored_exec_t)
	37	role system_r types xenstored_t;
	38
	39	# var/lib files
	40	type xenstored_var_lib_t;
	41	files_type(xenstored_var_lib_t)
	42
	43	# pid files
	44	type xenstored_var_run_t;
	45	files_pid_file(xenstored_var_run_t)
	46
	47	type xenconsoled_t;
	48	type xenconsoled_exec_t;
	49	domain_type(xenconsoled_t)
	50	domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
	51	role system_r types xenconsoled_t;
	52
	53	# pid files
	54	type xenconsoled_var_run_t;
	55	files_pid_file(xenconsoled_var_run_t)
	56
	57	########################################
	58	#
	59	# xend local policy
	60	#
	61
	62	allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
	63	allow xend_t self:process { signal sigkill };
	64	# internal communication is often done using fifo and unix sockets.
	65	allow xend_t self:fifo_file rw_file_perms;
	66	allow xend_t self:unix_stream_socket create_stream_socket_perms;
	67	allow xend_t self:unix_dgram_socket create_socket_perms;
	68	allow xend_t self:netlink_route_socket r_netlink_socket_perms;
	69	allow xend_t self:tcp_socket create_stream_socket_perms;
	70	allow xend_t self:packet_socket create_socket_perms;
	71
	72	# pid file
	73	allow xend_t xend_var_run_t:file manage_file_perms;
	74	allow xend_t xend_var_run_t:sock_file manage_file_perms;
	75	allow xend_t xend_var_run_t:dir rw_dir_perms;
	76	files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
	77
	78	# log files
	79	allow xend_t xend_var_log_t:file create_file_perms;
	80	allow xend_t xend_var_log_t:sock_file create_file_perms;
	81	allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
	82	logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })
	83
	84	# var/lib files for xend
	85	allow xend_t xend_var_lib_t:file create_file_perms;
	86	allow xend_t xend_var_lib_t:sock_file create_file_perms;
	87	allow xend_t xend_var_lib_t:dir create_dir_perms;
88	files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })
89
90	# transition to store
91	domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
92	allow xenstored_t xend_t:fd use;
93	allow xenstored_t xend_t:process sigchld;
94	allow xenstored_t xend_t:fifo_file write;
95
96	# transition to console
97	domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
98	allow xenconsoled_t xend_t:fd use;
99
100	kernel_read_kernel_sysctls(xend_t)
101	kernel_read_system_state(xend_t)
102	kernel_write_xen_state(xend_t)
103	kernel_read_xen_state(xend_t)
104	kernel_rw_net_sysctls(xend_t)
105	kernel_read_network_state(xend_t)
106
107	corecmd_exec_sbin(xend_t)
108	corecmd_exec_bin(xend_t)
109	corecmd_exec_shell(xend_t)
110
111	corenet_tcp_sendrecv_all_if(xend_t)
112	corenet_tcp_sendrecv_all_nodes(xend_t)
113	corenet_tcp_sendrecv_all_ports(xend_t)
114	corenet_non_ipsec_sendrecv(xend_t)
115	corenet_tcp_bind_xen_port(xend_t)
116	corenet_tcp_bind_soundd_port(xend_t)
117
118	dev_read_urand(xend_t)
119	dev_manage_xen(xend_t)
120	dev_filetrans_xen(xend_t)
121	dev_rw_sysfs(xend_t)
122
123	domain_read_all_domains_state(xend_t)
124	domain_dontaudit_read_all_domains_state(xend_t)
125
126	files_read_etc_files(xend_t)
cdc86ee5	127	files_read_kernel_symbol_table(xend_t)
a3cf80d8 CP	128
	129	storage_raw_read_fixed_disk(xend_t)
	130
	131	term_dontaudit_getattr_all_user_ptys(xend_t)
	132	term_dontaudit_use_generic_ptys(xend_t)
	133
	134	init_use_fds(xend_t)
	135
	136	libs_use_ld_so(xend_t)
	137	libs_use_shared_libs(xend_t)
	138
	139	logging_send_syslog_msg(xend_t)
	140
	141	miscfiles_read_localization(xend_t)
	142
	143	sysnet_domtrans_dhcpc(xend_t)
	144	sysnet_signal_dhcpc(xend_t)
	145	sysnet_domtrans_ifconfig(xend_t)
	146	sysnet_dns_name_resolve(xend_t)
	147	sysnet_delete_dhcpc_pid(xend_t)
	148	sysnet_read_dhcpc_pid(xend_t)
	149
	150	consoletype_exec(xend_t)
	151
	152	xen_stream_connect_xenstore(xend_t)
	153
	154	########################################
	155	#
	156	# Xen console local policy
	157	#
	158
	159	allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
	160	allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
	161	allow xenconsoled_t self:fifo_file { read write };
	162
	163	allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
	164
	165	# pid file
	166	allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
	167	allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
	168	allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
	169	files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })
	170
	171	kernel_read_kernel_sysctls(xenconsoled_t)
	172	kernel_write_xen_state(xenconsoled_t)
	173	kernel_read_xen_state(xenconsoled_t)
	174
	175	term_create_pty(xenconsoled_t,xen_devpts_t);
	176	term_dontaudit_use_generic_ptys(xenconsoled_t)
	177
	178	init_use_fds(xenconsoled_t)
	179
	180	libs_use_ld_so(xenconsoled_t)
	181	libs_use_shared_libs(xenconsoled_t)
	182
	183	miscfiles_read_localization(xenconsoled_t)
	184
	185	xen_append_log(xenconsoled_t)
	186	xen_stream_connect_xenstore(xenconsoled_t)
	187
	188	########################################
	189	#
	190	# Xen store local policy
	191	#
192
193	allow xenstored_t self:capability { dac_override mknod ipc_lock };
194	allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
195
196	# pid file
197	allow xenstored_t xenstored_var_run_t:file manage_file_perms;
198	allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
199	allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
200	files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })
201
202	# var/lib files for xenstored
203	allow xenstored_t xenstored_var_lib_t:file create_file_perms;
204	allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
205	allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
206	files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })
207
208	kernel_write_xen_state(xenstored_t)
209	kernel_read_xen_state(xenstored_t)
210
211	dev_create_generic_dirs(xenstored_t)
212	dev_manage_xen(xenconsoled_t)
213	dev_filetrans_xen(xenstored_t)
cdc86ee5	214	dev_rw_xen(xenstored_t)
a3cf80d8 CP	215
	216	term_dontaudit_use_generic_ptys(xenstored_t)
	217
	218	init_use_fds(xenstored_t)
	219
	220	libs_use_ld_so(xenstored_t)
	221	libs_use_shared_libs(xenstored_t)
	222
	223	miscfiles_read_localization(xenstored_t)
	224
	225	xen_append_log(xenstored_t)