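policy_module(xen,1.0.1)

########################################
#
# Declarations
#
# Reference-policy module for the Xen dom0 control plane.  Three
# daemon domains are declared here: xend_t (started by init, see
# init_daemon_domain below), and xenstored_t / xenconsoled_t, both of
# which are entered from xend_t via domain_auto_trans in the xend
# section.  Each domain gets its own pid-file type; xend and xenstored
# also get a var/lib type, and xend a log type.
#

# console ptys
type xen_devpts_t;
term_pty(xen_devpts_t);
files_type(xen_devpts_t);

type xend_t;
type xend_exec_t;
domain_type(xend_t)
# init_daemon_domain supplies the init transition and the system_r role
# for xend_t; the other two domains declare their role explicitly below.
init_daemon_domain(xend_t, xend_exec_t)

# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
# for mounting an NFS store
files_mountpoint(xend_var_lib_t)

# log files
type xend_var_log_t;
logging_log_file(xend_var_log_t)

# pid files
type xend_var_run_t;
files_pid_file(xend_var_run_t)

type xenstored_t;
type xenstored_exec_t;
domain_type(xenstored_t)
domain_entry_file(xenstored_t,xenstored_exec_t)
role system_r types xenstored_t;

# var/lib files
type xenstored_var_lib_t;
files_type(xenstored_var_lib_t)

# pid files
type xenstored_var_run_t;
files_pid_file(xenstored_var_run_t)

type xenconsoled_t;
type xenconsoled_exec_t;
domain_type(xenconsoled_t)
domain_entry_file(xenconsoled_t,xenconsoled_exec_t)
role system_r types xenconsoled_t;

# pid files
type xenconsoled_var_run_t;
files_pid_file(xenconsoled_var_run_t)

########################################
#
# xend local policy
#

allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config };
allow xend_t self:process { signal sigkill };
# internal communication is often done using fifo and unix sockets.
allow xend_t self:fifo_file rw_file_perms;
allow xend_t self:unix_stream_socket create_stream_socket_perms;
allow xend_t self:unix_dgram_socket create_socket_perms;
allow xend_t self:netlink_route_socket r_netlink_socket_perms;
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;

# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
allow xend_t xend_var_run_t:sock_file manage_file_perms;
allow xend_t xend_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })

# log files
allow xend_t xend_var_log_t:file create_file_perms;
allow xend_t xend_var_log_t:sock_file create_file_perms;
allow xend_t xend_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(xend_t,xend_var_log_t,{ sock_file file dir })

# var/lib files for xend
allow xend_t xend_var_lib_t:file create_file_perms;
allow xend_t xend_var_lib_t:sock_file create_file_perms;
allow xend_t xend_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file })

# transition to store
# xend spawns xenstored; the child keeps xend's fds, reports exit via
# sigchld and writes back over an inherited fifo.
domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t)
allow xenstored_t xend_t:fd use;
allow xenstored_t xend_t:process sigchld;
allow xenstored_t xend_t:fifo_file write;

# transition to console
domain_auto_trans(xend_t, xenconsoled_exec_t, xenconsoled_t)
allow xenconsoled_t xend_t:fd use;

kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)

corecmd_exec_sbin(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)

# NOTE(review): sendrecv on all interfaces/nodes/ports is a broad grant for
# a management daemon; narrow it to the ports xend actually uses if the
# deployment allows.  The soundd port bind sits next to the xen port bind,
# presumably because the port numbers overlap -- confirm before removing.
corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)
corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)

dev_read_urand(xend_t)
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)

# The dontaudit directly after the matching allow is a no-op for the
# permissions the allow already covers; presumably it silences extra
# denials the read interface does not grant -- confirm.
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)

files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)

# raw read access to fixed disks: needed for guest disk images, but it
# makes xend_t a high-value domain -- keep its other grants tight.
storage_raw_read_fixed_disk(xend_t)

term_dontaudit_getattr_all_user_ptys(xend_t)
term_dontaudit_use_generic_ptys(xend_t)

init_use_fds(xend_t)

libs_use_ld_so(xend_t)
libs_use_shared_libs(xend_t)

logging_send_syslog_msg(xend_t)

miscfiles_read_localization(xend_t)

sysnet_domtrans_dhcpc(xend_t)
sysnet_signal_dhcpc(xend_t)
sysnet_domtrans_ifconfig(xend_t)
sysnet_dns_name_resolve(xend_t)
sysnet_delete_dhcpc_pid(xend_t)
sysnet_read_dhcpc_pid(xend_t)

consoletype_exec(xend_t)

xen_stream_connect_xenstore(xend_t)

########################################
#
# Xen console local policy
#

allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file { read write };

# guest consoles are ptys of the dedicated xen_devpts_t type declared above
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;

# pid file
allow xenconsoled_t xenconsoled_var_run_t:file manage_file_perms;
allow xenconsoled_t xenconsoled_var_run_t:sock_file manage_file_perms;
allow xenconsoled_t xenconsoled_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xenconsoled_t,xenconsoled_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(xenconsoled_t)
kernel_write_xen_state(xenconsoled_t)
kernel_read_xen_state(xenconsoled_t)

term_create_pty(xenconsoled_t,xen_devpts_t);
term_dontaudit_use_generic_ptys(xenconsoled_t)

init_use_fds(xenconsoled_t)

libs_use_ld_so(xenconsoled_t)
libs_use_shared_libs(xenconsoled_t)

miscfiles_read_localization(xenconsoled_t)

xen_append_log(xenconsoled_t)
xen_stream_connect_xenstore(xenconsoled_t)

########################################
#
# Xen store local policy
#

allow xenstored_t self:capability { dac_override mknod ipc_lock };
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;

# pid file
allow xenstored_t xenstored_var_run_t:file manage_file_perms;
allow xenstored_t xenstored_var_run_t:sock_file manage_file_perms;
allow xenstored_t xenstored_var_run_t:dir rw_dir_perms;
files_pid_filetrans(xenstored_t,xenstored_var_run_t, { file sock_file })

# var/lib files for xenstored
allow xenstored_t xenstored_var_lib_t:file create_file_perms;
allow xenstored_t xenstored_var_lib_t:sock_file create_file_perms;
allow xenstored_t xenstored_var_lib_t:dir create_dir_perms;
files_var_lib_filetrans(xenstored_t,xenstored_var_lib_t,{ file dir sock_file })

kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)

# xenstored creates and uses the xen device nodes (it has mknod and the
# dev_filetrans_xen rule below).  The manage grant in this section was
# previously written against xenconsoled_t, which has no other dev_ rule
# and no mknod; that was a copy-paste slip, so the grant is retargeted
# to xenstored_t and xenconsoled_t no longer receives it.
dev_create_generic_dirs(xenstored_t)
dev_manage_xen(xenstored_t)
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)

term_dontaudit_use_generic_ptys(xenstored_t)

init_use_fds(xenstored_t)

libs_use_ld_so(xenstored_t)
libs_use_shared_libs(xenstored_t)

miscfiles_read_localization(xenstored_t)

xen_append_log(xenstored_t)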