1 ## <summary>Libvirt virtualization API</summary>
3 ########################################
5 ## Creates types and rules for a basic
6 ## qemu process domain.
8 ## <param name="prefix">
10 ## Prefix for the domain.
14 template(`virt_domain_template',`
# Attributes this template depends on. virt_domain groups every guest
# process domain, virt_image_type every per-guest image type and
# virt_tmpfs_type every per-guest tmpfs type. Other interfaces in this file
# grant access on the whole attribute, i.e. across all guests at once, so
# anything added to these attributes widens those interfaces too.
16 attribute virt_image_type, virt_domain;
17 attribute virt_tmpfs_type;
18 attribute virt_ptynode;
# The guest process domain, entered by executing qemu_exec_t.
22 type $1_t, virt_domain;
23 application_domain($1_t, qemu_exec_t)
# MLS/MCS handling: the guest may be started at a range chosen by the
# starter (rangetrans target) and is treated as an MCS-untrusted process.
# The per-guest category separation presumably rests on these lines -
# confirm against the mls/mcs module before changing them.
24 domain_user_exemption_target($1_t)
25 mls_rangetrans_target($1_t)
26 mcs_untrusted_proc($1_t)
# Guest domains live only in system_r.
27 role system_r types $1_t;
# Private pty type for the guest's consoles.
29 type $1_devpts_t, virt_ptynode;
# Private /tmp type for this guest.
33 files_tmp_file($1_tmp_t)
# Private tmpfs type for this guest.
35 type $1_tmpfs_t, virt_tmpfs_type;
36 files_tmpfs_file($1_tmpfs_t)
# Per-guest disk image type. Every rule below pairs $1_t only with its own
# $1_image_t, so type enforcement alone keeps a guest away from images that
# belong to a differently-prefixed guest.
38 type $1_image_t, virt_image_type;
39 files_type($1_image_t)
# NOTE(review): associating a file type with sysfs is unusual - confirm this
# is still needed rather than a leftover.
41 dev_associate_sysfs($1_image_t)
# Name-service (nsswitch) lookups for the guest process.
43 auth_use_nsswitch($1_t)
# Console ptys: read/write plus setattr on the guest's own pty type only.
45 allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
46 term_create_pty($1_t, $1_devpts_t)
# Full access to the guest's own image type, including block and character
# devices carrying that label. Symlinks are read but never created, so the
# guest cannot plant links inside image directories.
48 manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
49 manage_files_pattern($1_t, $1_image_t, $1_image_t)
50 manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
51 read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
52 rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
53 rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
# Files the guest creates on hugetlbfs are labelled with its image type.
54 fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
# Private /tmp: files and directories created under /tmp become $1_tmp_t.
56 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
57 manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
58 manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
59 files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
# Private tmpfs: dirs, files and symlinks created on tmpfs become $1_tmpfs_t.
61 manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
62 manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
63 manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
64 fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
71 ########################################
73 ## Make the specified type usable as a virt image
75 ## <param name="type">
77 ## Type to be used as a virtual image
81 interface(`virt_image',`
# The attribute carried by every per-guest image type.
83 attribute virt_image_type;
# Joining virt_image_type exposes $1 through virt_read_images and
# virt_manage_images (which act on the whole attribute), so only types that
# genuinely hold guest disk images belong here.
86 typeattribute $1 virt_image_type;
89 # virt images can be assigned to blk devices
93 #######################################
95 ## Getattr on virt executable.
97 ## <param name="domain">
99 ## Domain allowed access (getattr only; no transition is granted).
103 interface(`virt_getattr_exec',`
# getattr only: $1 may stat the virtd executable but gains no execute or
# transition permission from this interface.
108 allow $1 virtd_exec_t:file getattr;
111 ########################################
113 ## Execute a domain transition to run virt.
115 ## <param name="domain">
117 ## Domain allowed to transition.
121 interface(`virt_domtrans',`
123 type virtd_t, virtd_exec_t;
# Executing virtd_exec_t moves $1 into virtd_t. Unlike virt_domtrans_qmf
# this does not add bin-directory search; the caller must already be able
# to reach the executable.
126 domtrans_pattern($1, virtd_exec_t, virtd_t)
129 ########################################
131 ## Transition to virt_qmf.
133 ## <param name="domain">
135 ## Domain allowed to transition.
139 interface(`virt_domtrans_qmf',`
141 type virt_qmf_t, virt_qmf_exec_t;
# Search of bin directories is granted here so the caller can reach the
# executable; executing virt_qmf_exec_t then transitions $1 into virt_qmf_t.
144 corecmd_search_bin($1)
145 domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
148 #######################################
150 ## Connect to virt over a unix domain stream socket.
152 ## <param name="domain">
154 ## Domain allowed access.
158 interface(`virt_stream_connect',`
160 type virtd_t, virt_var_run_t;
# Reach the socket under the pid directory and connect to the daemon.
163 files_search_pids($1)
# Policy cannot distinguish what is said over the socket: at the SELinux
# level this is access to the whole libvirt socket API, and any finer
# restriction has to come from libvirt's own authentication/authorization.
164 stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
167 ########################################
169 ## Allow domain to attach to virt TUN devices
171 ## <param name="domain">
173 ## Domain allowed access.
177 interface(`virt_attach_tun_iface',`
# Take over a TUN/TAP socket that virtd_t created: relabel it away from
# virtd_t and onto $1's own label. Afterwards $1, not the daemon, owns the
# socket for that interface.
182 allow $1 virtd_t:tun_socket relabelfrom;
183 allow $1 self:tun_socket relabelto;
186 ########################################
188 ## Read virt config files.
190 ## <param name="domain">
192 ## Domain allowed access.
196 interface(`virt_read_config',`
198 type virt_etc_t, virt_etc_rw_t;
# Read-only on both config types. virt_etc_rw_t is presumably the part of
# the configuration the daemon itself rewrites (hence the separate type);
# symlinks are followed only within virt_etc_rw_t.
202 read_files_pattern($1, virt_etc_t, virt_etc_t)
203 read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
204 read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
207 ########################################
209 ## Manage virt config files.
211 ## <param name="domain">
213 ## Domain allowed access.
217 interface(`virt_manage_config',`
219 type virt_etc_t, virt_etc_rw_t;
# Create/read/write/delete config files of both types, and symlinks only
# under virt_etc_rw_t. No directory management is granted, so $1 cannot
# add or remove config directories themselves.
223 manage_files_pattern($1, virt_etc_t, virt_etc_t)
224 manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
225 manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
228 ########################################
230 ## Allow domain to read virt content files (virt_content_t); no write access.
232 ## <param name="domain">
234 ## Domain allowed access.
238 interface(`virt_read_content',`
# Read-only access to virt_content_t: directories, files, symlinks and
# block devices. Nothing here grants write or create permission.
244 allow $1 virt_content_t:dir list_dir_perms;
# (list_dirs_pattern already covers list_dir_perms on the directory above.)
245 list_dirs_pattern($1, virt_content_t, virt_content_t)
246 read_files_pattern($1, virt_content_t, virt_content_t)
247 read_lnk_files_pattern($1, virt_content_t, virt_content_t)
248 read_blk_files_pattern($1, virt_content_t, virt_content_t)
# Content on network storage: note these booleans are not scoped to virt
# content - they open read access to all NFS / CIFS files and symlinks.
250 tunable_policy(`virt_use_nfs',`
252 fs_read_nfs_files($1)
253 fs_read_nfs_symlinks($1)
256 tunable_policy(`virt_use_samba',`
258 fs_read_cifs_files($1)
259 fs_read_cifs_symlinks($1)
263 ########################################
265 ## Allow domain to write virt image files
267 ## <param name="domain">
269 ## Domain allowed access.
273 interface(`virt_write_content',`
# write_file_perms on existing virt_content_t files only: no create, unlink
# or rename, no directory permission, and no NFS/CIFS boolean counterpart
# to the one virt_read_content carries.
278 allow $1 virt_content_t:file write_file_perms;
281 ########################################
283 ## Read virt PID files.
285 ## <param name="domain">
287 ## Domain allowed access.
291 interface(`virt_read_pid_files',`
# Search the pid directory, then read files of type virt_var_run_t.
296 files_search_pids($1)
297 read_files_pattern($1, virt_var_run_t, virt_var_run_t)
300 ########################################
302 ## Manage virt pid files.
304 ## <param name="domain">
306 ## Domain allowed access.
310 interface(`virt_manage_pid_files',`
# Create/read/write/delete virt_var_run_t files (files only, not the
# directory itself).
315 files_search_pids($1)
316 manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
319 ########################################
321 ## Create objects in the pid directory
322 ## with a private type with a type transition.
324 ## <param name="domain">
326 ## Domain allowed access.
329 ## <param name="file">
331 ## Type to which the created node will be transitioned.
334 ## <param name="class">
336 ## Object class(es) (single or set including {}) for which
337 ## the transition will occur.
## <param name="name" optional="true">
## The name of the object being created (restricts the transition to that name).
341 interface(`virt_pid_filetrans',`
# Objects of class $3 that $1 creates under virt_var_run_t receive type $2;
# the fourth argument, when given, limits the transition to objects with
# that exact name.
346 filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
349 ########################################
351 ## Search virt lib directories.
353 ## <param name="domain">
355 ## Domain allowed access.
359 interface(`virt_search_lib',`
# Search only: enough to traverse virt_var_lib_t, not to list or read it.
364 allow $1 virt_var_lib_t:dir search_dir_perms;
365 files_search_var_lib($1)
368 ########################################
370 ## Read virt lib files.
372 ## <param name="domain">
374 ## Domain allowed access.
378 interface(`virt_read_lib_files',`
# Read files and follow symlinks of type virt_var_lib_t.
383 files_search_var_lib($1)
384 read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
385 read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
388 ########################################
390 ## Do not audit attempts to read inherited virt lib files.
392 ## <param name="domain">
394 ## Domain to not audit.
398 interface(`virt_dontaudit_read_lib_files',`
# Silence denials on descriptors inherited from another domain
# (read_inherited_file_perms); no access is granted.
403 dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
406 ########################################
408 ## Create, read, write, and delete virt lib files.
411 ## <param name="domain">
413 ## Domain allowed access.
417 interface(`virt_manage_lib_files',`
# Manage virt_var_lib_t files; directories and symlinks are not covered.
422 files_search_var_lib($1)
423 manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
426 ########################################
428 ## Allow the specified domain to read virt's log files.
430 ## <param name="domain">
432 ## Domain allowed access.
437 interface(`virt_read_log',`
# Read virt_log_t files after searching the log directory tree.
442 logging_search_logs($1)
443 read_files_pattern($1, virt_log_t, virt_log_t)
446 ########################################
448 ## Allow the specified domain to append to virt's log files.
451 ## <param name="domain">
453 ## Domain allowed access.
457 interface(`virt_append_log',`
# Append only: $1 can add to virt_log_t files but not rewrite or truncate
# existing log content.
462 logging_search_logs($1)
463 append_files_pattern($1, virt_log_t, virt_log_t)
466 ########################################
468 ## Allow domain to manage virt log files
470 ## <param name="domain">
472 ## Domain allowed access.
476 interface(`virt_manage_log',`
# Full management of virt_log_t directories, files and symlinks, which
# includes deleting or rewriting existing logs.
481 manage_dirs_pattern($1, virt_log_t, virt_log_t)
482 manage_files_pattern($1, virt_log_t, virt_log_t)
483 manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
486 ########################################
488 ## Allow domain to read virt image files
490 ## <param name="domain">
492 ## Domain allowed access.
496 interface(`virt_read_images',`
# virt_image_type spans every per-guest image type, so this is read access
# to all guests' images, not one guest's - keep it to management-side
# callers rather than guest domains.
499 attribute virt_image_type;
503 allow $1 virt_image_type:dir list_dir_perms;
# (list_dirs_pattern already covers list_dir_perms on the directory above.)
504 list_dirs_pattern($1, virt_image_type, virt_image_type)
505 read_files_pattern($1, virt_image_type, virt_image_type)
506 read_lnk_files_pattern($1, virt_image_type, virt_image_type)
507 read_blk_files_pattern($1, virt_image_type, virt_image_type)
508 read_chr_files_pattern($1, virt_image_type, virt_image_type)
# Images on network storage: these booleans are not scoped to images and
# open read access to all NFS / CIFS files and symlinks.
510 tunable_policy(`virt_use_nfs',`
512 fs_read_nfs_files($1)
513 fs_read_nfs_symlinks($1)
516 tunable_policy(`virt_use_samba',`
518 fs_read_cifs_files($1)
519 fs_read_cifs_symlinks($1)
523 ########################################
525 ## Allow domain to read virt blk image files
527 ## <param name="domain">
529 ## Domain allowed access.
533 interface(`virt_read_blk_images',`
535 attribute virt_image_type;
# Read block devices labelled with any guest's image type (whole attribute).
538 read_blk_files_pattern($1, virt_image_type, virt_image_type)
541 ########################################
543 ## Create, read, write, and delete
544 ## svirt cache files.
546 ## <param name="domain">
548 ## Domain allowed access.
552 interface(`virt_manage_cache',`
# Full management of virt_cache_t directories, files and symlinks.
558 manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
559 manage_files_pattern($1, virt_cache_t, virt_cache_t)
560 manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
563 ########################################
565 ## Allow domain to manage virt image files
567 ## <param name="domain">
569 ## Domain allowed access.
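573 interface(`virt_manage_images',`
# virt_image_type spans every per-guest image type, so this grants
# management of all guests' images at once; it is meant for libvirtd-class
# callers, never for an individual guest domain.
576 attribute virt_image_type;
580 allow $1 virt_image_type:dir list_dir_perms;
581 manage_dirs_pattern($1, virt_image_type, virt_image_type)
582 manage_files_pattern($1, virt_image_type, virt_image_type)
# Symlinks are read only; block and character devices labelled as images
# are read/write.
583 read_lnk_files_pattern($1, virt_image_type, virt_image_type)
584 rw_blk_files_pattern($1, virt_image_type, virt_image_type)
585 rw_chr_files_pattern($1, virt_image_type, virt_image_type)
# Images on network storage. These booleans are not scoped to images: they
# open management of all NFS / CIFS directories and files to $1.
587 tunable_policy(`virt_use_nfs',`
588 fs_manage_nfs_dirs($1)
589 fs_manage_nfs_files($1)
590 fs_read_nfs_symlinks($1)
593 tunable_policy(`virt_use_samba',`
# Mirrors the NFS branch above (dirs + files + symlinks). The earlier
# version listed fs_manage_cifs_files twice and never granted directory
# management on CIFS, so image directories on Samba shares could not be
# created or removed.
594 fs_manage_cifs_dirs($1)
595 fs_manage_cifs_files($1)
596 fs_read_cifs_symlinks($1)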
600 ########################################
602 ## All of the rules required to administer
603 ## a virt environment.
605 ## <param name="domain">
607 ## Domain allowed access.
610 ## <param name="role">
612 ## Role allowed access.
617 interface(`virt_admin',`
619 type virtd_t, virtd_initrc_exec_t;
620 attribute virt_domain;
# NOTE(review): virt_lxc_t is used below but is not among the types listed
# above - confirm it is declared in this interface's require block.
# Signal and inspect (/proc) the libvirt daemon.
624 allow $1 virtd_t:process signal_perms;
625 ps_process_pattern($1, virtd_t)
# ptrace of virtd_t (normally a root daemon) and of virt_lxc_t amounts to
# full control of those processes; it is withheld while the deny_ptrace
# boolean is on.
626 tunable_policy(`deny_ptrace',`',`
627 allow $1 virtd_t:process ptrace;
628 allow $1 virt_lxc_t:process ptrace;
631 allow $1 virt_lxc_t:process signal_perms;
632 ps_process_pattern($1, virt_lxc_t)
# Run the init script; the role transition keeps the script in system_r.
634 init_labeled_script_domtrans($1, virtd_initrc_exec_t)
635 domain_system_change_exemption($1)
636 role_transition $2 virtd_initrc_exec_t system_r;
# Full control over pid files, lib files and - through virt_image_type -
# every guest's disk image.
639 virt_manage_pid_files($1)
641 virt_manage_lib_files($1)
645 virt_manage_images($1)
# Signals to every guest domain (virt_domain attribute).
647 allow $1 virt_domain:process signal_perms;
650 ########################################
652 ## Execute qemu in the svirt domain, and
653 ## allow the specified role the svirt domain.
655 ## <param name="domain">
657 ## Domain allowed access
660 ## <param name="role">
662 ## The role to be allowed the sandbox domain.
667 interface(`virt_transition_svirt',`
# A bare process transition into svirt_t. This interface ties it to no
# entrypoint executable, so the transition is presumably requested
# explicitly by the caller (setexeccon); the setexec permission the caller
# needs for that is not granted here.
672 allow $1 svirt_t:process transition;
# Let role $2 hold svirt_t, and run pt_chown from svirt_t under that role
# (presumably for pty setup).
673 role $2 types svirt_t;
676 ptchown_run(svirt_t, $2)
680 ########################################
682 ## Do not audit attempts to write virt daemon unnamed pipes.
684 ## <param name="domain">
686 ## Domain to not audit.
690 interface(`virt_dontaudit_write_pipes',`
# Silence, without granting, use of the daemon's inherited descriptors and
# writes to its unnamed pipes.
695 dontaudit $1 virtd_t:fd use;
696 dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
699 ########################################
701 ## Send a sigkill to virtual machines
703 ## <param name="domain">
705 ## Domain allowed access.
709 interface(`virt_kill_svirt',`
711 attribute virt_domain;
# SIGKILL to every domain carrying virt_domain, i.e. every guest.
714 allow $1 virt_domain:process sigkill;
717 ########################################
719 ## Send a signal to virtual machines
721 ## <param name="domain">
723 ## Domain allowed access.
727 interface(`virt_signal_svirt',`
729 attribute virt_domain;
# Generic signals (not sigkill/sigstop) to every domain carrying virt_domain.
732 allow $1 virt_domain:process signal;
735 ########################################
737 ## Manage virt home files.
739 ## <param name="domain">
741 ## Domain allowed access.
745 interface(`virt_manage_home_files',`
# Search user home directories and manage virt_home_t files; directory
# management is not granted.
750 userdom_search_user_home_dirs($1)
751 manage_files_pattern($1, virt_home_t, virt_home_t)
754 ########################################
756 ## Allow domain to read virt tmpfs files.
759 ## <param name="domain">
761 ## Domain allowed access
765 interface(`virt_read_tmpfs_files',`
767 attribute virt_tmpfs_type;
# virt_tmpfs_type spans every guest's private tmpfs type, so this reads
# across all guests - not suitable for a guest domain itself.
770 allow $1 virt_tmpfs_type:file read_file_perms;
773 ########################################
775 ## Allow domain to manage virt tmpfs files.
778 ## <param name="domain">
780 ## Domain allowed access
784 interface(`virt_manage_tmpfs_files',`
786 attribute virt_tmpfs_type;
# Manage files of every guest's private tmpfs type at once (files only, no
# directory or symlink permission); this crosses the per-guest type
# separation and belongs to management-side callers only.
789 allow $1 virt_tmpfs_type:file manage_file_perms;
792 ########################################
794 ## Create the .libvirt and .virtinst directories in the user home directory
795 ## with the correct label.
797 ## <param name="domain">
799 ## Domain allowed access.
803 interface(`virt_filetrans_home_content',`
# Name-based transitions: only directories named exactly ".libvirt" or
# ".virtinst" created in a user home directory become virt_home_t.
808 userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
809 userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
812 ########################################
814 ## Do not audit attempts to read virt_image_type character devices.
816 ## <param name="domain">
818 ## Domain to not audit.
822 interface(`virt_dontaudit_read_chr_dev',`
824 attribute virt_image_type;
# Silence read denials on character devices labelled with any image type;
# no access is granted.
827 dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
830 ########################################
832 ## Creates types and rules for a basic
833 ## virt_lxc process domain.
835 ## <param name="prefix">
837 ## Prefix for the domain.
841 template(`virt_lxc_domain_template',`
843 attribute svirt_lxc_domain;
# The container process domain; svirt_lxc_domain groups all of them and
# the domain's actual access comes from rules attached to that attribute.
846 type $1_t, svirt_lxc_domain;
# Same MLS/MCS treatment as virt_domain_template (rangetrans target,
# MCS-untrusted). Unlike that template, no private tmp/tmpfs/image types
# and no application_domain are declared here.
848 domain_user_exemption_target($1_t)
849 mls_rangetrans_target($1_t)
850 mcs_untrusted_proc($1_t)
851 role system_r types $1_t;
854 ########################################
856 ## Execute qemu_exec_t in the caller's domain (no domain transition).
858 ## <param name="domain">
860 ## Domain allowed access.
864 interface(`virt_exec_qemu',`
# Execute qemu with no domain transition: the emulator then runs with all of
# $1's permissions and none of the per-guest confinement set up by
# virt_domain_template. Only callers already trusted with the guest should
# get this.
869 can_exec($1, qemu_exec_t)