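policy_module(virt, 1.4.0)

########################################
#
# Declarations
#
# Every tunable below defaults to off except virt_use_usb, which is on by
# default; review that one before deploying on hosts whose guests must not
# reach host USB devices.  The <desc> text is what administrators see when
# listing booleans, so it should state what is actually granted.
#

## <desc>
## <p>
## Allow virt to use serial/parallel communication ports
## </p>
## </desc>
gen_tunable(virt_use_comm, false)

## <desc>
## <p>
## Allow virt to read fuse files
## </p>
## </desc>
gen_tunable(virt_use_fusefs, false)

## <desc>
## <p>
## Allow virt to manage nfs files
## </p>
## </desc>
gen_tunable(virt_use_nfs, false)

## <desc>
## <p>
## Allow virt to manage cifs files
## </p>
## </desc>
gen_tunable(virt_use_samba, false)

## <desc>
## <p>
## Allow virt to read and write sysfs, e.g. for PCI device configuration
## (this grants access to sysfs in general, not only to PCI entries)
## </p>
## </desc>
gen_tunable(virt_use_sysfs, false)

## <desc>
## <p>
## Allow virt to use usb devices (also grants manage access to dos/vfat
## filesystems; enabled by default)
## </p>
## </desc>
gen_tunable(virt_use_usb, true)

# Confined guest domain (svirt_t).  The template is expected to also provide
# the svirt_image_t type used in the svirt rules below -- confirm against
# virt.if.  Per-guest separation relies on virtd_t's setexec/setfscreate
# and MCS category rules further down.
virt_domain_template(svirt)
role system_r types svirt_t;

type svirt_cache_t;
files_type(svirt_cache_t)

# Every guest domain; virtd_t may transition to and signal all of them.
attribute virt_domain;
# Every disk-image label virtd_t may write and relabel.
attribute virt_image_type;

# Read-only configuration vs. the subset virtd rewrites at run time.
type virt_etc_t;
files_config_file(virt_etc_t)

type virt_etc_rw_t;
files_type(virt_etc_rw_t)

# virt Image files
type virt_image_t; # customizable
virt_image(virt_image_t)

# virt content files kept in user home directories; guests (svirt_t) only
# read these, virtd_t manages them.
type virt_content_t; # customizable
virt_image(virt_content_t)
userdom_user_home_content(virt_content_t)

type virt_log_t;
logging_log_file(virt_log_t)

type virt_var_run_t;
files_pid_file(virt_var_run_t)

type virt_var_lib_t;
files_type(virt_var_lib_t)

# libvirtd.  The two exemptions lift the constraints that normally stop a
# domain from changing the SELinux identity of processes and objects it
# creates; virtd needs that to start guests with per-guest labels, but it is
# a broad privilege and should stay limited to this daemon.
type virtd_t;
type virtd_exec_t;
init_daemon_domain(virtd_t, virtd_exec_t)
domain_obj_id_change_exemption(virtd_t)
domain_subj_id_change_exemption(virtd_t)

type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)

# Run virtd_t with a range up to systemhigh so it can assign categories
# (MCS) or levels (MLS) to the guests it launches.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
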
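########################################
#
# svirt local policy
#
# svirt_t is the confined guest process.  Note that the corenet rules below
# let a guest bind to and connect to every TCP/UDP port on the host; whether
# that is acceptable depends on host firewalling, not on this policy.
#

allow svirt_t self:udp_socket create_socket_perms;

# Guest cache; created directly under the generic var location.
manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
files_var_filetrans(svirt_t, svirt_cache_t, { file dir })

read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)

# Per-guest image label (svirt_image_t is declared by the template in the
# declarations section).  Hugetlbfs-backed memory is labelled the same way.
allow svirt_t svirt_image_t:dir search_dir_perms;
manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)

# Home-directory content is read-only for guests; write attempts are
# silenced rather than permitted.
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
read_files_pattern(svirt_t, virt_content_t, virt_content_t)
dontaudit svirt_t virt_content_t:file write_file_perms;
dontaudit svirt_t virt_content_t:dir write;

# Unrestricted port usage for the guest process (see header note).
corenet_udp_sendrecv_generic_if(svirt_t)
corenet_udp_sendrecv_generic_node(svirt_t)
corenet_udp_sendrecv_all_ports(svirt_t)
corenet_udp_bind_generic_node(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)

dev_list_sysfs(svirt_t)

# Guests may read the /proc state of every user domain on the host; keep
# this in mind when hosting untrusted guests.
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)

# Unallocated ttys and the printer device (serial/parallel passthrough).
tunable_policy(`virt_use_comm',`
	term_use_unallocated_ttys(svirt_t)
	dev_rw_printer(svirt_t)
')

tunable_policy(`virt_use_fusefs',`
	fs_read_fusefs_files(svirt_t)
	fs_read_fusefs_symlinks(svirt_t)
')

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(svirt_t)
	fs_manage_nfs_files(svirt_t)
')

tunable_policy(`virt_use_samba',`
	fs_manage_cifs_dirs(svirt_t)
	fs_manage_cifs_files(svirt_t)
')

# Read/write access to sysfs as a whole, not only PCI configuration.
tunable_policy(`virt_use_sysfs',`
	dev_rw_sysfs(svirt_t)
')

# Default-on tunable: usbfs plus full manage access to dos/vfat filesystems.
tunable_policy(`virt_use_usb',`
	dev_rw_usbfs(svirt_t)
	fs_manage_dos_dirs(svirt_t)
	fs_manage_dos_files(svirt_t)
')

# Only present when the xen module is loaded.
optional_policy(`
	xen_rw_image_files(svirt_t)
')
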
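########################################
#
# virtd local policy
#
# libvirtd.  This domain is deliberately powerful: it provisions guests,
# storage, networking and firewalling.  The capability set, the fixed-disk
# and etc_t write access, and the optional unconfined_domain block at the
# end all deserve a second look on multi-tenant hosts.
#

# sys_admin, net_admin, sys_ptrace, dac_override, setuid/setgid and mknod
# together amount to near-root on the host.  setexec/setfscreate are what
# let virtd start guests and create their images in a per-guest context.
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };

allow virtd_t self:fifo_file rw_fifo_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
allow virtd_t self:tun_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;

manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)

manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)

# Lifecycle control over every guest domain: start (transition), signal, kill.
allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };

read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)

# Directories virtd creates under its config tree get the writable label.
manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)

# Files and block devices carrying any virt_image_type label can be written
# and relabelled.  Together with storage_relabel_fixed_disk below this is how
# per-guest image labels are applied -- and also a path for relabelling
# arbitrary host disks into a guest-reachable type.
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
allow virtd_t virt_image_type:file { relabelfrom relabelto };
allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };

manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })

manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })

manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })

# Network sysctls are writable (ip_forward etc.) and modules may be
# auto-loaded on request.
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)

corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)

# Accepts unlabeled and NetLabel traffic; listens on the libvirt and VNC
# ports and connects out to VNC and sound daemons.
corenet_all_recvfrom_unlabeled(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t)
corenet_tcp_bind_virt_port(virtd_t)
corenet_tcp_bind_vnc_port(virtd_t)
corenet_tcp_connect_vnc_port(virtd_t)
corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)

dev_rw_sysfs(virtd_t)
dev_read_rand(virtd_t)
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)

# Init script handling
domain_use_interactive_fds(virtd_t)
# With sys_ptrace above this exposes the state of every process on the host.
domain_read_all_domains_state(virtd_t)

files_read_usr_files(virtd_t)
files_read_etc_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
files_read_usr_src_files(virtd_t)
# Write access to generic etc_t files, not just virtd's own virt_etc_rw_t.
files_manage_etc_files(virtd_t)

fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)

# Lets virtd choose the MCS categories of the guests it launches.
mcs_process_set_categories(virtd_t)

# Raw read/write and relabel access to host fixed disks and removable media.
storage_manage_fixed_disk(virtd_t)
storage_relabel_fixed_disk(virtd_t)
storage_raw_write_removable_device(virtd_t)
storage_raw_read_removable_device(virtd_t)

term_getattr_pty_fs(virtd_t)
term_use_generic_ptys(virtd_t)
term_use_ptmx(virtd_t)

auth_use_nsswitch(virtd_t)

miscfiles_read_localization(virtd_t)
miscfiles_read_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)

modutils_read_module_deps(virtd_t)
modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)

logging_send_syslog_msg(virtd_t)

seutil_read_default_contexts(virtd_t)

sysnet_domtrans_ifconfig(virtd_t)
sysnet_read_config(virtd_t)

userdom_getattr_all_users(virtd_t)
userdom_list_user_home_content(virtd_t)
userdom_read_all_users_state(virtd_t)
userdom_read_user_home_content_files(virtd_t)

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(virtd_t)
	fs_manage_nfs_files(virtd_t)
	fs_read_nfs_symlinks(virtd_t)
')

# The samba tunable opens up cifs only; nfs access is governed solely by
# virt_use_nfs above, so no nfs interface belongs in this block.  This also
# matches the svirt_t samba block (dirs + files).
tunable_policy(`virt_use_samba',`
	fs_manage_cifs_dirs(virtd_t)
	fs_manage_cifs_files(virtd_t)
	fs_read_cifs_symlinks(virtd_t)
')

# Helpers are run in their own domains rather than inside virtd_t.
optional_policy(`
	brctl_domtrans(virtd_t)
')

optional_policy(`
	dbus_system_bus_client(virtd_t)

	optional_policy(`
		avahi_dbus_chat(virtd_t)
	')

	optional_policy(`
		consolekit_dbus_chat(virtd_t)
	')

	optional_policy(`
		hal_dbus_chat(virtd_t)
	')
')

optional_policy(`
	dnsmasq_domtrans(virtd_t)
	dnsmasq_signal(virtd_t)
	dnsmasq_kill(virtd_t)
	dnsmasq_read_pid_files(virtd_t)
	dnsmasq_signull(virtd_t)
')

# virtd rewrites host firewall rules and their persisted configuration.
optional_policy(`
	iptables_domtrans(virtd_t)
	iptables_initrc_domtrans(virtd_t)

	# Manages /etc/sysconfig/system-config-firewall
	iptables_manage_config(virtd_t)
')

optional_policy(`
	kerberos_keytab_template(virtd, virtd_t)
')

optional_policy(`
	lvm_domtrans(virtd_t)
')

optional_policy(`
	policykit_dbus_chat(virtd_t)
	policykit_domtrans_auth(virtd_t)
	policykit_domtrans_resolve(virtd_t)
	policykit_read_lib(virtd_t)
')

optional_policy(`
	qemu_domtrans(virtd_t)
	qemu_read_state(virtd_t)
	qemu_signal(virtd_t)
	qemu_kill(virtd_t)
	qemu_setsched(virtd_t)
')

optional_policy(`
	sasl_connect(virtd_t)
')

optional_policy(`
	kernel_read_xen_state(virtd_t)
	kernel_write_xen_state(virtd_t)

	xen_stream_connect(virtd_t)
	xen_stream_connect_xenstore(virtd_t)
	xen_read_image_files(virtd_t)
')

optional_policy(`
	udev_domtrans(virtd_t)
	udev_read_db(virtd_t)
')

# If the unconfined module is loaded, virtd_t becomes an unconfined domain
# and every rule above is effectively moot.  Hosts that rely on libvirtd
# confinement should drop this block (or not load the unconfined module).
optional_policy(`
	unconfined_domain(virtd_t)
')
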
########################################
#
# virtual domains common policy
#
# Rules shared by every type carrying the virt_domain attribute (svirt_t,
# and any other domain the template is instantiated for).
#

# dac_read_search/dac_override bypass DAC checks on host files for the
# guest process; execmem/execstack weaken W^X for it (presumably needed by
# the emulator's JIT -- confirm before tightening).
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
allow virt_domain self:fifo_file rw_file_perms;
allow virt_domain self:shm create_shm_perms;
allow virt_domain self:unix_stream_socket create_stream_socket_perms;
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;

# Guests only append to libvirt's logs and lib files; they never read or
# truncate them.
append_files_pattern(virt_domain, virt_log_t, virt_log_t)

append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)

kernel_read_system_state(virt_domain)

# Guests may run any binary or shell on the host.
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)

# Send/receive on every TCP port, accept unlabeled traffic, bind the VNC
# port and both bind and connect to the migration port.
corenet_all_recvfrom_unlabeled(virt_domain)
corenet_all_recvfrom_netlabel(virt_domain)
corenet_tcp_sendrecv_generic_if(virt_domain)
corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)

# Entropy, sound, and the kvm/ksm/qemu device nodes.
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)

domain_use_interactive_fds(virt_domain)

files_read_etc_files(virt_domain)
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)

fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)

# term_use_all_terms grants use of every terminal on the host, which is far
# broader than the pty/ptmx rules that follow it; worth confirming it is
# still required.
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)

auth_use_nsswitch(virt_domain)

logging_send_syslog_msg(virt_domain)

miscfiles_read_localization(virt_domain)

optional_policy(`
	ptchown_domtrans(virt_domain)
')

# Guests read libvirt's config, lib files and home content, and connect to
# virtd's socket; these interfaces come from this module's own virt.if.
optional_policy(`
	virt_read_config(virt_domain)
	virt_read_lib_files(virt_domain)
	virt_read_content(virt_domain)
	virt_stream_connect(virt_domain)
')