From: Dan Walsh
Date: Thu, 14 Jul 2011 21:09:35 +0000 (-0400)
Subject: Add support for virt_lxc, default to unconfined domains for now
X-Git-Tag: 000~710
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a0a53d298b37480d1a358550e8624c47242628e;p=people%2Fstevee%2Fselinux-policy.git
Add support for virt_lxc, default to unconfined domains for now
---
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
index c808b311..6534e481 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
@@ -173,6 +173,24 @@ interface(`dnsmasq_read_pid_files',`
 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
 ')
+########################################
+##
+## Transition to dnsmasq named content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dnsmasq_filetrans_named_content',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
+')
+
 ########################################
 ##
 ## All of the rules required to administrate
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 9682c441..55b50127 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -13,6 +13,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virt_lxc_exec_t,s0)
+
 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
 /usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
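Review bot: The new `dnsmasq_filetrans_named_content` interface passes `$2` as the parent directory type in `filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")`, yet its header documents only the first parameter (`Domain allowed access.`), so a caller cannot tell from the interface what the second argument must be. Add a second parameter block next to the first, e.g. `## Type of the directory in which the "network" directory is created.`, and consider stating in the summary that the transition covers only a directory named `network`, since `named_content` suggests something broader. In this rendering the summary/param XML tags of the header appear to have been stripped; the committed file should carry them as the neighbouring interfaces do.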
@@ -28,6 +30,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 411edf39..59ba27ca 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -576,11 +576,15 @@ interface(`virt_admin',`
 gen_require(`
 type virtd_t, virtd_initrc_exec_t;
 attribute virt_domain;
+ type virt_lxc_t;
 ')
 allow $1 virtd_t:process { ptrace signal_perms };
 ps_process_pattern($1, virtd_t)
+ allow $1 virt_lxc_t:process { ptrace signal_perms };
+ ps_process_pattern($1, virt_lxc_t)
+
 init_labeled_script_domtrans($1, virtd_initrc_exec_t)
 domain_system_change_exemption($1)
 role_transition $2 virtd_initrc_exec_t system_r;
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 441810b8..14304d1c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -121,6 +121,22 @@ ifdef(`enable_mls',`
 init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
 ')
+########################################
+#
+# Declarations
+#
+
+type virt_lxc_t;
+type virt_lxc_exec_t;
+init_system_domain(virt_lxc_t, virt_lxc_exec_t)
+
+type virt_lxc_var_run_t;
+files_pid_file(virt_lxc_var_run_t)
+
+permissive virt_lxc_t;
+
+permissive virtd_t;
+
 ########################################
 #
 # svirt local policy
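Review bot: `permissive virtd_t;` in the added Declarations block of virt.te turns the existing, already confined libvirtd domain permissive, so from this commit on every denial for virtd_t is only logged and its policy no longer enforces anything; the commit title speaks only of the new virt_lxc domain, which `permissive virt_lxc_t;` already covers. If the extra line is deliberate so that denials on the virtd_t side of the lxc path can be collected, mark it as temporary, e.g. `# TODO: temporary while virt_lxc is developed, remove before release`, and preferably make it a separate change so it can be reverted on its own. The block also introduces a second `# Declarations` header in the middle of the file; the file's existing declarations section (outside this hunk) is presumably the conventional place for the new types.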
@@ -240,6 +256,7 @@ manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -275,6 +292,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
 files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virt_lxc_t)
+
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
@@ -435,6 +457,7 @@ optional_policy(`
 dnsmasq_kill(virtd_t)
 dnsmasq_read_pid_files(virtd_t)
 dnsmasq_signull(virtd_t)
+ dnsmasq_filetrans_named_content(virtd_t, virt_var_run_t);
 ')
 optional_policy(`
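Review bot: `dnsmasq_filetrans_named_content(virtd_t, virt_var_run_t);` in the `@@ -435` hunk carries a trailing semicolon, unlike the sibling `dnsmasq_kill(virtd_t)` and `dnsmasq_signull(virtd_t)` calls in the same `optional_policy` block; interface calls are m4 macros, so the `;` passes straight through into the expanded policy, where it is at best an empty statement and may be rejected by the policy compiler. Drop it: `dnsmasq_filetrans_named_content(virtd_t, virt_var_run_t)`. The enclosing `optional_policy` block begins before this hunk.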
@@ -703,3 +726,50 @@ optional_policy(`
 userdom_search_admin_dir(virsh_ssh_t)
 ')
+
+########################################
+#
+# virt_lxc local policy
+#
+allow virt_lxc_t self:capability { net_admin setpcap chown sys_admin };
+allow virt_lxc_t self:process { setsched getcap setcap };
+allow virt_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
+allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
+
+domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t)
+allow virtd_t virt_lxc_t:process signal;
+
+manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_sock_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+files_pid_filetrans(virt_lxc_t, virt_lxc_var_run_t, { file dir })
+
+kernel_read_network_state(virt_lxc_t)
+kernel_search_network_sysctl(virt_lxc_t)
+
+dev_read_sysfs(virt_lxc_t)
+
+domain_use_interactive_fds(virt_lxc_t)
+
+files_read_etc_files(virt_lxc_t)
+files_mounton_all_mountpoints(virt_lxc_t)
+files_mount_all_file_type_fs(virt_lxc_t)
+files_unmount_all_file_type_fs(virt_lxc_t)
+
+fs_manage_cgroup_dirs(virt_lxc_t)
+fs_rw_cgroup_files(virt_lxc_t)
+
+term_use_generic_ptys(virt_lxc_t)
+term_use_ptmx(virt_lxc_t)
+
+auth_use_nsswitch(virt_lxc_t)
+
+logging_send_syslog_msg(virt_lxc_t)
+
+miscfiles_read_localization(virt_lxc_t)
+
+sysnet_exec_ifconfig(virt_lxc_t)
+
+unconfined_shell_domtrans(virt_lxc_t)
+unconfined_signal(virtd_t)
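Review bot: `unconfined_shell_domtrans(virt_lxc_t)` and `unconfined_signal(virtd_t)` at the end of the new virt_lxc local policy call interfaces of the unconfined module directly, whereas the rest of this file wraps cross-module calls in an `optional_policy` block (the dnsmasq block touched earlier in this commit is an example); if the unconfined module is not built, the policy presumably fails to link, so both calls should be wrapped the same way. `unconfined_signal(virtd_t)` is also a rule for virtd_t and belongs in the virtd section rather than under the `# virt_lxc local policy` header. Beyond layout, with `sys_admin` in the self capabilities, `files_mount_all_file_type_fs`/`files_unmount_all_file_type_fs`, and the container shell transitioning to the unconfined domain, this domain gives the container payload no SELinux separation from the host, which the commit title acknowledges; a comment next to the domtrans such as `# TODO: containers currently run unconfined; a confined container domain is still needed` would keep that visible to later readers.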