[selinux-policy: 1956/3172] trunk: add qemu and virt from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:54:00 UTC 2010
commit eb4216397cf0bdf0f4d5412d5521c8440ed84b0c
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Jun 16 18:59:07 2008 +0000
trunk: add qemu and virt from dan.
Changelog | 2 +
policy/modules/apps/qemu.fc | 2 +
policy/modules/apps/qemu.if | 217 +++++++++++++++++++++++++++++++++
policy/modules/apps/qemu.te | 49 ++++++++
policy/modules/services/virt.fc | 11 ++
policy/modules/services/virt.if | 256 +++++++++++++++++++++++++++++++++++++++
policy/modules/services/virt.te | 197 ++++++++++++++++++++++++++++++
7 files changed, 734 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 13dbcb9..336e867 100644
--- a/Changelog
+++ b/Changelog
@@ -14,6 +14,8 @@
kerneloops (Dan Walsh)
kismet (Dan Walsh)
prelude (Dan Walsh)
+ qemu (Dan Walsh)
+ virt (Dan Walsh)
* Wed Apr 02 2008 Chris PeBenito <selinux at tresys.com> - 20080402
- Add core Security Enhanced X Windows support.
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
new file mode 100644
index 0000000..18bdc9d
--- /dev/null
+++ b/policy/modules/apps/qemu.fc
@@ -0,0 +1,2 @@
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
new file mode 100644
index 0000000..95cde51
--- /dev/null
+++ b/policy/modules/apps/qemu.if
@@ -0,0 +1,217 @@
+## <summary>QEMU machine emulator and virtualizer</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Execute qemu in the qemu domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the qemu domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the qemu domain to use.
+## </summary>
+## </param>
+#
+interface(`qemu_run',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ qemu_domtrans($1)
+ role $2 types qemu_t;
+ allow qemu_t $3:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the domain to read state files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`qemu_read_state',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ read_files_pattern($1, qemu_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Send a signal to qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_signal',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process signal;
+')
+
+########################################
+## <summary>
+## Send a sigill to qemu
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_kill',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run qemu unconfined.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`qemu_domtrans_unconfined',`
+ gen_require(`
+ type qemu_unconfined_t, qemu_exec_t;
+ ')
+
+ domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
+')
+
+########################################
+## <summary>
+## Creates types and rules for a basic
+## qemu process domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`qemu_domain_template',`
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ type $1_t;
+ domain_type($1_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ ##############################
+ #
+ # Local Policy
+ #
+
+ allow $1_t self:capability { dac_read_search dac_override };
+ allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+ kernel_read_system_state($1_t)
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_all_nodes($1_t)
+ corenet_tcp_bind_vnc_port($1_t)
+ corenet_rw_tun_tap_dev($1_t)
+
+# dev_rw_kvm($1_t)
+
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
+ files_read_var_files($1_t)
+ files_search_all($1_t)
+
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+ fs_rw_tmpfs_files($1_t)
+
+ storage_raw_write_removable_device($1_t)
+ storage_raw_read_removable_device($1_t)
+
+ term_use_ptmx($1_t)
+ term_getattr_pty_fs($1_t)
+ term_use_generic_ptys($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+
+# optional_policy(`
+# samba_domtrans_smb($1_t)
+# ')
+
+ optional_policy(`
+ virt_manage_images($1_t)
+ virt_read_config($1_t)
+ virt_read_lib_files($1_t)
+ ')
+
+ optional_policy(`
+ xserver_stream_connect_xdm_xserver($1_t)
+ xserver_read_xdm_tmp_files($1_t)
+ xserver_read_xdm_pid($1_t)
+# xserver_xdm_rw_shm($1_t)
+ ')
+')
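Review bot: The summary of `qemu_kill` says "Send a sigill to qemu" while the rule it contains grants `sigkill`; it should read `## Send a sigkill to qemu.` so the generated interface documentation matches the permission. In `qemu_domain_template` both comment banners read "Local Policy"; the first one, above the `type $1_t;` and `type $1_tmp_t;` declarations, should be `# Declarations`. `qemu_read_state` is documented as reading state files in /proc, but its only rule is `read_files_pattern($1, qemu_t, qemu_t)`, so unless the caller already searches /proc it probably also needs `kernel_search_proc($1)` — worth confirming before this is used from virtd. The `execstack execmem` grant on `$1_t` in the template weakens W^X for every domain derived from it and deserves a one-line why-comment (presumably for the TCG code generator; confirm) so a later reviewer knows it is intentional rather than copied.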
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
new file mode 100644
index 0000000..d341aab
--- /dev/null
+++ b/policy/modules/apps/qemu.te
@@ -0,0 +1,49 @@
+
+policy_module(qemu, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow qemu to connect fully to the network
+## </p>
+## </desc>
+gen_tunable(qemu_full_network, false)
+
+type qemu_exec_t;
+qemu_domain_template(qemu)
+application_domain(qemu_t, qemu_exec_t)
+role system_r types qemu_t;
+
+########################################
+#
+# qemu local policy
+#
+
+tunable_policy(`qemu_full_network',`
+ allow qemu_t self:udp_socket create_socket_perms;
+
+ corenet_udp_sendrecv_all_if(qemu_t)
+ corenet_udp_sendrecv_all_nodes(qemu_t)
+ corenet_udp_sendrecv_all_ports(qemu_t)
+ corenet_udp_bind_all_nodes(qemu_t)
+ corenet_udp_bind_all_ports(qemu_t)
+ corenet_tcp_bind_all_ports(qemu_t)
+ corenet_tcp_connect_all_ports(qemu_t)
+')
+
+########################################
+#
+# qemu_unconfined local policy
+#
+
+optional_policy(`
+ type qemu_unconfined_t;
+ domain_type(qemu_unconfined_t)
+ unconfined_domain_noaudit(qemu_unconfined_t)
+
+ allow qemu_unconfined_t self:process { execstack execmem };
+')
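Review bot: `qemu_unconfined_t` is declared without any role, whereas `qemu_t` gets `role system_r types qemu_t;` right after its declaration, so a transition through `qemu_domtrans_unconfined` from a system_r domain would fail the role check unless the unconfined module assigns a role elsewhere; adding `role system_r types qemu_unconfined_t;` inside the optional block is the matching fix. The explicit `allow qemu_unconfined_t self:process { execstack execmem };` looks redundant next to `unconfined_domain_noaudit`; if it is there because the unconfined attribute deliberately excludes those two permissions, a comment such as `# not covered by unconfined_domain_noaudit` would stop it being removed as dead policy. Since the type only exists when this optional block is built, `qemu_domtrans_unconfined` in qemu.if can only be called from inside an `optional_policy` block, which is worth stating in that interface's summary.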
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
new file mode 100644
index 0000000..b30e11b
--- /dev/null
+++ b/policy/modules/services/virt.fc
@@ -0,0 +1,11 @@
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+
+/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
new file mode 100644
index 0000000..efc0fb6
--- /dev/null
+++ b/policy/modules/services/virt.if
@@ -0,0 +1,256 @@
+## <summary>Libvirt virtualization API</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run virt.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_domtrans',`
+ gen_require(`
+ type virtd_t, virtd_exec_t;
+ ')
+
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
+')
+
+########################################
+## <summary>
+## Read virt config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_config',`
+ gen_require(`
+ type virt_etc_t;
+ type virt_etc_rw_t;
+ ')
+
+ files_search_etc($1)
+ read_files_pattern($1, virt_etc_t, virt_etc_t)
+ read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
+')
+
+########################################
+## <summary>
+## Read virt PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_pid_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 virt_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Manage virt pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_pids_files',`
+ gen_require(`
+ type virt_var_run_t;
+ ')
+
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+')
+
+########################################
+## <summary>
+## Search virt lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_search_lib',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ allow $1 virt_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_read_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## virt lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read virt's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_read_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## virt log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`virt_append_log',`
+ gen_require(`
+ type var_log_t, virt_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_manage_log',`
+ gen_require(`
+ type virt_log_t;
+ ')
+
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
+ manage_files_pattern($1, virt_log_t, virt_log_t)
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`virt_manage_images',`
+ gen_require(`
+ type virt_image_t, virt_var_lib_t;
+ ')
+
+ virt_search_lib($1)
+ allow $1 virt_image_t:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
+ manage_files_pattern($1, virt_image_t, virt_image_t)
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_read_nfs_symlinks($1)
+ ')
+
+ tunable_policy(`virt_use_samba',`
+ fs_manage_nfs_files($1)
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an virt environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`virt_admin',`
+ gen_require(`
+ type virtd_t;
+ ')
+
+ allow $1 virtd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, virtd_t)
+
+ virt_manage_pid_files($1)
+
+ virt_manage_lib_files($1)
+
+ virt_manage_log($1)
+')
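Review bot: `virt_admin` calls `virt_manage_pid_files($1)`, but the interface defined earlier in this file is `virt_manage_pids_files`, so any module that uses `virt_admin` will fail to build on an undefined macro; rename one of them (the singular `pid` form is what other modules use, as far as I recall). In `virt_manage_images` the `virt_use_samba` block grants `fs_manage_nfs_files($1)` instead of `fs_manage_cifs_dirs($1)`, a copy-paste from the nfs block above it; the same slip is in the `virt_use_samba` block of virt.te. `virt_append_log` requires `var_log_t`, which it never uses and which belongs to another module, so the require should be just `type virt_log_t;`. The parameter summaries of `virt_append_log` ("Domain allowed to transition.") and of `virt_manage_log` and `virt_manage_images` ("Domain to not audit.") are copied from unrelated interfaces and should read `Domain allowed access.`.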
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
new file mode 100644
index 0000000..1754a3a
--- /dev/null
+++ b/policy/modules/services/virt.te
@@ -0,0 +1,197 @@
+
+policy_module(virt, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow virt to manage nfs files
+## </p>
+## </desc>
+gen_tunable(virt_use_nfs, false)
+
+## <desc>
+## <p>
+## Allow virt to manage cifs files
+## </p>
+## </desc>
+gen_tunable(virt_use_samba, false)
+
+type virt_etc_t;
+files_config_file(virt_etc_t)
+
+type virt_etc_rw_t;
+files_type(virt_etc_rw_t)
+
+# virt Image files
+type virt_image_t; # customizable
+files_type(virt_image_t)
+# virt_image_t can be assigned to blk devices
+dev_node(virt_image_t)
+
+type virt_log_t;
+logging_log_file(virt_log_t)
+
+type virt_var_run_t;
+files_pid_file(virt_var_run_t)
+
+type virt_var_lib_t;
+files_type(virt_var_lib_t)
+
+type virtd_t;
+type virtd_exec_t;
+init_daemon_domain(virtd_t, virtd_exec_t)
+
+########################################
+#
+# virtd local policy
+#
+
+allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
+allow virtd_t self:process { sigkill signal execmem };
+allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
+allow virtd_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
+
+manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+
+manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
+logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
+
+manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+
+kernel_read_system_state(virtd_t)
+kernel_read_network_state(virtd_t)
+kernel_rw_net_sysctls(virtd_t)
+kernel_load_module(virtd_t)
+
+corecmd_exec_bin(virtd_t)
+corecmd_exec_shell(virtd_t)
+
+corenet_all_recvfrom_unlabeled(virtd_t)
+corenet_all_recvfrom_netlabel(virtd_t)
+corenet_tcp_sendrecv_all_if(virtd_t)
+corenet_tcp_sendrecv_all_nodes(virtd_t)
+corenet_tcp_sendrecv_all_ports(virtd_t)
+corenet_tcp_bind_all_nodes(virtd_t)
+#corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_vnc_port(virtd_t)
+corenet_tcp_connect_vnc_port(virtd_t)
+corenet_tcp_connect_soundd_port(virtd_t)
+corenet_rw_tun_tap_dev(virtd_t)
+
+dev_read_sysfs(virtd_t)
+dev_read_rand(virtd_t)
+
+# Init script handling
+domain_use_interactive_fds(virtd_t)
+
+files_read_usr_files(virtd_t)
+files_read_etc_files(virtd_t)
+files_read_etc_runtime_files(virtd_t)
+files_search_all(virtd_t)
+
+fs_list_auto_mountpoints(virtd_t)
+
+storage_raw_write_removable_device(virtd_t)
+storage_raw_read_removable_device(virtd_t)
+
+term_getattr_pty_fs(virtd_t)
+term_use_ptmx(virtd_t)
+
+auth_use_nsswitch(virtd_t)
+
+libs_use_ld_so(virtd_t)
+libs_use_shared_libs(virtd_t)
+
+miscfiles_read_localization(virtd_t)
+miscfiles_read_certs(virtd_t)
+
+logging_send_syslog_msg(virtd_t)
+
+userdom_read_all_users_state(virtd_t)
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(virtd_t)
+ fs_manage_nfs_files(virtd_t)
+ fs_read_nfs_symlinks(virtd_t)
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_nfs_files(virtd_t)
+ fs_manage_cifs_files(virtd_t)
+ fs_read_cifs_symlinks(virtd_t)
+')
+
+optional_policy(`
+ brctl_domtrans(virtd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client_template(virtd, virtd_t)
+
+ optional_policy(`
+ avahi_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ consolekit_dbus_chat(virtd_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(virtd_t)
+ ')
+')
+
+#optional_policy(`
+# dnsmasq_domtrans(virtd_t)
+# dnsmasq_signal(virtd_t)
+# dnsmasq_sigkill(virtd_t)
+#')
+
+optional_policy(`
+ iptables_domtrans(virtd_t)
+')
+
+#optional_policy(`
+# polkit_domtrans_auth(virtd_t)
+# polkit_domtrans_resolve(virtd_t)
+#')
+
+optional_policy(`
+ qemu_domtrans(virtd_t)
+ qemu_read_state(virtd_t)
+ qemu_signal(virtd_t)
+ qemu_kill(virtd_t)
+')
+
+optional_policy(`
+ sasl_connect(virtd_t)
+')
+
+optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+')
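Review bot: `virt_image_t` is declared with `dev_node(virt_image_t)` and the comment "can be assigned to blk devices", yet `virtd_t` only receives `manage_files_pattern(virtd_t, virt_image_t, virt_image_t)` and no `blk_file` permission, so an image on a block device labelled this way is unusable; either add `allow virtd_t virt_image_t:blk_file rw_blk_file_perms;` (and a matching rule in `virt_manage_images`) or drop the `dev_node` declaration until it is needed. That pattern also yields only `rw_dir_perms` on `virt_image_t` directories, while the fc file labels the whole `/var/lib/libvirt/images(/.*)?` tree, so `virtd_t` can manage files there but cannot create or remove subdirectories; `manage_dirs_pattern(virtd_t, virt_image_t, virt_image_t)` would match how the other virt types in this file are handled. `kernel_load_module(virtd_t)` and `userdom_read_all_users_state(virtd_t)` are broad privileges for a daemon that binds network sockets and each deserves a one-line why-comment naming the feature that needs it (tun/tap or bridge setup, presumably; confirm), otherwise they are unlikely to survive a later tightening pass.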