1 |
commit: 8ae62ddf1a01ef783ef5e8f8b26af07e928a1dc6 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Thu Nov 1 16:51:07 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Fri Nov 2 19:08:08 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ae62ddf |
7 |
|
8 |
Changes to the xen policy module and relevant dependencies |
9 |
|
10 |
Ported from Fedora with changes |
11 |
|
12 |
Drop the separate qemu-dm domain; run qemu-dm in xend_t instead |
13 |
|
14 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
15 |
|
16 |
--- |
17 |
policy/modules/contrib/ptchown.if | 19 +++ |
18 |
policy/modules/contrib/ptchown.te | 2 +- |
19 |
policy/modules/contrib/virt.if | 19 +++ |
20 |
policy/modules/contrib/virt.te | 2 +- |
21 |
policy/modules/contrib/xen.fc | 23 ++-- |
22 |
policy/modules/contrib/xen.if | 41 +++--- |
23 |
policy/modules/contrib/xen.te | 322 ++++++++++++++++++++----------------- |
24 |
7 files changed, 247 insertions(+), 181 deletions(-) |
25 |
|
26 |
diff --git a/policy/modules/contrib/ptchown.if b/policy/modules/contrib/ptchown.if |
27 |
index 8e24623..97a1e7b 100644 |
28 |
--- a/policy/modules/contrib/ptchown.if |
29 |
+++ b/policy/modules/contrib/ptchown.if |
30 |
@@ -19,6 +19,25 @@ interface(`ptchown_domtrans',` |
31 |
domtrans_pattern($1, ptchown_exec_t, ptchown_t) |
32 |
') |
33 |
|
34 |
+####################################### |
35 |
+## <summary> |
36 |
+## Execute ptchown in the caller domain. |
37 |
+## </summary> |
38 |
+## <param name="domain"> |
39 |
+## <summary> |
40 |
+## Domain allowed access. |
41 |
+## </summary> |
42 |
+## </param> |
43 |
+# |
44 |
+interface(`ptchown_exec',` |
45 |
+ gen_require(` |
46 |
+ type ptchown_exec_t; |
47 |
+ ') |
48 |
+ |
49 |
+ corecmd_search_bin($1) |
50 |
+ can_exec($1, ptchown_exec_t) |
51 |
+') |
52 |
+ |
53 |
######################################## |
54 |
## <summary> |
55 |
## Execute ptchown in the ptchown |
56 |
|
57 |
diff --git a/policy/modules/contrib/ptchown.te b/policy/modules/contrib/ptchown.te |
58 |
index c7e3187..d67905e 100644 |
59 |
--- a/policy/modules/contrib/ptchown.te |
60 |
+++ b/policy/modules/contrib/ptchown.te |
61 |
@@ -1,4 +1,4 @@ |
62 |
-policy_module(ptchown, 1.1.1) |
63 |
+policy_module(ptchown, 1.1.2) |
64 |
|
65 |
######################################## |
66 |
# |
67 |
|
68 |
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if |
69 |
index e1c17d0..2b69064 100644 |
70 |
--- a/policy/modules/contrib/virt.if |
71 |
+++ b/policy/modules/contrib/virt.if |
72 |
@@ -963,6 +963,25 @@ interface(`virt_manage_log',` |
73 |
|
74 |
######################################## |
75 |
## <summary> |
76 |
+## Search virt image directories. |
77 |
+## </summary> |
78 |
+## <param name="domain"> |
79 |
+## <summary> |
80 |
+## Domain allowed access. |
81 |
+## </summary> |
82 |
+## </param> |
83 |
+# |
84 |
+interface(`virt_search_images',` |
85 |
+ gen_require(` |
86 |
+ attribute virt_image_type; |
87 |
+ ') |
88 |
+ |
89 |
+ virt_search_lib($1) |
90 |
+ allow $1 virt_image_type:dir search_dir_perms; |
91 |
+') |
92 |
+ |
93 |
+######################################## |
94 |
+## <summary> |
95 |
## Read virt image files. |
96 |
## </summary> |
97 |
## <param name="domain"> |
98 |
|
99 |
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te |
100 |
index 8760ef5..99b68a3 100644 |
101 |
--- a/policy/modules/contrib/virt.te |
102 |
+++ b/policy/modules/contrib/virt.te |
103 |
@@ -1,4 +1,4 @@ |
104 |
-policy_module(virt, 1.6.1) |
105 |
+policy_module(virt, 1.6.2) |
106 |
|
107 |
######################################## |
108 |
# |
109 |
|
110 |
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc |
111 |
index 0bd5f6b..42d83b0 100644 |
112 |
--- a/policy/modules/contrib/xen.fc |
113 |
+++ b/policy/modules/contrib/xen.fc |
114 |
@@ -1,33 +1,30 @@ |
115 |
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) |
116 |
|
117 |
-/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) |
118 |
-/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) |
119 |
-/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) |
120 |
- |
121 |
-/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) |
122 |
- |
123 |
-ifdef(`distro_debian',` |
124 |
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) |
125 |
/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) |
126 |
/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) |
127 |
+/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) |
128 |
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) |
129 |
-',` |
130 |
+ |
131 |
+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) |
132 |
+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) |
133 |
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) |
134 |
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) |
135 |
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) |
136 |
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) |
137 |
+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) |
138 |
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) |
139 |
-') |
140 |
|
141 |
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) |
142 |
/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) |
143 |
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) |
144 |
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) |
145 |
|
146 |
-/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) |
147 |
+/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) |
148 |
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) |
149 |
-/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) |
150 |
-/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) |
151 |
-/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) |
152 |
+/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
153 |
+/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
154 |
+/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
155 |
|
156 |
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) |
157 |
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) |
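Review bot: Labeling `xl` as `xm_exec_t` puts the libxl toolstack into a domain written for the Python xm client, and xl does not talk to xend but drives the hypervisor itself; the xm_t rules in this commit carry `kernel_read_xen_state`/`kernel_write_xen_state`, but no `dev_rw_xen(xm_t)` is visible in the hunks shown, so confirm xl works in enforcing mode before relying on the new label. A one-line comment beside the two new entries would help the next reader: `# xl (libxl toolstack) shares the xm_t domain with xm`. Separately, the old `/usr/lib/xen/bin/qemu-dm` entry is dropped with no replacement, so qemu-dm now inherits whatever its directory is labeled; that only matches the "run it in xend_t" intent if xend_t may execute that label, which this diff does not show.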
158 |
|
159 |
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if |
160 |
index e7e99d3..f93558c 100644 |
161 |
--- a/policy/modules/contrib/xen.if |
162 |
+++ b/policy/modules/contrib/xen.if |
163 |
@@ -1,13 +1,13 @@ |
164 |
-## <summary>Xen hypervisor</summary> |
165 |
+## <summary>Xen hypervisor.</summary> |
166 |
|
167 |
######################################## |
168 |
## <summary> |
169 |
## Execute a domain transition to run xend. |
170 |
## </summary> |
171 |
## <param name="domain"> |
172 |
-## <summary> |
173 |
+## <summary> |
174 |
## Domain allowed to transition. |
175 |
-## </summary> |
176 |
+## </summary> |
177 |
## </param> |
178 |
# |
179 |
interface(`xen_domtrans',` |
180 |
@@ -15,6 +15,7 @@ interface(`xen_domtrans',` |
181 |
type xend_t, xend_exec_t; |
182 |
') |
183 |
|
184 |
+ corecmd_search_bin($1) |
185 |
domtrans_pattern($1, xend_exec_t, xend_t) |
186 |
') |
187 |
|
188 |
@@ -99,9 +100,9 @@ interface(`xen_manage_image_dirs',` |
189 |
## Read xend image files. |
190 |
## </summary> |
191 |
## <param name="domain"> |
192 |
-## <summary> |
193 |
+## <summary> |
194 |
## Domain allowed access. |
195 |
-## </summary> |
196 |
+## </summary> |
197 |
## </param> |
198 |
# |
199 |
interface(`xen_read_image_files',` |
200 |
@@ -110,20 +111,18 @@ interface(`xen_read_image_files',` |
201 |
') |
202 |
|
203 |
files_list_var_lib($1) |
204 |
- |
205 |
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) |
206 |
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) |
207 |
') |
208 |
|
209 |
######################################## |
210 |
## <summary> |
211 |
-## Allow the specified domain to read/write |
212 |
-## xend image files. |
213 |
+## Read and write xend image files. |
214 |
## </summary> |
215 |
## <param name="domain"> |
216 |
-## <summary> |
217 |
+## <summary> |
218 |
## Domain allowed access. |
219 |
-## </summary> |
220 |
+## </summary> |
221 |
## </param> |
222 |
# |
223 |
interface(`xen_rw_image_files',` |
224 |
@@ -138,8 +137,7 @@ interface(`xen_rw_image_files',` |
225 |
|
226 |
######################################## |
227 |
## <summary> |
228 |
-## Allow the specified domain to append |
229 |
-## xend log files. |
230 |
+## Append xend log files. |
231 |
## </summary> |
232 |
## <param name="domain"> |
233 |
## <summary> |
234 |
@@ -159,13 +157,13 @@ interface(`xen_append_log',` |
235 |
|
236 |
######################################## |
237 |
## <summary> |
238 |
-## Create, read, write, and delete the |
239 |
+## Create, read, write, and delete |
240 |
## xend log files. |
241 |
## </summary> |
242 |
## <param name="domain"> |
243 |
-## <summary> |
244 |
+## <summary> |
245 |
## Domain allowed access. |
246 |
-## </summary> |
247 |
+## </summary> |
248 |
## </param> |
249 |
# |
250 |
interface(`xen_manage_log',` |
251 |
@@ -200,8 +198,7 @@ interface(`xen_read_xenstored_pid_files',` |
252 |
######################################## |
253 |
## <summary> |
254 |
## Do not audit attempts to read and write |
255 |
-## Xen unix domain stream sockets. These |
256 |
-## are leaked file descriptors. |
257 |
+## Xen unix domain stream sockets. |
258 |
## </summary> |
259 |
## <param name="domain"> |
260 |
## <summary> |
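Review bot: Dropping "These are leaked file descriptors." from the summary removes the only explanation of why this interface is a dontaudit rather than an allow; the rule still silences real denials, so a reader needs to know they are expected inherited descriptors, not a missing permission. Suggest keeping the sentence: `## Xen unix domain stream sockets. These` / `## are leaked file descriptors.`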
261 |
@@ -219,7 +216,8 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` |
262 |
|
263 |
######################################## |
264 |
## <summary> |
265 |
-## Connect to xenstored over an unix stream socket. |
266 |
+## Connect to xenstored with a unix |
267 |
+## domain stream socket. |
268 |
## </summary> |
269 |
## <param name="domain"> |
270 |
## <summary> |
271 |
@@ -238,7 +236,8 @@ interface(`xen_stream_connect_xenstore',` |
272 |
|
273 |
######################################## |
274 |
## <summary> |
275 |
-## Connect to xend over an unix domain stream socket. |
276 |
+## Connect to xend with a unix |
277 |
+## domain stream socket. |
278 |
## </summary> |
279 |
## <param name="domain"> |
280 |
## <summary> |
281 |
@@ -273,12 +272,14 @@ interface(`xen_domtrans_xm',` |
282 |
type xm_t, xm_exec_t; |
283 |
') |
284 |
|
285 |
+ corecmd_search_bin($1) |
286 |
domtrans_pattern($1, xm_exec_t, xm_t) |
287 |
') |
288 |
|
289 |
######################################## |
290 |
## <summary> |
291 |
-## Connect to xm over an unix stream socket. |
292 |
+## Connect to xm with a unix |
293 |
+## domain stream socket. |
294 |
## </summary> |
295 |
## <param name="domain"> |
296 |
## <summary> |
297 |
|
298 |
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te |
299 |
index 279a214..8b278c2 100644 |
300 |
--- a/policy/modules/contrib/xen.te |
301 |
+++ b/policy/modules/contrib/xen.te |
302 |
@@ -1,4 +1,4 @@ |
303 |
-policy_module(xen, 1.12.2) |
304 |
+policy_module(xen, 1.12.3) |
305 |
|
306 |
######################################## |
307 |
# |
308 |
@@ -6,28 +6,37 @@ policy_module(xen, 1.12.2) |
309 |
# |
310 |
|
311 |
## <desc> |
312 |
-## <p> |
313 |
-## Allow xend to run blktapctrl/tapdisk. |
314 |
-## Not required if using dedicated logical volumes for disk images. |
315 |
+## <p> |
316 |
+## Determine whether xend can |
317 |
+## run blktapctrl and tapdisk. |
318 |
## </p> |
319 |
## </desc> |
320 |
gen_tunable(xend_run_blktap, false) |
321 |
|
322 |
## <desc> |
323 |
-## <p> |
324 |
-## Allow xend to run qemu-dm. |
325 |
-## Not required if using paravirt and no vfb. |
326 |
-## </p> |
327 |
+## <p> |
328 |
+## Determine whether xen can |
329 |
+## use fusefs file systems. |
330 |
+## </p> |
331 |
## </desc> |
332 |
-gen_tunable(xend_run_qemu, false) |
333 |
+gen_tunable(xen_use_fusefs, false) |
334 |
|
335 |
## <desc> |
336 |
-## <p> |
337 |
-## Allow xen to manage nfs files |
338 |
-## </p> |
339 |
+## <p> |
340 |
+## Determine whether xen can |
341 |
+## use nfs file systems. |
342 |
+## </p> |
343 |
## </desc> |
344 |
gen_tunable(xen_use_nfs, false) |
345 |
|
346 |
+## <desc> |
347 |
+## <p> |
348 |
+## Determine whether xen can |
349 |
+## use samba file systems. |
350 |
+## </p> |
351 |
+## </desc> |
352 |
+gen_tunable(xen_use_samba, false) |
353 |
+ |
354 |
type blktap_t; |
355 |
type blktap_exec_t; |
356 |
domain_type(blktap_t) |
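Review bot: The rewritten `<desc>` texts no longer tell an administrator when each boolean is needed; the removed wording ("Not required if using dedicated logical volumes for disk images") was the actionable part. Suggest `## Determine whether xend can run blktapctrl and tapdisk` / `## (needed for file-backed images, not LVM-backed ones).` and an equivalent one-line hint for `xen_use_fusefs`, `xen_use_nfs` and `xen_use_samba`. Removing the `xend_run_qemu` tunable also means any persisted setting for it (`setsebool -P` state) will fail to apply after upgrade; that deserves a line in the commit message so admins are not surprised.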
357 |
@@ -41,54 +50,41 @@ type evtchnd_t; |
358 |
type evtchnd_exec_t; |
359 |
init_daemon_domain(evtchnd_t, evtchnd_exec_t) |
360 |
|
361 |
-# log files |
362 |
type evtchnd_var_log_t; |
363 |
logging_log_file(evtchnd_var_log_t) |
364 |
|
365 |
-# pid files |
366 |
type evtchnd_var_run_t; |
367 |
files_pid_file(evtchnd_var_run_t) |
368 |
|
369 |
-type qemu_dm_t; |
370 |
-type qemu_dm_exec_t; |
371 |
-domain_type(qemu_dm_t) |
372 |
-domain_entry_file(qemu_dm_t, qemu_dm_exec_t) |
373 |
-role system_r types qemu_dm_t; |
374 |
- |
375 |
-# console ptys |
376 |
type xen_devpts_t; |
377 |
term_pty(xen_devpts_t) |
378 |
files_type(xen_devpts_t) |
379 |
|
380 |
-# Xen Image files |
381 |
type xen_image_t; # customizable |
382 |
files_type(xen_image_t) |
383 |
-# xen_image_t can be assigned to blk devices |
384 |
dev_node(xen_image_t) |
385 |
|
386 |
+optional_policy(` |
387 |
+ virt_image(xen_image_t) |
388 |
+') |
389 |
+ |
390 |
type xenctl_t; |
391 |
files_type(xenctl_t) |
392 |
|
393 |
type xend_t; |
394 |
type xend_exec_t; |
395 |
-domain_type(xend_t) |
396 |
init_daemon_domain(xend_t, xend_exec_t) |
397 |
|
398 |
-# tmp files |
399 |
type xend_tmp_t; |
400 |
files_tmp_file(xend_tmp_t) |
401 |
|
402 |
-# var/lib files |
403 |
type xend_var_lib_t; |
404 |
files_type(xend_var_lib_t) |
405 |
-# for mounting an NFS store |
406 |
files_mountpoint(xend_var_lib_t) |
407 |
|
408 |
-# log files |
409 |
type xend_var_log_t; |
410 |
logging_log_file(xend_var_log_t) |
411 |
|
412 |
-# pid files |
413 |
type xend_var_run_t; |
414 |
files_pid_file(xend_var_run_t) |
415 |
files_mountpoint(xend_var_run_t) |
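Review bot: `virt_image(xen_image_t)` attaches the `virt_image_type` attribute, so every domain granted a `virt_*_images` interface (including the new `virt_search_images`) can now reach Xen disk images, not only xend and xm; that widening is probably intended but is invisible from the type declaration alone. Suggest a comment above the optional block: `# xen images are also virt images: reachable through the virt_*_images interfaces`. The deleted `# xen_image_t can be assigned to blk devices` line was the only explanation of `dev_node(xen_image_t)`; keep it, since a `dev_node` on a files_type is otherwise surprising.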
416 |
@@ -100,16 +96,13 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) |
417 |
type xenstored_tmp_t; |
418 |
files_tmp_file(xenstored_tmp_t) |
419 |
|
420 |
-# var/lib files |
421 |
type xenstored_var_lib_t; |
422 |
files_type(xenstored_var_lib_t) |
423 |
files_mountpoint(xenstored_var_lib_t) |
424 |
|
425 |
-# log files |
426 |
type xenstored_var_log_t; |
427 |
logging_log_file(xenstored_var_log_t) |
428 |
|
429 |
-# pid files |
430 |
type xenstored_var_run_t; |
431 |
files_pid_file(xenstored_var_run_t) |
432 |
|
433 |
@@ -117,22 +110,19 @@ type xenconsoled_t; |
434 |
type xenconsoled_exec_t; |
435 |
init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) |
436 |
|
437 |
-# pid files |
438 |
type xenconsoled_var_run_t; |
439 |
files_pid_file(xenconsoled_var_run_t) |
440 |
|
441 |
type xm_t; |
442 |
type xm_exec_t; |
443 |
-domain_type(xm_t) |
444 |
init_system_domain(xm_t, xm_exec_t) |
445 |
|
446 |
######################################## |
447 |
# |
448 |
# blktap local policy |
449 |
# |
450 |
-# Do we need to allow execution of blktap? |
451 |
+ |
452 |
tunable_policy(`xend_run_blktap',` |
453 |
- # If yes, transition to its own domain. |
454 |
domtrans_pattern(xend_t, blktap_exec_t, blktap_t) |
455 |
|
456 |
allow blktap_t self:fifo_file { read write }; |
457 |
@@ -148,7 +138,6 @@ tunable_policy(`xend_run_blktap',` |
458 |
|
459 |
xen_stream_connect_xenstore(blktap_t) |
460 |
',` |
461 |
- # If no, then silently refuse to run it. |
462 |
dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; |
463 |
') |
464 |
|
465 |
@@ -158,7 +147,9 @@ tunable_policy(`xend_run_blktap',` |
466 |
# |
467 |
|
468 |
manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
469 |
-manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
470 |
+append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
471 |
+create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
472 |
+setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
473 |
logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) |
474 |
|
475 |
manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) |
476 |
@@ -168,57 +159,18 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) |
477 |
|
478 |
######################################## |
479 |
# |
480 |
-# qemu-dm local policy |
481 |
-# |
482 |
-# Do we need to allow execution of qemu-dm? |
483 |
-tunable_policy(`xend_run_qemu',` |
484 |
- allow qemu_dm_t self:capability sys_resource; |
485 |
- allow qemu_dm_t self:process setrlimit; |
486 |
- allow qemu_dm_t self:fifo_file { read write }; |
487 |
- allow qemu_dm_t self:tcp_socket create_stream_socket_perms; |
488 |
- |
489 |
- # If yes, transition to its own domain. |
490 |
- domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t) |
491 |
- |
492 |
- append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t) |
493 |
- |
494 |
- rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t) |
495 |
- |
496 |
- corenet_tcp_bind_generic_node(qemu_dm_t) |
497 |
- corenet_tcp_bind_vnc_port(qemu_dm_t) |
498 |
- |
499 |
- dev_rw_xen(qemu_dm_t) |
500 |
- |
501 |
- files_read_etc_files(qemu_dm_t) |
502 |
- files_read_usr_files(qemu_dm_t) |
503 |
- |
504 |
- fs_manage_xenfs_dirs(qemu_dm_t) |
505 |
- fs_manage_xenfs_files(qemu_dm_t) |
506 |
- |
507 |
- miscfiles_read_localization(qemu_dm_t) |
508 |
- |
509 |
- xen_stream_connect_xenstore(qemu_dm_t) |
510 |
-',` |
511 |
- # If no, then silently refuse to run it. |
512 |
- dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans }; |
513 |
-') |
514 |
- |
515 |
-######################################## |
516 |
-# |
517 |
# xend local policy |
518 |
# |
519 |
|
520 |
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; |
521 |
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource }; |
522 |
dontaudit xend_t self:capability { sys_ptrace }; |
523 |
-allow xend_t self:process { signal sigkill }; |
524 |
+allow xend_t self:process { setrlimit signal sigkill }; |
525 |
dontaudit xend_t self:process ptrace; |
526 |
-# internal communication is often done using fifo and unix sockets. |
527 |
allow xend_t self:fifo_file rw_fifo_file_perms; |
528 |
-allow xend_t self:unix_stream_socket create_stream_socket_perms; |
529 |
-allow xend_t self:unix_dgram_socket create_socket_perms; |
530 |
-allow xend_t self:netlink_route_socket r_netlink_socket_perms; |
531 |
-allow xend_t self:tcp_socket create_stream_socket_perms; |
532 |
+allow xend_t self:unix_stream_socket { accept listen }; |
533 |
+allow xend_t self:tcp_socket { accept listen }; |
534 |
allow xend_t self:packet_socket create_socket_perms; |
535 |
+allow xend_t self:tun_socket create_socket_perms; |
536 |
|
537 |
allow xend_t xen_image_t:dir list_dir_perms; |
538 |
manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) |
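Review bot: Folding the device model into xend_t (the removed `qemu_dm_t` block) gives the guest-facing QEMU process the full xend_t permission set, which this hunk simultaneously widens with `sys_admin` and `sys_resource`; a device-model compromise driven from a guest now lands directly in the management daemon's context rather than in a domain with four capabilities and a VNC port. If the merge is deliberate, document the trade-off where the capability line is: `# qemu-dm runs in xend_t (no separate device-model domain): sys_resource/setrlimit/tun_socket cover what qemu_dm_t held`. Also, the reduced `self:unix_stream_socket { accept listen }` and `self:tcp_socket { accept listen }` lines, and the dropped `netlink_route_socket` rule, only work if the base domain policy in this tree grants the create/bind/connect permissions as Fedora's does; confirm against this tree's kernel/domain.te before merging.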
539 |
@@ -233,37 +185,33 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) |
540 |
manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) |
541 |
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) |
542 |
|
543 |
-# pid file |
544 |
manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
545 |
manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
546 |
manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
547 |
manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
548 |
files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) |
549 |
|
550 |
-# log files |
551 |
manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
552 |
-manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
553 |
+append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
554 |
+create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
555 |
+setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
556 |
manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
557 |
logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) |
558 |
|
559 |
-# var/lib files for xend |
560 |
manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
561 |
manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
562 |
manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
563 |
manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
564 |
files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) |
565 |
|
566 |
-# transition to store |
567 |
-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) |
568 |
- |
569 |
-# manage xenstored pid file |
570 |
manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) |
571 |
|
572 |
-# mount tmpfs on /var/lib/xenstored |
573 |
-allow xend_t xenstored_var_lib_t:dir read; |
574 |
+allow xend_t xenstored_var_lib_t:dir list_dir_perms; |
575 |
|
576 |
-# transition to console |
577 |
domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) |
578 |
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) |
579 |
+ |
580 |
+xen_stream_connect_xenstore(xend_t) |
581 |
|
582 |
kernel_read_kernel_sysctls(xend_t) |
583 |
kernel_read_system_state(xend_t) |
584 |
@@ -281,18 +229,28 @@ corenet_tcp_sendrecv_generic_if(xend_t) |
585 |
corenet_tcp_sendrecv_generic_node(xend_t) |
586 |
corenet_tcp_sendrecv_all_ports(xend_t) |
587 |
corenet_tcp_bind_generic_node(xend_t) |
588 |
+ |
589 |
+corenet_sendrecv_xen_server_packets(xend_t) |
590 |
corenet_tcp_bind_xen_port(xend_t) |
591 |
+ |
592 |
+corenet_sendrecv_soundd_server_packets(xend_t) |
593 |
corenet_tcp_bind_soundd_port(xend_t) |
594 |
+ |
595 |
+corenet_sendrecv_generic_server_packets(xend_t) |
596 |
corenet_tcp_bind_generic_port(xend_t) |
597 |
+ |
598 |
+corenet_sendrecv_vnc_server_packets(xend_t) |
599 |
corenet_tcp_bind_vnc_port(xend_t) |
600 |
-corenet_tcp_connect_xserver_port(xend_t) |
601 |
-corenet_tcp_connect_xen_port(xend_t) |
602 |
+ |
603 |
corenet_sendrecv_xserver_client_packets(xend_t) |
604 |
-corenet_sendrecv_xen_server_packets(xend_t) |
605 |
+corenet_tcp_connect_xserver_port(xend_t) |
606 |
+ |
607 |
corenet_sendrecv_xen_client_packets(xend_t) |
608 |
-corenet_sendrecv_soundd_server_packets(xend_t) |
609 |
+corenet_tcp_connect_xen_port(xend_t) |
610 |
+ |
611 |
corenet_rw_tun_tap_dev(xend_t) |
612 |
|
613 |
+dev_getattr_all_chr_files(xend_t) |
614 |
dev_read_urand(xend_t) |
615 |
dev_filetrans_xen(xend_t) |
616 |
dev_rw_sysfs(xend_t) |
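Review bot: `dev_getattr_all_chr_files(xend_t)` is new and broad — it lets xend stat every character-device type, not only the xen and tun nodes it already reads and writes — and nothing in the hunk says why. If it is for walking /dev when validating a guest's device configuration, say so: `# xend stats arbitrary /dev nodes while checking guest device config — TODO confirm`; if a narrower `dev_getattr_*` interface covers the actual nodes, prefer it.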
617 |
@@ -308,8 +266,17 @@ files_manage_etc_runtime_files(xend_t) |
618 |
files_etc_filetrans_etc_runtime(xend_t, file) |
619 |
files_read_usr_files(xend_t) |
620 |
files_read_default_symlinks(xend_t) |
621 |
+files_search_mnt(xend_t) |
622 |
+ |
623 |
+fs_getattr_all_fs(xend_t) |
624 |
+fs_list_auto_mountpoints(xend_t) |
625 |
+fs_read_dos_files(xend_t) |
626 |
+fs_manage_xenfs_dirs(xend_t) |
627 |
+fs_manage_xenfs_files(xend_t) |
628 |
|
629 |
+term_setattr_generic_ptys(xend_t) |
630 |
term_getattr_all_ptys(xend_t) |
631 |
+term_setattr_all_ptys(xend_t) |
632 |
term_use_generic_ptys(xend_t) |
633 |
term_use_ptmx(xend_t) |
634 |
term_getattr_pty_fs(xend_t) |
635 |
@@ -320,13 +287,9 @@ locallogin_dontaudit_use_fds(xend_t) |
636 |
|
637 |
logging_send_syslog_msg(xend_t) |
638 |
|
639 |
-lvm_domtrans(xend_t) |
640 |
- |
641 |
miscfiles_read_localization(xend_t) |
642 |
miscfiles_read_hwdata(xend_t) |
643 |
|
644 |
-mount_domtrans(xend_t) |
645 |
- |
646 |
sysnet_domtrans_dhcpc(xend_t) |
647 |
sysnet_signal_dhcpc(xend_t) |
648 |
sysnet_domtrans_ifconfig(xend_t) |
649 |
@@ -337,9 +300,23 @@ sysnet_rw_dhcp_config(xend_t) |
650 |
|
651 |
userdom_dontaudit_search_user_home_dirs(xend_t) |
652 |
|
653 |
-xen_stream_connect_xenstore(xend_t) |
654 |
+tunable_policy(`xen_use_fusefs',` |
655 |
+ fs_manage_fusefs_dirs(xend_t) |
656 |
+ fs_manage_fusefs_files(xend_t) |
657 |
+ fs_read_fusefs_symlinks(xend_t) |
658 |
+') |
659 |
+ |
660 |
+tunable_policy(`xen_use_nfs',` |
661 |
+ fs_manage_nfs_dirs(xend_t) |
662 |
+ fs_manage_nfs_files(xend_t) |
663 |
+ fs_read_nfs_symlinks(xend_t) |
664 |
+') |
665 |
|
666 |
-netutils_domtrans(xend_t) |
667 |
+tunable_policy(`xen_use_samba',` |
668 |
+ fs_manage_cifs_files(xend_t) |
669 |
+ fs_manage_cifs_files(xend_t) |
670 |
+ fs_read_cifs_symlinks(xend_t) |
671 |
+') |
672 |
|
673 |
optional_policy(` |
674 |
brctl_domtrans(xend_t) |
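Review bot: The `xen_use_samba` block lists `fs_manage_cifs_files(xend_t)` twice and never grants directory management, unlike the `xen_use_nfs` and `xen_use_fusefs` blocks beside it, so xend cannot create or remove image directories on a CIFS share even with the boolean on. Replace the first duplicate with `fs_manage_cifs_dirs(xend_t)`. The same duplication appears in the xm_t copy of this tunable further down.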
675 |
@@ -349,6 +326,27 @@ optional_policy(` |
676 |
consoletype_exec(xend_t) |
677 |
') |
678 |
|
679 |
+optional_policy(` |
680 |
+ lvm_domtrans(xend_t) |
681 |
+') |
682 |
+ |
683 |
+optional_policy(` |
684 |
+ mount_domtrans(xend_t) |
685 |
+') |
686 |
+ |
687 |
+optional_policy(` |
688 |
+ netutils_domtrans(xend_t) |
689 |
+') |
690 |
+ |
691 |
+optional_policy(` |
692 |
+ ptchown_exec(xend_t) |
693 |
+') |
694 |
+ |
695 |
+optional_policy(` |
696 |
+ virt_search_images(xend_t) |
697 |
+ virt_read_config(xend_t) |
698 |
+') |
699 |
+ |
700 |
######################################## |
701 |
# |
702 |
# Xen console local policy |
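Review bot: `ptchown_exec(xend_t)` runs the setuid pt_chown helper without a domain transition, so its chown/chmod of the slave pty is checked against xend_t's own permissions; that is what the `term_setattr_all_ptys` and `term_setattr_generic_ptys` rules added elsewhere in this commit pay for, but nothing links the two. Suggest a comment on the optional block: `# pt_chown runs in xend_t (no transition); pty setattr is granted via term_setattr_*_ptys`. `virt_read_config(xend_t)` also lets xend read libvirt's configuration; if only the image location is needed, `virt_search_images` alone may suffice — worth confirming.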
703 |
@@ -361,7 +359,11 @@ allow xenconsoled_t self:fifo_file rw_fifo_file_perms; |
704 |
|
705 |
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; |
706 |
|
707 |
-# pid file |
708 |
+manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
709 |
+append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
710 |
+create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
711 |
+setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
712 |
+ |
713 |
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) |
714 |
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) |
715 |
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) |
716 |
@@ -390,9 +392,10 @@ term_use_console(xenconsoled_t) |
717 |
init_use_fds(xenconsoled_t) |
718 |
init_use_script_ptys(xenconsoled_t) |
719 |
|
720 |
+logging_search_logs(xenconsoled_t) |
721 |
+ |
722 |
miscfiles_read_localization(xenconsoled_t) |
723 |
|
724 |
-xen_manage_log(xenconsoled_t) |
725 |
xen_stream_connect_xenstore(xenconsoled_t) |
726 |
|
727 |
optional_policy(` |
728 |
@@ -405,25 +408,24 @@ optional_policy(` |
729 |
# |
730 |
|
731 |
allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; |
732 |
-allow xenstored_t self:unix_stream_socket create_stream_socket_perms; |
733 |
-allow xenstored_t self:unix_dgram_socket create_socket_perms; |
734 |
+allow xenstored_t self:unix_stream_socket { accept listen }; |
735 |
|
736 |
manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) |
737 |
manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) |
738 |
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) |
739 |
|
740 |
-# pid file |
741 |
+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) |
742 |
manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) |
743 |
manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) |
744 |
-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) |
745 |
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) |
746 |
|
747 |
-# log files |
748 |
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
749 |
-manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
750 |
+append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
751 |
+create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
752 |
+setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
753 |
manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
754 |
logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) |
755 |
|
756 |
-# var/lib files for xenstored |
757 |
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) |
758 |
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) |
759 |
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) |
760 |
@@ -439,9 +441,9 @@ dev_rw_xen(xenstored_t) |
761 |
dev_read_sysfs(xenstored_t) |
762 |
|
763 |
files_read_etc_files(xenstored_t) |
764 |
- |
765 |
files_read_usr_files(xenstored_t) |
766 |
|
767 |
+fs_search_xenfs(xenstored_t) |
768 |
fs_manage_xenfs_files(xenstored_t) |
769 |
|
770 |
term_use_generic_ptys(xenstored_t) |
771 |
@@ -460,24 +462,32 @@ xen_append_log(xenstored_t) |
772 |
# xm local policy |
773 |
# |
774 |
|
775 |
-allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; |
776 |
-allow xm_t self:process { getsched signal }; |
777 |
- |
778 |
-# internal communication is often done using fifo and unix sockets. |
779 |
+allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; |
780 |
+allow xm_t self:process { getcap getsched setsched setcap signal }; |
781 |
allow xm_t self:fifo_file rw_fifo_file_perms; |
782 |
-allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
783 |
-allow xm_t self:tcp_socket create_stream_socket_perms; |
784 |
+allow xm_t self:unix_stream_socket { accept connectto listen }; |
785 |
+allow xm_t self:tcp_socket { accept listen }; |
786 |
|
787 |
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
788 |
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
789 |
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
790 |
-files_search_var_lib(xm_t) |
791 |
|
792 |
allow xm_t xen_image_t:dir rw_dir_perms; |
793 |
allow xm_t xen_image_t:file read_file_perms; |
794 |
allow xm_t xen_image_t:blk_file read_blk_file_perms; |
795 |
|
796 |
+read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t) |
797 |
+ |
798 |
+xen_manage_image_dirs(xm_t) |
799 |
+xen_append_log(xm_t) |
800 |
+xen_domtrans(xm_t) |
801 |
+xen_stream_connect(xm_t) |
802 |
+xen_stream_connect_xenstore(xm_t) |
803 |
+ |
804 |
+can_exec(xm_t, xm_exec_t) |
805 |
+ |
806 |
kernel_read_system_state(xm_t) |
807 |
+kernel_read_network_state(xm_t) |
808 |
kernel_read_kernel_sysctls(xm_t) |
809 |
kernel_read_sysctl(xm_t) |
810 |
kernel_read_xen_state(xm_t) |
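Review bot: `setpcap` together with `self:process { getcap setcap }` lets xm_t rewrite its own capability sets, and `can_exec(xm_t, xm_exec_t)` lets it re-execute the toolstack without a transition; neither carries a reason, and the capability line is the one a reviewer will question first. If these came over with the Fedora port for xl (which re-execs itself and its helper scripts), say so: `# xl adjusts its own capability sets and re-execs itself`; otherwise consider dropping `setpcap`/`setcap` until a denial shows they are needed.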
811 |
@@ -486,22 +496,33 @@ kernel_write_xen_state(xm_t) |
812 |
corecmd_exec_bin(xm_t) |
813 |
corecmd_exec_shell(xm_t) |
814 |
|
815 |
+corenet_all_recvfrom_unlabeled(xm_t) |
816 |
+corenet_all_recvfrom_netlabel(xm_t) |
817 |
corenet_tcp_sendrecv_generic_if(xm_t) |
818 |
corenet_tcp_sendrecv_generic_node(xm_t) |
819 |
+ |
820 |
+corenet_sendrecv_soundd_client_packets(xm_t) |
821 |
corenet_tcp_connect_soundd_port(xm_t) |
822 |
+corenet_tcp_sendrecv_soundd_port(xm_t) |
823 |
|
824 |
+dev_read_rand(xm_t) |
825 |
dev_read_urand(xm_t) |
826 |
dev_read_sysfs(xm_t) |
827 |
|
828 |
files_read_etc_runtime_files(xm_t) |
829 |
+files_read_etc_files(xm_t) |
830 |
files_read_usr_files(xm_t) |
831 |
+files_search_pids(xm_t) |
832 |
+files_search_var_lib(xm_t) |
833 |
files_list_mnt(xm_t) |
834 |
-# Some common macros (you might be able to remove some) |
835 |
-files_read_etc_files(xm_t) |
836 |
+files_list_tmp(xm_t) |
837 |
|
838 |
fs_getattr_all_fs(xm_t) |
839 |
fs_manage_xenfs_dirs(xm_t) |
840 |
fs_manage_xenfs_files(xm_t) |
841 |
+fs_search_auto_mountpoints(xm_t) |
842 |
+ |
843 |
+storage_raw_read_fixed_disk(xm_t) |
844 |
|
845 |
term_use_all_terms(xm_t) |
846 |
|
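Review bot: `storage_raw_read_fixed_disk(xm_t)` grants raw read of every `fixed_disk_device_t` node, i.e. the dom0 system disks, not only guest-backing devices; since `dev_node(xen_image_t)` already allows relabeling the specific block devices that back guests as `xen_image_t` (which xm_t may read via `xen_image_t:blk_file read_blk_file_perms`), this broad rule may be unnecessary. If it is required for whole-disk backends that cannot be relabeled, document it and consider gating it: `# xl/xm read unlabeled whole-disk guest backends; prefer relabeling them xen_image_t`.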
847 |
@@ -509,13 +530,33 @@ init_stream_connect_script(xm_t) |
848 |
init_rw_script_stream_sockets(xm_t) |
849 |
init_use_fds(xm_t) |
850 |
|
851 |
+logging_send_syslog_msg(xm_t) |
852 |
+ |
853 |
miscfiles_read_localization(xm_t) |
854 |
|
855 |
sysnet_dns_name_resolve(xm_t) |
856 |
|
857 |
-xen_append_log(xm_t) |
858 |
-xen_stream_connect(xm_t) |
859 |
-xen_stream_connect_xenstore(xm_t) |
860 |
+tunable_policy(`xen_use_fusefs',` |
861 |
+ fs_manage_fusefs_dirs(xm_t) |
862 |
+ fs_manage_fusefs_files(xm_t) |
863 |
+ fs_read_fusefs_symlinks(xm_t) |
864 |
+') |
865 |
+ |
866 |
+tunable_policy(`xen_use_nfs',` |
867 |
+ fs_manage_nfs_dirs(xm_t) |
868 |
+ fs_manage_nfs_files(xm_t) |
869 |
+ fs_read_nfs_symlinks(xm_t) |
870 |
+') |
871 |
+ |
872 |
+tunable_policy(`xen_use_samba',` |
873 |
+ fs_manage_cifs_files(xm_t) |
874 |
+ fs_manage_cifs_files(xm_t) |
875 |
+ fs_read_cifs_symlinks(xm_t) |
876 |
+') |
877 |
+ |
878 |
+optional_policy(` |
879 |
+ cron_system_entry(xm_t, xm_exec_t) |
880 |
+') |
881 |
|
882 |
optional_policy(` |
883 |
dbus_system_bus_client(xm_t) |
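Review bot: The `xen_use_samba` block for xm_t repeats `fs_manage_cifs_files(xm_t)` and omits `fs_manage_cifs_dirs(xm_t)`, while the nfs and fusefs blocks above it grant both dirs and files; xm therefore cannot create image directories on CIFS under the boolean. Replace the first duplicated line with `fs_manage_cifs_dirs(xm_t)`.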
884 |
@@ -526,16 +567,22 @@ optional_policy(` |
885 |
') |
886 |
|
887 |
optional_policy(` |
888 |
+ rpm_exec(xm_t) |
889 |
+') |
890 |
+ |
891 |
+optional_policy(` |
892 |
+ vhostmd_rw_tmpfs_files(xm_t) |
893 |
+ vhostmd_stream_connect(xm_t) |
894 |
+ vhostmd_dontaudit_rw_stream_connect(xm_t) |
895 |
+') |
896 |
+ |
897 |
+optional_policy(` |
898 |
virt_domtrans(xm_t) |
899 |
virt_manage_images(xm_t) |
900 |
virt_manage_config(xm_t) |
901 |
virt_stream_connect(xm_t) |
902 |
') |
903 |
|
904 |
-######################################## |
905 |
-# |
906 |
-# SSH component local policy |
907 |
-# |
908 |
optional_policy(` |
909 |
ssh_basic_client_template(xm, xm_t, system_r) |
910 |
|
911 |
@@ -546,21 +593,4 @@ optional_policy(` |
912 |
|
913 |
fs_manage_xenfs_dirs(xm_ssh_t) |
914 |
fs_manage_xenfs_files(xm_ssh_t) |
915 |
- |
916 |
- #Should have a boolean wrapping these |
917 |
- fs_list_auto_mountpoints(xend_t) |
918 |
- files_search_mnt(xend_t) |
919 |
- fs_getattr_all_fs(xend_t) |
920 |
- fs_read_dos_files(xend_t) |
921 |
- fs_manage_xenfs_dirs(xend_t) |
922 |
- fs_manage_xenfs_files(xend_t) |
923 |
- |
924 |
- tunable_policy(`xen_use_nfs',` |
925 |
- fs_manage_nfs_files(xend_t) |
926 |
- fs_read_nfs_symlinks(xend_t) |
927 |
- ') |
928 |
- |
929 |
- optional_policy(` |
930 |
- unconfined_domain(xend_t) |
931 |
- ') |
932 |
') |