| 1 |
commit: 8ae62ddf1a01ef783ef5e8f8b26af07e928a1dc6 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Thu Nov 1 16:51:07 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Fri Nov 2 19:08:08 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ae62ddf |
| 7 |
|
| 8 |
Changes to the xen policy module and relevant dependencies |
| 9 |
|
| 10 |
Ported from Fedora with changes |
| 11 |
|
| 12 |
Drop qemu dm run it in xend_t instead |
| 13 |
|
| 14 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 15 |
|
| 16 |
--- |
| 17 |
policy/modules/contrib/ptchown.if | 19 +++ |
| 18 |
policy/modules/contrib/ptchown.te | 2 +- |
| 19 |
policy/modules/contrib/virt.if | 19 +++ |
| 20 |
policy/modules/contrib/virt.te | 2 +- |
| 21 |
policy/modules/contrib/xen.fc | 23 ++-- |
| 22 |
policy/modules/contrib/xen.if | 41 +++--- |
| 23 |
policy/modules/contrib/xen.te | 322 ++++++++++++++++++++----------------- |
| 24 |
7 files changed, 247 insertions(+), 181 deletions(-) |
| 25 |
|
| 26 |
diff --git a/policy/modules/contrib/ptchown.if b/policy/modules/contrib/ptchown.if |
| 27 |
index 8e24623..97a1e7b 100644 |
| 28 |
--- a/policy/modules/contrib/ptchown.if |
| 29 |
+++ b/policy/modules/contrib/ptchown.if |
| 30 |
@@ -19,6 +19,25 @@ interface(`ptchown_domtrans',` |
| 31 |
domtrans_pattern($1, ptchown_exec_t, ptchown_t) |
| 32 |
') |
| 33 |
|
| 34 |
+####################################### |
| 35 |
+## <summary> |
| 36 |
+## Execute ptchown in the caller domain. |
| 37 |
+## </summary> |
| 38 |
+## <param name="domain"> |
| 39 |
+## <summary> |
| 40 |
+## Domain allowed access. |
| 41 |
+## </summary> |
| 42 |
+## </param> |
| 43 |
+# |
| 44 |
+interface(`ptchown_exec',` |
| 45 |
+ gen_require(` |
| 46 |
+ type ptchown_exec_t; |
| 47 |
+ ') |
| 48 |
+ |
| 49 |
+ corecmd_search_bin($1) |
| 50 |
+ can_exec($1, ptchown_exec_t) |
| 51 |
+') |
| 52 |
+ |
| 53 |
######################################## |
| 54 |
## <summary> |
| 55 |
## Execute ptchown in the ptchown |
| 56 |
|
| 57 |
diff --git a/policy/modules/contrib/ptchown.te b/policy/modules/contrib/ptchown.te |
| 58 |
index c7e3187..d67905e 100644 |
| 59 |
--- a/policy/modules/contrib/ptchown.te |
| 60 |
+++ b/policy/modules/contrib/ptchown.te |
| 61 |
@@ -1,4 +1,4 @@ |
| 62 |
-policy_module(ptchown, 1.1.1) |
| 63 |
+policy_module(ptchown, 1.1.2) |
| 64 |
|
| 65 |
######################################## |
| 66 |
# |
| 67 |
|
| 68 |
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if |
| 69 |
index e1c17d0..2b69064 100644 |
| 70 |
--- a/policy/modules/contrib/virt.if |
| 71 |
+++ b/policy/modules/contrib/virt.if |
| 72 |
@@ -963,6 +963,25 @@ interface(`virt_manage_log',` |
| 73 |
|
| 74 |
######################################## |
| 75 |
## <summary> |
| 76 |
+## Search virt image directories. |
| 77 |
+## </summary> |
| 78 |
+## <param name="domain"> |
| 79 |
+## <summary> |
| 80 |
+## Domain allowed access. |
| 81 |
+## </summary> |
| 82 |
+## </param> |
| 83 |
+# |
| 84 |
+interface(`virt_search_images',` |
| 85 |
+ gen_require(` |
| 86 |
+ attribute virt_image_type; |
| 87 |
+ ') |
| 88 |
+ |
| 89 |
+ virt_search_lib($1) |
| 90 |
+ allow $1 virt_image_type:dir search_dir_perms; |
| 91 |
+') |
| 92 |
+ |
| 93 |
+######################################## |
| 94 |
+## <summary> |
| 95 |
## Read virt image files. |
| 96 |
## </summary> |
| 97 |
## <param name="domain"> |
| 98 |
|
| 99 |
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te |
| 100 |
index 8760ef5..99b68a3 100644 |
| 101 |
--- a/policy/modules/contrib/virt.te |
| 102 |
+++ b/policy/modules/contrib/virt.te |
| 103 |
@@ -1,4 +1,4 @@ |
| 104 |
-policy_module(virt, 1.6.1) |
| 105 |
+policy_module(virt, 1.6.2) |
| 106 |
|
| 107 |
######################################## |
| 108 |
# |
| 109 |
|
| 110 |
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc |
| 111 |
index 0bd5f6b..42d83b0 100644 |
| 112 |
--- a/policy/modules/contrib/xen.fc |
| 113 |
+++ b/policy/modules/contrib/xen.fc |
| 114 |
@@ -1,33 +1,30 @@ |
| 115 |
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0) |
| 116 |
|
| 117 |
-/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) |
| 118 |
-/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) |
| 119 |
-/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) |
| 120 |
- |
| 121 |
-/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0) |
| 122 |
- |
| 123 |
-ifdef(`distro_debian',` |
| 124 |
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) |
| 125 |
/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) |
| 126 |
/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) |
| 127 |
+/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) |
| 128 |
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) |
| 129 |
-',` |
| 130 |
+ |
| 131 |
+/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) |
| 132 |
+/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) |
| 133 |
+/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0) |
| 134 |
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0) |
| 135 |
/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0) |
| 136 |
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) |
| 137 |
+/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) |
| 138 |
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) |
| 139 |
-') |
| 140 |
|
| 141 |
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) |
| 142 |
/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0) |
| 143 |
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) |
| 144 |
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) |
| 145 |
|
| 146 |
-/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) |
| 147 |
+/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) |
| 148 |
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) |
| 149 |
-/var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) |
| 150 |
-/var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) |
| 151 |
-/var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0) |
| 152 |
+/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
| 153 |
+/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
| 154 |
+/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) |
| 155 |
|
| 156 |
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0) |
| 157 |
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) |
| 158 |
|
| 159 |
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if |
| 160 |
index e7e99d3..f93558c 100644 |
| 161 |
--- a/policy/modules/contrib/xen.if |
| 162 |
+++ b/policy/modules/contrib/xen.if |
| 163 |
@@ -1,13 +1,13 @@ |
| 164 |
-## <summary>Xen hypervisor</summary> |
| 165 |
+## <summary>Xen hypervisor.</summary> |
| 166 |
|
| 167 |
######################################## |
| 168 |
## <summary> |
| 169 |
## Execute a domain transition to run xend. |
| 170 |
## </summary> |
| 171 |
## <param name="domain"> |
| 172 |
-## <summary> |
| 173 |
+## <summary> |
| 174 |
## Domain allowed to transition. |
| 175 |
-## </summary> |
| 176 |
+## </summary> |
| 177 |
## </param> |
| 178 |
# |
| 179 |
interface(`xen_domtrans',` |
| 180 |
@@ -15,6 +15,7 @@ interface(`xen_domtrans',` |
| 181 |
type xend_t, xend_exec_t; |
| 182 |
') |
| 183 |
|
| 184 |
+ corecmd_search_bin($1) |
| 185 |
domtrans_pattern($1, xend_exec_t, xend_t) |
| 186 |
') |
| 187 |
|
| 188 |
@@ -99,9 +100,9 @@ interface(`xen_manage_image_dirs',` |
| 189 |
## Read xend image files. |
| 190 |
## </summary> |
| 191 |
## <param name="domain"> |
| 192 |
-## <summary> |
| 193 |
+## <summary> |
| 194 |
## Domain allowed access. |
| 195 |
-## </summary> |
| 196 |
+## </summary> |
| 197 |
## </param> |
| 198 |
# |
| 199 |
interface(`xen_read_image_files',` |
| 200 |
@@ -110,20 +111,18 @@ interface(`xen_read_image_files',` |
| 201 |
') |
| 202 |
|
| 203 |
files_list_var_lib($1) |
| 204 |
- |
| 205 |
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) |
| 206 |
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t) |
| 207 |
') |
| 208 |
|
| 209 |
######################################## |
| 210 |
## <summary> |
| 211 |
-## Allow the specified domain to read/write |
| 212 |
-## xend image files. |
| 213 |
+## Read and write xend image files. |
| 214 |
## </summary> |
| 215 |
## <param name="domain"> |
| 216 |
-## <summary> |
| 217 |
+## <summary> |
| 218 |
## Domain allowed access. |
| 219 |
-## </summary> |
| 220 |
+## </summary> |
| 221 |
## </param> |
| 222 |
# |
| 223 |
interface(`xen_rw_image_files',` |
| 224 |
@@ -138,8 +137,7 @@ interface(`xen_rw_image_files',` |
| 225 |
|
| 226 |
######################################## |
| 227 |
## <summary> |
| 228 |
-## Allow the specified domain to append |
| 229 |
-## xend log files. |
| 230 |
+## Append xend log files. |
| 231 |
## </summary> |
| 232 |
## <param name="domain"> |
| 233 |
## <summary> |
| 234 |
@@ -159,13 +157,13 @@ interface(`xen_append_log',` |
| 235 |
|
| 236 |
######################################## |
| 237 |
## <summary> |
| 238 |
-## Create, read, write, and delete the |
| 239 |
+## Create, read, write, and delete |
| 240 |
## xend log files. |
| 241 |
## </summary> |
| 242 |
## <param name="domain"> |
| 243 |
-## <summary> |
| 244 |
+## <summary> |
| 245 |
## Domain allowed access. |
| 246 |
-## </summary> |
| 247 |
+## </summary> |
| 248 |
## </param> |
| 249 |
# |
| 250 |
interface(`xen_manage_log',` |
| 251 |
@@ -200,8 +198,7 @@ interface(`xen_read_xenstored_pid_files',` |
| 252 |
######################################## |
| 253 |
## <summary> |
| 254 |
## Do not audit attempts to read and write |
| 255 |
-## Xen unix domain stream sockets. These |
| 256 |
-## are leaked file descriptors. |
| 257 |
+## Xen unix domain stream sockets. |
| 258 |
## </summary> |
| 259 |
## <param name="domain"> |
| 260 |
## <summary> |
| 261 |
@@ -219,7 +216,8 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` |
| 262 |
|
| 263 |
######################################## |
| 264 |
## <summary> |
| 265 |
-## Connect to xenstored over an unix stream socket. |
| 266 |
+## Connect to xenstored with a unix |
| 267 |
+## domain stream socket. |
| 268 |
## </summary> |
| 269 |
## <param name="domain"> |
| 270 |
## <summary> |
| 271 |
@@ -238,7 +236,8 @@ interface(`xen_stream_connect_xenstore',` |
| 272 |
|
| 273 |
######################################## |
| 274 |
## <summary> |
| 275 |
-## Connect to xend over an unix domain stream socket. |
| 276 |
+## Connect to xend with a unix |
| 277 |
+## domain stream socket. |
| 278 |
## </summary> |
| 279 |
## <param name="domain"> |
| 280 |
## <summary> |
| 281 |
@@ -273,12 +272,14 @@ interface(`xen_domtrans_xm',` |
| 282 |
type xm_t, xm_exec_t; |
| 283 |
') |
| 284 |
|
| 285 |
+ corecmd_search_bin($1) |
| 286 |
domtrans_pattern($1, xm_exec_t, xm_t) |
| 287 |
') |
| 288 |
|
| 289 |
######################################## |
| 290 |
## <summary> |
| 291 |
-## Connect to xm over an unix stream socket. |
| 292 |
+## Connect to xm with a unix |
| 293 |
+## domain stream socket. |
| 294 |
## </summary> |
| 295 |
## <param name="domain"> |
| 296 |
## <summary> |
| 297 |
|
| 298 |
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te |
| 299 |
index 279a214..8b278c2 100644 |
| 300 |
--- a/policy/modules/contrib/xen.te |
| 301 |
+++ b/policy/modules/contrib/xen.te |
| 302 |
@@ -1,4 +1,4 @@ |
| 303 |
-policy_module(xen, 1.12.2) |
| 304 |
+policy_module(xen, 1.12.3) |
| 305 |
|
| 306 |
######################################## |
| 307 |
# |
| 308 |
@@ -6,28 +6,37 @@ policy_module(xen, 1.12.2) |
| 309 |
# |
| 310 |
|
| 311 |
## <desc> |
| 312 |
-## <p> |
| 313 |
-## Allow xend to run blktapctrl/tapdisk. |
| 314 |
-## Not required if using dedicated logical volumes for disk images. |
| 315 |
+## <p> |
| 316 |
+## Determine whether xend can |
| 317 |
+## run blktapctrl and tapdisk. |
| 318 |
## </p> |
| 319 |
## </desc> |
| 320 |
gen_tunable(xend_run_blktap, false) |
| 321 |
|
| 322 |
## <desc> |
| 323 |
-## <p> |
| 324 |
-## Allow xend to run qemu-dm. |
| 325 |
-## Not required if using paravirt and no vfb. |
| 326 |
-## </p> |
| 327 |
+## <p> |
| 328 |
+## Determine whether xen can |
| 329 |
+## use fusefs file systems. |
| 330 |
+## </p> |
| 331 |
## </desc> |
| 332 |
-gen_tunable(xend_run_qemu, false) |
| 333 |
+gen_tunable(xen_use_fusefs, false) |
| 334 |
|
| 335 |
## <desc> |
| 336 |
-## <p> |
| 337 |
-## Allow xen to manage nfs files |
| 338 |
-## </p> |
| 339 |
+## <p> |
| 340 |
+## Determine whether xen can |
| 341 |
+## use nfs file systems. |
| 342 |
+## </p> |
| 343 |
## </desc> |
| 344 |
gen_tunable(xen_use_nfs, false) |
| 345 |
|
| 346 |
+## <desc> |
| 347 |
+## <p> |
| 348 |
+## Determine whether xen can |
| 349 |
+## use samba file systems. |
| 350 |
+## </p> |
| 351 |
+## </desc> |
| 352 |
+gen_tunable(xen_use_samba, false) |
| 353 |
+ |
| 354 |
type blktap_t; |
| 355 |
type blktap_exec_t; |
| 356 |
domain_type(blktap_t) |
| 357 |
@@ -41,54 +50,41 @@ type evtchnd_t; |
| 358 |
type evtchnd_exec_t; |
| 359 |
init_daemon_domain(evtchnd_t, evtchnd_exec_t) |
| 360 |
|
| 361 |
-# log files |
| 362 |
type evtchnd_var_log_t; |
| 363 |
logging_log_file(evtchnd_var_log_t) |
| 364 |
|
| 365 |
-# pid files |
| 366 |
type evtchnd_var_run_t; |
| 367 |
files_pid_file(evtchnd_var_run_t) |
| 368 |
|
| 369 |
-type qemu_dm_t; |
| 370 |
-type qemu_dm_exec_t; |
| 371 |
-domain_type(qemu_dm_t) |
| 372 |
-domain_entry_file(qemu_dm_t, qemu_dm_exec_t) |
| 373 |
-role system_r types qemu_dm_t; |
| 374 |
- |
| 375 |
-# console ptys |
| 376 |
type xen_devpts_t; |
| 377 |
term_pty(xen_devpts_t) |
| 378 |
files_type(xen_devpts_t) |
| 379 |
|
| 380 |
-# Xen Image files |
| 381 |
type xen_image_t; # customizable |
| 382 |
files_type(xen_image_t) |
| 383 |
-# xen_image_t can be assigned to blk devices |
| 384 |
dev_node(xen_image_t) |
| 385 |
|
| 386 |
+optional_policy(` |
| 387 |
+ virt_image(xen_image_t) |
| 388 |
+') |
| 389 |
+ |
| 390 |
type xenctl_t; |
| 391 |
files_type(xenctl_t) |
| 392 |
|
| 393 |
type xend_t; |
| 394 |
type xend_exec_t; |
| 395 |
-domain_type(xend_t) |
| 396 |
init_daemon_domain(xend_t, xend_exec_t) |
| 397 |
|
| 398 |
-# tmp files |
| 399 |
type xend_tmp_t; |
| 400 |
files_tmp_file(xend_tmp_t) |
| 401 |
|
| 402 |
-# var/lib files |
| 403 |
type xend_var_lib_t; |
| 404 |
files_type(xend_var_lib_t) |
| 405 |
-# for mounting an NFS store |
| 406 |
files_mountpoint(xend_var_lib_t) |
| 407 |
|
| 408 |
-# log files |
| 409 |
type xend_var_log_t; |
| 410 |
logging_log_file(xend_var_log_t) |
| 411 |
|
| 412 |
-# pid files |
| 413 |
type xend_var_run_t; |
| 414 |
files_pid_file(xend_var_run_t) |
| 415 |
files_mountpoint(xend_var_run_t) |
| 416 |
@@ -100,16 +96,13 @@ init_daemon_domain(xenstored_t, xenstored_exec_t) |
| 417 |
type xenstored_tmp_t; |
| 418 |
files_tmp_file(xenstored_tmp_t) |
| 419 |
|
| 420 |
-# var/lib files |
| 421 |
type xenstored_var_lib_t; |
| 422 |
files_type(xenstored_var_lib_t) |
| 423 |
files_mountpoint(xenstored_var_lib_t) |
| 424 |
|
| 425 |
-# log files |
| 426 |
type xenstored_var_log_t; |
| 427 |
logging_log_file(xenstored_var_log_t) |
| 428 |
|
| 429 |
-# pid files |
| 430 |
type xenstored_var_run_t; |
| 431 |
files_pid_file(xenstored_var_run_t) |
| 432 |
|
| 433 |
@@ -117,22 +110,19 @@ type xenconsoled_t; |
| 434 |
type xenconsoled_exec_t; |
| 435 |
init_daemon_domain(xenconsoled_t, xenconsoled_exec_t) |
| 436 |
|
| 437 |
-# pid files |
| 438 |
type xenconsoled_var_run_t; |
| 439 |
files_pid_file(xenconsoled_var_run_t) |
| 440 |
|
| 441 |
type xm_t; |
| 442 |
type xm_exec_t; |
| 443 |
-domain_type(xm_t) |
| 444 |
init_system_domain(xm_t, xm_exec_t) |
| 445 |
|
| 446 |
######################################## |
| 447 |
# |
| 448 |
# blktap local policy |
| 449 |
# |
| 450 |
-# Do we need to allow execution of blktap? |
| 451 |
+ |
| 452 |
tunable_policy(`xend_run_blktap',` |
| 453 |
- # If yes, transition to its own domain. |
| 454 |
domtrans_pattern(xend_t, blktap_exec_t, blktap_t) |
| 455 |
|
| 456 |
allow blktap_t self:fifo_file { read write }; |
| 457 |
@@ -148,7 +138,6 @@ tunable_policy(`xend_run_blktap',` |
| 458 |
|
| 459 |
xen_stream_connect_xenstore(blktap_t) |
| 460 |
',` |
| 461 |
- # If no, then silently refuse to run it. |
| 462 |
dontaudit xend_t blktap_exec_t:file { execute execute_no_trans }; |
| 463 |
') |
| 464 |
|
| 465 |
@@ -158,7 +147,9 @@ tunable_policy(`xend_run_blktap',` |
| 466 |
# |
| 467 |
|
| 468 |
manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
| 469 |
-manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
| 470 |
+append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
| 471 |
+create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
| 472 |
+setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t) |
| 473 |
logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir }) |
| 474 |
|
| 475 |
manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t) |
| 476 |
@@ -168,57 +159,18 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir }) |
| 477 |
|
| 478 |
######################################## |
| 479 |
# |
| 480 |
-# qemu-dm local policy |
| 481 |
-# |
| 482 |
-# Do we need to allow execution of qemu-dm? |
| 483 |
-tunable_policy(`xend_run_qemu',` |
| 484 |
- allow qemu_dm_t self:capability sys_resource; |
| 485 |
- allow qemu_dm_t self:process setrlimit; |
| 486 |
- allow qemu_dm_t self:fifo_file { read write }; |
| 487 |
- allow qemu_dm_t self:tcp_socket create_stream_socket_perms; |
| 488 |
- |
| 489 |
- # If yes, transition to its own domain. |
| 490 |
- domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t) |
| 491 |
- |
| 492 |
- append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t) |
| 493 |
- |
| 494 |
- rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t) |
| 495 |
- |
| 496 |
- corenet_tcp_bind_generic_node(qemu_dm_t) |
| 497 |
- corenet_tcp_bind_vnc_port(qemu_dm_t) |
| 498 |
- |
| 499 |
- dev_rw_xen(qemu_dm_t) |
| 500 |
- |
| 501 |
- files_read_etc_files(qemu_dm_t) |
| 502 |
- files_read_usr_files(qemu_dm_t) |
| 503 |
- |
| 504 |
- fs_manage_xenfs_dirs(qemu_dm_t) |
| 505 |
- fs_manage_xenfs_files(qemu_dm_t) |
| 506 |
- |
| 507 |
- miscfiles_read_localization(qemu_dm_t) |
| 508 |
- |
| 509 |
- xen_stream_connect_xenstore(qemu_dm_t) |
| 510 |
-',` |
| 511 |
- # If no, then silently refuse to run it. |
| 512 |
- dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans }; |
| 513 |
-') |
| 514 |
- |
| 515 |
-######################################## |
| 516 |
-# |
| 517 |
# xend local policy |
| 518 |
# |
| 519 |
|
| 520 |
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; |
| 521 |
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource }; |
| 522 |
dontaudit xend_t self:capability { sys_ptrace }; |
| 523 |
-allow xend_t self:process { signal sigkill }; |
| 524 |
+allow xend_t self:process { setrlimit signal sigkill }; |
| 525 |
dontaudit xend_t self:process ptrace; |
| 526 |
-# internal communication is often done using fifo and unix sockets. |
| 527 |
allow xend_t self:fifo_file rw_fifo_file_perms; |
| 528 |
-allow xend_t self:unix_stream_socket create_stream_socket_perms; |
| 529 |
-allow xend_t self:unix_dgram_socket create_socket_perms; |
| 530 |
-allow xend_t self:netlink_route_socket r_netlink_socket_perms; |
| 531 |
-allow xend_t self:tcp_socket create_stream_socket_perms; |
| 532 |
+allow xend_t self:unix_stream_socket { accept listen }; |
| 533 |
+allow xend_t self:tcp_socket { accept listen }; |
| 534 |
allow xend_t self:packet_socket create_socket_perms; |
| 535 |
+allow xend_t self:tun_socket create_socket_perms; |
| 536 |
|
| 537 |
allow xend_t xen_image_t:dir list_dir_perms; |
| 538 |
manage_dirs_pattern(xend_t, xen_image_t, xen_image_t) |
| 539 |
@@ -233,37 +185,33 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t) |
| 540 |
manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t) |
| 541 |
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir }) |
| 542 |
|
| 543 |
-# pid file |
| 544 |
manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
| 545 |
manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
| 546 |
manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
| 547 |
manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t) |
| 548 |
files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir }) |
| 549 |
|
| 550 |
-# log files |
| 551 |
manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
| 552 |
-manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
| 553 |
+append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
| 554 |
+create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
| 555 |
+setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
| 556 |
manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t) |
| 557 |
logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir }) |
| 558 |
|
| 559 |
-# var/lib files for xend |
| 560 |
manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
| 561 |
manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
| 562 |
manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
| 563 |
manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t) |
| 564 |
files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir }) |
| 565 |
|
| 566 |
-# transition to store |
| 567 |
-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) |
| 568 |
- |
| 569 |
-# manage xenstored pid file |
| 570 |
manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t) |
| 571 |
|
| 572 |
-# mount tmpfs on /var/lib/xenstored |
| 573 |
-allow xend_t xenstored_var_lib_t:dir read; |
| 574 |
+allow xend_t xenstored_var_lib_t:dir list_dir_perms; |
| 575 |
|
| 576 |
-# transition to console |
| 577 |
domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t) |
| 578 |
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t) |
| 579 |
+ |
| 580 |
+xen_stream_connect_xenstore(xend_t) |
| 581 |
|
| 582 |
kernel_read_kernel_sysctls(xend_t) |
| 583 |
kernel_read_system_state(xend_t) |
| 584 |
@@ -281,18 +229,28 @@ corenet_tcp_sendrecv_generic_if(xend_t) |
| 585 |
corenet_tcp_sendrecv_generic_node(xend_t) |
| 586 |
corenet_tcp_sendrecv_all_ports(xend_t) |
| 587 |
corenet_tcp_bind_generic_node(xend_t) |
| 588 |
+ |
| 589 |
+corenet_sendrecv_xen_server_packets(xend_t) |
| 590 |
corenet_tcp_bind_xen_port(xend_t) |
| 591 |
+ |
| 592 |
+corenet_sendrecv_soundd_server_packets(xend_t) |
| 593 |
corenet_tcp_bind_soundd_port(xend_t) |
| 594 |
+ |
| 595 |
+corenet_sendrecv_generic_server_packets(xend_t) |
| 596 |
corenet_tcp_bind_generic_port(xend_t) |
| 597 |
+ |
| 598 |
+corenet_sendrecv_vnc_server_packets(xend_t) |
| 599 |
corenet_tcp_bind_vnc_port(xend_t) |
| 600 |
-corenet_tcp_connect_xserver_port(xend_t) |
| 601 |
-corenet_tcp_connect_xen_port(xend_t) |
| 602 |
+ |
| 603 |
corenet_sendrecv_xserver_client_packets(xend_t) |
| 604 |
-corenet_sendrecv_xen_server_packets(xend_t) |
| 605 |
+corenet_tcp_connect_xserver_port(xend_t) |
| 606 |
+ |
| 607 |
corenet_sendrecv_xen_client_packets(xend_t) |
| 608 |
-corenet_sendrecv_soundd_server_packets(xend_t) |
| 609 |
+corenet_tcp_connect_xen_port(xend_t) |
| 610 |
+ |
| 611 |
corenet_rw_tun_tap_dev(xend_t) |
| 612 |
|
| 613 |
+dev_getattr_all_chr_files(xend_t) |
| 614 |
dev_read_urand(xend_t) |
| 615 |
dev_filetrans_xen(xend_t) |
| 616 |
dev_rw_sysfs(xend_t) |
| 617 |
@@ -308,8 +266,17 @@ files_manage_etc_runtime_files(xend_t) |
| 618 |
files_etc_filetrans_etc_runtime(xend_t, file) |
| 619 |
files_read_usr_files(xend_t) |
| 620 |
files_read_default_symlinks(xend_t) |
| 621 |
+files_search_mnt(xend_t) |
| 622 |
+ |
| 623 |
+fs_getattr_all_fs(xend_t) |
| 624 |
+fs_list_auto_mountpoints(xend_t) |
| 625 |
+fs_read_dos_files(xend_t) |
| 626 |
+fs_manage_xenfs_dirs(xend_t) |
| 627 |
+fs_manage_xenfs_files(xend_t) |
| 628 |
|
| 629 |
+term_setattr_generic_ptys(xend_t) |
| 630 |
term_getattr_all_ptys(xend_t) |
| 631 |
+term_setattr_all_ptys(xend_t) |
| 632 |
term_use_generic_ptys(xend_t) |
| 633 |
term_use_ptmx(xend_t) |
| 634 |
term_getattr_pty_fs(xend_t) |
| 635 |
@@ -320,13 +287,9 @@ locallogin_dontaudit_use_fds(xend_t) |
| 636 |
|
| 637 |
logging_send_syslog_msg(xend_t) |
| 638 |
|
| 639 |
-lvm_domtrans(xend_t) |
| 640 |
- |
| 641 |
miscfiles_read_localization(xend_t) |
| 642 |
miscfiles_read_hwdata(xend_t) |
| 643 |
|
| 644 |
-mount_domtrans(xend_t) |
| 645 |
- |
| 646 |
sysnet_domtrans_dhcpc(xend_t) |
| 647 |
sysnet_signal_dhcpc(xend_t) |
| 648 |
sysnet_domtrans_ifconfig(xend_t) |
| 649 |
@@ -337,9 +300,23 @@ sysnet_rw_dhcp_config(xend_t) |
| 650 |
|
| 651 |
userdom_dontaudit_search_user_home_dirs(xend_t) |
| 652 |
|
| 653 |
-xen_stream_connect_xenstore(xend_t) |
| 654 |
+tunable_policy(`xen_use_fusefs',` |
| 655 |
+ fs_manage_fusefs_dirs(xend_t) |
| 656 |
+ fs_manage_fusefs_files(xend_t) |
| 657 |
+ fs_read_fusefs_symlinks(xend_t) |
| 658 |
+') |
| 659 |
+ |
| 660 |
+tunable_policy(`xen_use_nfs',` |
| 661 |
+ fs_manage_nfs_dirs(xend_t) |
| 662 |
+ fs_manage_nfs_files(xend_t) |
| 663 |
+ fs_read_nfs_symlinks(xend_t) |
| 664 |
+') |
| 665 |
|
| 666 |
-netutils_domtrans(xend_t) |
| 667 |
+tunable_policy(`xen_use_samba',` |
| 668 |
+ fs_manage_cifs_files(xend_t) |
| 669 |
+ fs_manage_cifs_files(xend_t) |
| 670 |
+ fs_read_cifs_symlinks(xend_t) |
| 671 |
+') |
| 672 |
|
| 673 |
optional_policy(` |
| 674 |
brctl_domtrans(xend_t) |
| 675 |
@@ -349,6 +326,27 @@ optional_policy(` |
| 676 |
consoletype_exec(xend_t) |
| 677 |
') |
| 678 |
|
| 679 |
+optional_policy(` |
| 680 |
+ lvm_domtrans(xend_t) |
| 681 |
+') |
| 682 |
+ |
| 683 |
+optional_policy(` |
| 684 |
+ mount_domtrans(xend_t) |
| 685 |
+') |
| 686 |
+ |
| 687 |
+optional_policy(` |
| 688 |
+ netutils_domtrans(xend_t) |
| 689 |
+') |
| 690 |
+ |
| 691 |
+optional_policy(` |
| 692 |
+ ptchown_exec(xend_t) |
| 693 |
+') |
| 694 |
+ |
| 695 |
+optional_policy(` |
| 696 |
+ virt_search_images(xend_t) |
| 697 |
+ virt_read_config(xend_t) |
| 698 |
+') |
| 699 |
+ |
| 700 |
######################################## |
| 701 |
# |
| 702 |
# Xen console local policy |
| 703 |
@@ -361,7 +359,11 @@ allow xenconsoled_t self:fifo_file rw_fifo_file_perms; |
| 704 |
|
| 705 |
allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms; |
| 706 |
|
| 707 |
-# pid file |
| 708 |
+manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
| 709 |
+append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
| 710 |
+create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
| 711 |
+setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t) |
| 712 |
+ |
| 713 |
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) |
| 714 |
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t) |
| 715 |
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file }) |
| 716 |
@@ -390,9 +392,10 @@ term_use_console(xenconsoled_t) |
| 717 |
init_use_fds(xenconsoled_t) |
| 718 |
init_use_script_ptys(xenconsoled_t) |
| 719 |
|
| 720 |
+logging_search_logs(xenconsoled_t) |
| 721 |
+ |
| 722 |
miscfiles_read_localization(xenconsoled_t) |
| 723 |
|
| 724 |
-xen_manage_log(xenconsoled_t) |
| 725 |
xen_stream_connect_xenstore(xenconsoled_t) |
| 726 |
|
| 727 |
optional_policy(` |
| 728 |
@@ -405,25 +408,24 @@ optional_policy(` |
| 729 |
# |
| 730 |
|
| 731 |
allow xenstored_t self:capability { dac_override ipc_lock sys_resource }; |
| 732 |
-allow xenstored_t self:unix_stream_socket create_stream_socket_perms; |
| 733 |
-allow xenstored_t self:unix_dgram_socket create_socket_perms; |
| 734 |
+allow xenstored_t self:unix_stream_socket { accept listen }; |
| 735 |
|
| 736 |
manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) |
| 737 |
manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) |
| 738 |
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) |
| 739 |
|
| 740 |
-# pid file |
| 741 |
+manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) |
| 742 |
manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) |
| 743 |
manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t) |
| 744 |
-files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file }) |
| 745 |
+files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir }) |
| 746 |
|
| 747 |
-# log files |
| 748 |
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
| 749 |
-manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
| 750 |
+append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
| 751 |
+create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
| 752 |
+setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
| 753 |
manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) |
| 754 |
logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir }) |
| 755 |
|
| 756 |
-# var/lib files for xenstored |
| 757 |
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) |
| 758 |
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) |
| 759 |
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t) |
| 760 |
@@ -439,9 +441,9 @@ dev_rw_xen(xenstored_t) |
| 761 |
dev_read_sysfs(xenstored_t) |
| 762 |
|
| 763 |
files_read_etc_files(xenstored_t) |
| 764 |
- |
| 765 |
files_read_usr_files(xenstored_t) |
| 766 |
|
| 767 |
+fs_search_xenfs(xenstored_t) |
| 768 |
fs_manage_xenfs_files(xenstored_t) |
| 769 |
|
| 770 |
term_use_generic_ptys(xenstored_t) |
| 771 |
@@ -460,24 +462,32 @@ xen_append_log(xenstored_t) |
| 772 |
# xm local policy |
| 773 |
# |
| 774 |
|
| 775 |
-allow xm_t self:capability { dac_override ipc_lock sys_tty_config }; |
| 776 |
-allow xm_t self:process { getsched signal }; |
| 777 |
- |
| 778 |
-# internal communication is often done using fifo and unix sockets. |
| 779 |
+allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; |
| 780 |
+allow xm_t self:process { getcap getsched setsched setcap signal }; |
| 781 |
allow xm_t self:fifo_file rw_fifo_file_perms; |
| 782 |
-allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
| 783 |
-allow xm_t self:tcp_socket create_stream_socket_perms; |
| 784 |
+allow xm_t self:unix_stream_socket { accept connectto listen }; |
| 785 |
+allow xm_t self:tcp_socket { accept listen }; |
| 786 |
|
| 787 |
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
| 788 |
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
| 789 |
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) |
| 790 |
-files_search_var_lib(xm_t) |
| 791 |
|
| 792 |
allow xm_t xen_image_t:dir rw_dir_perms; |
| 793 |
allow xm_t xen_image_t:file read_file_perms; |
| 794 |
allow xm_t xen_image_t:blk_file read_blk_file_perms; |
| 795 |
|
| 796 |
+read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t) |
| 797 |
+ |
| 798 |
+xen_manage_image_dirs(xm_t) |
| 799 |
+xen_append_log(xm_t) |
| 800 |
+xen_domtrans(xm_t) |
| 801 |
+xen_stream_connect(xm_t) |
| 802 |
+xen_stream_connect_xenstore(xm_t) |
| 803 |
+ |
| 804 |
+can_exec(xm_t, xm_exec_t) |
| 805 |
+ |
| 806 |
kernel_read_system_state(xm_t) |
| 807 |
+kernel_read_network_state(xm_t) |
| 808 |
kernel_read_kernel_sysctls(xm_t) |
| 809 |
kernel_read_sysctl(xm_t) |
| 810 |
kernel_read_xen_state(xm_t) |
| 811 |
@@ -486,22 +496,33 @@ kernel_write_xen_state(xm_t) |
| 812 |
corecmd_exec_bin(xm_t) |
| 813 |
corecmd_exec_shell(xm_t) |
| 814 |
|
| 815 |
+corenet_all_recvfrom_unlabeled(xm_t) |
| 816 |
+corenet_all_recvfrom_netlabel(xm_t) |
| 817 |
corenet_tcp_sendrecv_generic_if(xm_t) |
| 818 |
corenet_tcp_sendrecv_generic_node(xm_t) |
| 819 |
+ |
| 820 |
+corenet_sendrecv_soundd_client_packets(xm_t) |
| 821 |
corenet_tcp_connect_soundd_port(xm_t) |
| 822 |
+corenet_tcp_sendrecv_soundd_port(xm_t) |
| 823 |
|
| 824 |
+dev_read_rand(xm_t) |
| 825 |
dev_read_urand(xm_t) |
| 826 |
dev_read_sysfs(xm_t) |
| 827 |
|
| 828 |
files_read_etc_runtime_files(xm_t) |
| 829 |
+files_read_etc_files(xm_t) |
| 830 |
files_read_usr_files(xm_t) |
| 831 |
+files_search_pids(xm_t) |
| 832 |
+files_search_var_lib(xm_t) |
| 833 |
files_list_mnt(xm_t) |
| 834 |
-# Some common macros (you might be able to remove some) |
| 835 |
-files_read_etc_files(xm_t) |
| 836 |
+files_list_tmp(xm_t) |
| 837 |
|
| 838 |
fs_getattr_all_fs(xm_t) |
| 839 |
fs_manage_xenfs_dirs(xm_t) |
| 840 |
fs_manage_xenfs_files(xm_t) |
| 841 |
+fs_search_auto_mountpoints(xm_t) |
| 842 |
+ |
| 843 |
+storage_raw_read_fixed_disk(xm_t) |
| 844 |
|
| 845 |
term_use_all_terms(xm_t) |
| 846 |
|
| 847 |
@@ -509,13 +530,33 @@ init_stream_connect_script(xm_t) |
| 848 |
init_rw_script_stream_sockets(xm_t) |
| 849 |
init_use_fds(xm_t) |
| 850 |
|
| 851 |
+logging_send_syslog_msg(xm_t) |
| 852 |
+ |
| 853 |
miscfiles_read_localization(xm_t) |
| 854 |
|
| 855 |
sysnet_dns_name_resolve(xm_t) |
| 856 |
|
| 857 |
-xen_append_log(xm_t) |
| 858 |
-xen_stream_connect(xm_t) |
| 859 |
-xen_stream_connect_xenstore(xm_t) |
| 860 |
+tunable_policy(`xen_use_fusefs',` |
| 861 |
+ fs_manage_fusefs_dirs(xm_t) |
| 862 |
+ fs_manage_fusefs_files(xm_t) |
| 863 |
+ fs_read_fusefs_symlinks(xm_t) |
| 864 |
+') |
| 865 |
+ |
| 866 |
+tunable_policy(`xen_use_nfs',` |
| 867 |
+ fs_manage_nfs_dirs(xm_t) |
| 868 |
+ fs_manage_nfs_files(xm_t) |
| 869 |
+ fs_read_nfs_symlinks(xm_t) |
| 870 |
+') |
| 871 |
+ |
| 872 |
+tunable_policy(`xen_use_samba',` |
| 873 |
+ fs_manage_cifs_files(xm_t) |
| 874 |
+ fs_manage_cifs_files(xm_t) |
| 875 |
+ fs_read_cifs_symlinks(xm_t) |
| 876 |
+') |
| 877 |
+ |
| 878 |
+optional_policy(` |
| 879 |
+ cron_system_entry(xm_t, xm_exec_t) |
| 880 |
+') |
| 881 |
|
| 882 |
optional_policy(` |
| 883 |
dbus_system_bus_client(xm_t) |
| 884 |
@@ -526,16 +567,22 @@ optional_policy(` |
| 885 |
') |
| 886 |
|
| 887 |
optional_policy(` |
| 888 |
+ rpm_exec(xm_t) |
| 889 |
+') |
| 890 |
+ |
| 891 |
+optional_policy(` |
| 892 |
+ vhostmd_rw_tmpfs_files(xm_t) |
| 893 |
+ vhostmd_stream_connect(xm_t) |
| 894 |
+ vhostmd_dontaudit_rw_stream_connect(xm_t) |
| 895 |
+') |
| 896 |
+ |
| 897 |
+optional_policy(` |
| 898 |
virt_domtrans(xm_t) |
| 899 |
virt_manage_images(xm_t) |
| 900 |
virt_manage_config(xm_t) |
| 901 |
virt_stream_connect(xm_t) |
| 902 |
') |
| 903 |
|
| 904 |
-######################################## |
| 905 |
-# |
| 906 |
-# SSH component local policy |
| 907 |
-# |
| 908 |
optional_policy(` |
| 909 |
ssh_basic_client_template(xm, xm_t, system_r) |
| 910 |
|
| 911 |
@@ -546,21 +593,4 @@ optional_policy(` |
| 912 |
|
| 913 |
fs_manage_xenfs_dirs(xm_ssh_t) |
| 914 |
fs_manage_xenfs_files(xm_ssh_t) |
| 915 |
- |
| 916 |
- #Should have a boolean wrapping these |
| 917 |
- fs_list_auto_mountpoints(xend_t) |
| 918 |
- files_search_mnt(xend_t) |
| 919 |
- fs_getattr_all_fs(xend_t) |
| 920 |
- fs_read_dos_files(xend_t) |
| 921 |
- fs_manage_xenfs_dirs(xend_t) |
| 922 |
- fs_manage_xenfs_files(xend_t) |
| 923 |
- |
| 924 |
- tunable_policy(`xen_use_nfs',` |
| 925 |
- fs_manage_nfs_files(xend_t) |
| 926 |
- fs_read_nfs_symlinks(xend_t) |
| 927 |
- ') |
| 928 |
- |
| 929 |
- optional_policy(` |
| 930 |
- unconfined_domain(xend_t) |
| 931 |
- ') |
| 932 |
') |
Archives