commit: 539bbc9b693447bf2dadb0031b318eb4049ada9b |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Jul 2 18:36:39 2015 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Jul 30 16:44:43 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539bbc9b |
|
qemu: add policy for qemu-guest-agent |
|
policy/modules/contrib/qemu.fc | 9 +++++++++ |
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++ |
2 files changed, 44 insertions(+) |
|
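--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
 /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
 
 /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')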
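--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 vde_connect(qemu_t)
 ')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
 ')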
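Review bot: `allow qemu_ga_t self:capability sys_admin;` grants the broadest capability in this block without a comment saying which agent operation needs it; presumably the filesystem freeze/thaw ioctls the host can request, but that should be confirmed from the AVC denials and recorded next to the rule, e.g. `# sys_admin: presumably fsfreeze/thaw on host request -- confirm against AVC logs`. Because the domain also gets `corecmd_exec_bin`/`corecmd_exec_shell` with no domain transition for what it spawns, anything the host side asks the agent to run executes in qemu_ga_t with that capability, so the rest of the domain's permissions should stay as tight as they are here. `userdom_use_user_terminals(qemu_ga_t)` looks out of place for an init_system_domain started by the init system — it opens user ttys/ptys to the agent — and should either be dropped or justified with a comment if it was only needed while running the agent by hand in a terminal. The enclosing `ifdef(`distro_gentoo',`` block begins before this hunk.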