
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Mon, 27 Feb 2017 11:40:26
Message-Id: 1488195161.7607e67783d8ae44493ce4f3a45abf1c80916be2.perfinion@gentoo
1 commit: 7607e67783d8ae44493ce4f3a45abf1c80916be2
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Thu May 12 16:49:07 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 27 11:32:41 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7607e677
7
8 virt: add policy for virtlogd
9
10 policy/modules/contrib/virt.fc | 1 +
11 policy/modules/contrib/virt.te | 42 ++++++++++++++++++++++++++++++++++++++++++
12 2 files changed, 43 insertions(+)
13
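--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 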
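--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh)
+	init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh)
+	init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
 ')
 
 ########################################
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+########################################
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)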
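Review bot: The three `allow virtlogd_t virtd_t:{dir,file,lnk_file}` rules in the last hunk grant virtlogd read access to libvirtd's process entries (a domain type on the dir/file/lnk_file classes labels that domain's /proc/<pid> tree), but nothing records why virtlogd needs to inspect its peer; add a comment above them such as `# read /proc/<pid> of the connecting libvirtd, presumably for peer validation` so a later cleanup neither widens nor drops them blindly. The fourth hunk lets virtd_t connect to the virtlogd socket and the last hunk lets virtlogd create and label that socket under virt_var_run_t, yet the new block carries no `self:unix_stream_socket` permission, so unless that comes from a rule outside the hunk or from the virtlockd block just above (not visible here) the daemon may be unable to create, listen on and accept its listening socket; please verify against the virtlockd block. `can_exec(virtlogd_t, virtlogd_exec_t)` would also benefit from a one-line comment stating why the daemon executes its own binary, since a self-exec grant is easy to mistake for a copy-paste leftover.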