commit: 570a767ab83e4540059afccfd833590cecba9a95 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Mon Oct 30 06:38:45 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Tue Oct 31 05:15:22 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=570a767a |
|
virt: updated perms for starting guests |
|
virtlockd doesn't need ps_process_pattern |
need to relabel to set categories and allow mount root in slave mode |
allow mounting devfs in run |
Already has dac_override so read_search is harmless |
|
libvirt errors: |
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied |
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to switch root mount into slave mode: Permission denied |
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied |
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied |
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Failed to make device /var/run/libvirt/qemu/selinux.dev/null: Permission denied |
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null: Permission denied |
|
avc denials: |
avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0 |
avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 |
avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0 |
avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0 |
|
policy/modules/contrib/virt.te | 33 +++++++++++++++++++++++++-------- |
1 file changed, 25 insertions(+), 8 deletions(-) |
|
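--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -467,8 +467,8 @@ tunable_policy(`virt_use_vfio',`
 # virtd local policy
 #
 
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -478,7 +478,7 @@ allow virtd_t self:packet_socket create_socket_perms;
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow virtd_t self:netlink_route_socket nlmsg_write;
 
-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill };
 dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
 
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto };
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
@@ -529,9 +530,10 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -541,7 +543,14 @@ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
 manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
 fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+allow virtd_t virt_tmpfs_t:dir mounton;
 
 # This needs a file context specification
 manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
@@ -571,7 +580,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -620,6 +629,9 @@ dev_rw_mtrr(virtd_t)
 dev_rw_vhost(virtd_t)
 dev_setattr_generic_usb_dev(virtd_t)
 dev_relabel_generic_usb_dev(virtd_t)
+dev_relabel_all_dev_nodes(virtd_t)
+dev_relabel_generic_symlinks(virtd_t)
+dev_mounton(virtd_t)
 
 domain_use_interactive_fds(virtd_t)
 domain_read_all_domains_state(virtd_t)
@@ -629,6 +641,7 @@ files_read_etc_runtime_files(virtd_t)
 files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
+files_mounton_root(virtd_t)
 
 # Manages /etc/sysconfig/system-config-firewall
 # files_relabelto_system_conf_files(virtd_t)
@@ -643,6 +656,8 @@ fs_manage_cgroup_dirs(virtd_t)
 fs_rw_cgroup_files(virtd_t)
 fs_manage_hugetlbfs_dirs(virtd_t)
 fs_rw_hugetlbfs_files(virtd_t)
+fs_read_nsfs_files(virtd_t)
+fs_mount_tmpfs(virtd_t)
 
 mls_fd_share_all_levels(virtd_t)
 mls_file_read_to_clearance(virtd_t)
@@ -713,8 +728,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
 	allow virtd_t self:capability sys_resource;
-	allow virtd_t self:process setrlimit;
-	allow virtd_t svirt_t:process rlimitinh;
 	dev_relabelfrom_vfio_dev(virtd_t)
 ')
 
@@ -1308,6 +1321,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,7 +1343,7 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
+kernel_read_system_state(virtlockd_t)
 
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)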
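Review bot: The capability line in the first hunk (@@ -467) also adds sys_ptrace, sys_chroot and fsetid to virtd_t, yet neither the commit message nor the quoted libvirt errors and AVC denials mention them — dac_read_search is the only new capability the message accounts for, and unexplained capability grants on a daemon that launches guests are hard to audit later. Either drop the ones no denial requires or justify them in a comment above the line, e.g. `# sys_chroot/sys_ptrace/fsetid: required by <libvirt code path — fill in>`. In the @@ -620 hunk, `dev_relabel_all_dev_nodes(virtd_t)` is likewise broader than the quoted denials, which are all on virt_tmpfs_t chr_file and are already covered by the `relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)` line added in the @@ -541 hunk, so a narrower interface or a comment naming the device nodes that actually need relabeling would keep the policy tight. Finally, in the @@ -478 hunk `rlimitinh` is now allowed on the line directly above a dontaudit that still lists it; the dontaudit can shrink to `dontaudit virtd_t virt_domain:process { siginh noatsecure };`.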