| 1 |
commit: 570a767ab83e4540059afccfd833590cecba9a95 |
| 2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
| 3 |
AuthorDate: Mon Oct 30 06:38:45 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Oct 31 05:15:22 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=570a767a |
| 7 |
|
| 8 |
virt: updated perms for starting guests |
| 9 |
|
| 10 |
virtlockd doesnt need ps_process_pattern |
| 11 |
need to relabel to set categories and allow mount root in slave mode |
| 12 |
allow mounting devfs in run |
| 13 |
Already has dac_override so read_search is harmless |
| 14 |
|
| 15 |
libvirt errors: |
| 16 |
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied |
| 17 |
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to switch root mount into slave mode: Permission denied |
| 18 |
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied |
| 19 |
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied |
| 20 |
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Failed to make device /var/run/libvirt/qemu/selinux.dev/null: Permission denied |
| 21 |
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null: Permission denied |
| 22 |
|
| 23 |
avc denials: |
| 24 |
avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0 |
| 25 |
avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 |
| 26 |
avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0 |
| 27 |
avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0 |
| 28 |
|
| 29 |
policy/modules/contrib/virt.te | 33 +++++++++++++++++++++++++-------- |
| 30 |
1 file changed, 25 insertions(+), 8 deletions(-) |
| 31 |
|
| 32 |
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te |
| 33 |
index 1de48461..98d510fd 100644 |
| 34 |
--- a/policy/modules/contrib/virt.te |
| 35 |
+++ b/policy/modules/contrib/virt.te |
| 36 |
@@ -467,8 +467,8 @@ tunable_policy(`virt_use_vfio',` |
| 37 |
# virtd local policy |
| 38 |
# |
| 39 |
|
| 40 |
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; |
| 41 |
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; |
| 42 |
+allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace }; |
| 43 |
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; |
| 44 |
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; |
| 45 |
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; |
| 46 |
allow virtd_t self:tcp_socket { accept listen }; |
| 47 |
@@ -478,7 +478,7 @@ allow virtd_t self:packet_socket create_socket_perms; |
| 48 |
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; |
| 49 |
allow virtd_t self:netlink_route_socket nlmsg_write; |
| 50 |
|
| 51 |
-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; |
| 52 |
+allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill }; |
| 53 |
dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; |
| 54 |
|
| 55 |
allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; |
| 56 |
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") |
| 57 |
allow virtd_t virtd_keytab_t:file read_file_perms; |
| 58 |
|
| 59 |
allow virtd_t svirt_var_run_t:file relabel_file_perms; |
| 60 |
+allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms }; |
| 61 |
manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) |
| 62 |
manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) |
| 63 |
manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) |
| 64 |
@@ -529,9 +530,10 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) |
| 65 |
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) |
| 66 |
|
| 67 |
allow virtd_t virt_image_type:file relabel_file_perms; |
| 68 |
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; |
| 69 |
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; |
| 70 |
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; |
| 71 |
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; |
| 72 |
+allow virtd_t virt_image_type:sock_file manage_sock_file_perms; |
| 73 |
|
| 74 |
allow virtd_t virt_ptynode:chr_file rw_term_perms; |
| 75 |
|
| 76 |
@@ -541,7 +543,14 @@ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) |
| 77 |
|
| 78 |
manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 79 |
manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 80 |
+manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 81 |
+manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 82 |
+manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 83 |
+relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 84 |
+relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 85 |
+relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) |
| 86 |
fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir }) |
| 87 |
+allow virtd_t virt_tmpfs_t:dir mounton; |
| 88 |
|
| 89 |
# This needs a file context specification |
| 90 |
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) |
| 91 |
@@ -571,7 +580,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) |
| 92 |
filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") |
| 93 |
|
| 94 |
stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) |
| 95 |
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) |
| 96 |
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) |
| 97 |
stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) |
| 98 |
stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) |
| 99 |
|
| 100 |
@@ -620,6 +629,9 @@ dev_rw_mtrr(virtd_t) |
| 101 |
dev_rw_vhost(virtd_t) |
| 102 |
dev_setattr_generic_usb_dev(virtd_t) |
| 103 |
dev_relabel_generic_usb_dev(virtd_t) |
| 104 |
+dev_relabel_all_dev_nodes(virtd_t) |
| 105 |
+dev_relabel_generic_symlinks(virtd_t) |
| 106 |
+dev_mounton(virtd_t) |
| 107 |
|
| 108 |
domain_use_interactive_fds(virtd_t) |
| 109 |
domain_read_all_domains_state(virtd_t) |
| 110 |
@@ -629,6 +641,7 @@ files_read_etc_runtime_files(virtd_t) |
| 111 |
files_search_all(virtd_t) |
| 112 |
files_read_kernel_modules(virtd_t) |
| 113 |
files_read_usr_src_files(virtd_t) |
| 114 |
+files_mounton_root(virtd_t) |
| 115 |
|
| 116 |
# Manages /etc/sysconfig/system-config-firewall |
| 117 |
# files_relabelto_system_conf_files(virtd_t) |
| 118 |
@@ -643,6 +656,8 @@ fs_manage_cgroup_dirs(virtd_t) |
| 119 |
fs_rw_cgroup_files(virtd_t) |
| 120 |
fs_manage_hugetlbfs_dirs(virtd_t) |
| 121 |
fs_rw_hugetlbfs_files(virtd_t) |
| 122 |
+fs_read_nsfs_files(virtd_t) |
| 123 |
+fs_mount_tmpfs(virtd_t) |
| 124 |
|
| 125 |
mls_fd_share_all_levels(virtd_t) |
| 126 |
mls_file_read_to_clearance(virtd_t) |
| 127 |
@@ -713,8 +728,6 @@ tunable_policy(`virt_use_samba',` |
| 128 |
|
| 129 |
tunable_policy(`virt_use_vfio',` |
| 130 |
allow virtd_t self:capability sys_resource; |
| 131 |
- allow virtd_t self:process setrlimit; |
| 132 |
- allow virtd_t svirt_t:process rlimitinh; |
| 133 |
dev_relabelfrom_vfio_dev(virtd_t) |
| 134 |
') |
| 135 |
|
| 136 |
@@ -1308,6 +1321,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) |
| 137 |
allow virtlockd_t self:capability dac_override; |
| 138 |
allow virtlockd_t self:fifo_file rw_fifo_file_perms; |
| 139 |
|
| 140 |
+allow virtlockd_t virtd_t:dir list_dir_perms; |
| 141 |
+allow virtlockd_t virtd_t:file read_file_perms; |
| 142 |
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; |
| 143 |
+ |
| 144 |
allow virtlockd_t virt_image_type:dir list_dir_perms; |
| 145 |
allow virtlockd_t virt_image_type:file rw_file_perms; |
| 146 |
|
| 147 |
@@ -1326,7 +1343,7 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) |
| 148 |
|
| 149 |
can_exec(virtlockd_t, virtlockd_exec_t) |
| 150 |
|
| 151 |
-ps_process_pattern(virtlockd_t, virtd_t) |
| 152 |
+kernel_read_system_state(virtlockd_t) |
| 153 |
|
| 154 |
files_read_etc_files(virtlockd_t) |
| 155 |
files_list_var_lib(virtlockd_t) |
Archives