
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
Date: Sat, 03 Sep 2022 19:54:10
Message-Id: 1662232069.813eb9b92bf4f592dcedf24a2e18d2645d07ea4a.perfinion@gentoo
1 commit: 813eb9b92bf4f592dcedf24a2e18d2645d07ea4a
2 Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
3 AuthorDate: Wed Aug 17 17:54:09 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 3 19:07:49 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9
7
8 hypervkvp: Port updated module from Fedora policy.
9
10 Change to refpolicy interfaces and fix optional blocks.
11
12 Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/modules/kernel/devices.fc | 3 +
16 policy/modules/kernel/devices.if | 36 ++++++++
17 policy/modules/kernel/devices.te | 9 ++
18 policy/modules/kernel/files.if | 18 ++++
19 policy/modules/services/dbus.if | 19 +++++
20 policy/modules/services/hypervkvp.fc | 8 +-
21 policy/modules/services/hypervkvp.te | 154 +++++++++++++++++++++++++++++++++--
22 policy/modules/system/sysnetwork.if | 18 ++++
23 8 files changed, 258 insertions(+), 7 deletions(-)
24
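--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -196,6 +196,9 @@ ifdef(`distro_suse', `
 /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
 
+/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hyperv_kvp_device_t,s0)
+/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hyperv_vss_device_t,s0)
+
 /dev/wmi/dell-smbios -c gen_context(system_u:object_r:acpi_bios_t,s0)
 
 /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)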
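--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',`
 rw_chr_files_pattern($1, device_t, framebuf_device_t)
 ')
 
+########################################
+## <summary>
+## Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_kvp',`
+ gen_require(`
+ type device_t, hyperv_kvp_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t)
+')
+
+########################################
+## <summary>
+## Allow read/write the hypervvssd device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_vss',`
+ gen_require(`
+ type device_t, hyperv_vss_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
+')
+
 ########################################
 ## <summary>
 ## Read the kernel messages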
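Review bot: The summaries of the two new interfaces are inconsistent with each other and with the usual refpolicy phrasing: `dev_rw_hyperv_kvp` names the device ("the hypervkvp device") while `dev_rw_hyperv_vss` names the daemon ("the hypervvssd device"), and both use "Allow read/write" where interface summaries normally describe the access as a verb phrase. Suggest `## Read and write the Hyper-V KVP device.` and `## Read and write the Hyper-V VSS device.` respectively, which also matches what the rw_chr_files_pattern rules actually grant.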
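--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -122,6 +122,15 @@ dev_node(freefall_device_t)
 type gpiochip_device_t;
 dev_node(gpiochip_device_t)
 
+#
+# Types for Hyper-V guest devices
+#
+type hyperv_kvp_device_t;
+dev_node(hyperv_kvp_device_t)
+
+type hyperv_vss_device_t;
+dev_node(hyperv_vss_device_t)
+
 #
 # Type for /dev/infiniband/*
 #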
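--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
 dontaudit $1 mountpoint:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+## Check if all mountpoints are writable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir write;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to write to mount points.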
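Review bot: The summary of `files_write_all_mountpoints` reads "Check if all mountpoints are writable.", but the rule `allow $1 mountpoint:dir write;` grants the directory write permission itself on every mount point, not a probe, so a reader of the interface will underestimate the grant. Suggest `## Write to all mount point directories.` for the summary; if the motivating use is only an access(2) W_OK check, that check is evaluated against the same `dir write` permission, so the narrower wording would still be accurate to mention as a second sentence, but the grant stays what it is. Note also that `write` alone on a directory does not include add_name/remove_name, so a caller that actually creates or removes entries needs more than this interface provides.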
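--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
 allow $1 system_dbusd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+## Read system bus runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_files',`
+ gen_require(`
+ type system_dbusd_runtime_t;
+ ')
+
+ allow $1 system_dbusd_runtime_t:file read;
+')
+
+
 ########################################
 ## <summary>
 ## List system bus runtime directories.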
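Review bot: `allow $1 system_dbusd_runtime_t:file read;` grants only the bare `read` permission, without `open`, `getattr` or `ioctl`, so on a policy with open_perms enabled (refpolicy's default) a domain using this interface cannot open such a file itself and can only read an already-inherited descriptor. Unless that narrow grant is the intent, use the refpolicy pattern `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)`, which grants read_file_perms plus search on the directory, the way `sysnet_manage_dhcpc_runtime_files` in this same commit uses manage_files_pattern; if the narrow grant is deliberate, say so in the summary. There is also a doubled blank line before the next interface header at the end of the hunk where the file otherwise uses one.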
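--- a/policy/modules/services/hypervkvp.fc
+++ b/policy/modules/services/hypervkvp.fc
@@ -1,5 +1,9 @@
 /etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
 
-/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervkvpd.* -- gen_context(system_u:object_r:hypervkvpd_unit_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_t,s0)
 
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvpd_var_lib_t,s0)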
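Review bot: Dropping the `/usr/bin/hv_kvp_daemon` and `/usr/sbin/hv_kvp_daemon` entries leaves any installation that ships the upstream kernel-tools binary names (hv_kvp_daemon, hv_vss_daemon) with no entrypoint label, so those daemons would stay in the init domain instead of transitioning to hypervkvpd_t/hypervvssd_t; the hypervkvpd/hypervvssd spellings are the Fedora package's, and this tree is not Fedora-only. I'd keep both spellings: `/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)` and `/usr/sbin/hv_vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)`. Separately, the unit-file patterns `hypervkvpd.*` and `hypervvssd.*` have an unescaped dot, so they also match e.g. a hypervkvpd-something.service; `hypervkvpd\.service` is the tighter form if only the unit itself is meant.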
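--- a/policy/modules/services/hypervkvp.te
+++ b/policy/modules/services/hypervkvp.te
@@ -1,28 +1,172 @@
-policy_module(hypervkvp)
+policy_module(hypervkvp, 1.0.0)
 
 ########################################
 #
 # Declarations
 #
 
-type hypervkvpd_t;
+attribute hyperv_domain;
+
+type hypervkvpd_t, hyperv_domain;
 type hypervkvpd_exec_t;
 init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
 
 type hypervkvpd_initrc_exec_t;
 init_script_file(hypervkvpd_initrc_exec_t)
 
+type hypervkvpd_unit_t;
+init_unit_file(hypervkvpd_unit_t)
+
+type hypervkvpd_var_lib_t;
+files_type(hypervkvpd_var_lib_t)
+
+type hypervkvpd_tmp_t;
+files_tmpfs_file(hypervkvpd_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_t;
+init_unit_file(hypervvssd_unit_t)
+
 ########################################
 #
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
 #
+# hypervkvp local policy
 #
 
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvpd_t self:capability sys_ptrace;
+allow hypervkvpd_t self:process setfscreate;
+allow hypervkvpd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+manage_files_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+files_var_lib_filetrans(hypervkvpd_t, hypervkvpd_var_lib_t, dir)
+
+manage_files_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvpd_t)
+kernel_read_network_state(hypervkvpd_t)
+kernel_request_load_module(hypervkvpd_t)
+kernel_rw_net_sysctls(hypervkvpd_t)
+
+corecmd_getattr_all_executables(hypervkvpd_t)
+
+dev_rw_hyperv_kvp(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+seutil_exec_setfiles(hypervkvpd_t)
+seutil_read_file_contexts(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+dev_read_urand(hypervkvpd_t)
+
+files_dontaudit_search_home(hypervkvpd_t)
+files_dontaudit_getattr_non_security_files(hypervkvpd_t)
+
+fs_getattr_all_fs(hypervkvpd_t)
+fs_list_hugetlbfs(hypervkvpd_t)
+
+auth_use_nsswitch(hypervkvpd_t)
 
 logging_send_syslog_msg(hypervkvpd_t)
+logging_read_syslog_config(hypervkvpd_t)
+
+libs_exec_ldconfig(hypervkvpd_t)
 
 miscfiles_read_localization(hypervkvpd_t)
 
+modutils_domtrans(hypervkvpd_t)
+
+seutil_domtrans_setfiles(hypervkvpd_t)
+
 sysnet_dns_name_resolve(hypervkvpd_t)
+sysnet_domtrans_dhcpc(hypervkvpd_t)
+sysnet_domtrans_ifconfig(hypervkvpd_t)
+
+sysnet_manage_dhcpc_runtime_files(hypervkvpd_t)
+sysnet_signal_dhcpc(hypervkvpd_t)
+sysnet_manage_config(hypervkvpd_t)
+sysnet_read_dhcpc_state(hypervkvpd_t)
+sysnet_read_dhcp_config(hypervkvpd_t)
+sysnet_etc_filetrans_config(hypervkvpd_t)
+
+systemd_exec_systemctl(hypervkvpd_t)
+
+userdom_dontaudit_search_user_home_dirs(hypervkvpd_t)
+
+optional_policy(`
+ brctl_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+ dbus_read_system_bus_runtime_files(hypervkvpd_t)
+ dbus_system_bus_client(hypervkvpd_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(hypervkvpd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_read_runtime_files(hypervkvpd_t)
+ networkmanager_dbus_chat(hypervkvpd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(hypervkvpd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(hypervkvpd_t)
+ netutils_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(hypervkvpd_t)
+')
+
+optional_policy(`
+ rpm_exec(hypervkvpd_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hyperv_vss(hypervvssd_t)
+
+files_list_boot(hypervvssd_t)
+
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
+
+logging_send_syslog_msg(hypervvssd_t)
+
+miscfiles_read_localization(hypervvssd_t)
+
+storage_raw_read_fixed_disk(hypervvssd_t)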
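Review bot: `hypervkvpd_tmp_t` is declared with `files_tmpfs_file(hypervkvpd_tmp_t)`, but the only transition into it is `files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })`, i.e. creation under /tmp, so the declaration should be `files_tmp_file(hypervkvpd_tmp_t)` (or the filetrans should target tmpfs) — as written the type carries the wrong attribute for where its instances are created. `domain_read_all_domains_state(hypervkvpd_t)` is called twice in the hypervkvp block, once before and once after the seutil calls; drop one. The commit message says optional blocks were fixed, yet `sysnet_exec_ifconfig(hypervkvpd_t)` is still wrapped in `optional_policy` while a dozen unconditional `sysnet_*` calls sit in the same block, and it coexists with `sysnet_domtrans_ifconfig(hypervkvpd_t)` — the same exec-plus-domtrans pairing as `seutil_exec_setfiles`/`seutil_domtrans_setfiles`; keep one form per program, since with the domain transition in place the in-domain exec only applies to callers that deliberately suppress the transition. The `1.0.0` argument added to `policy_module` also looks carried over from the Fedora source: the removed line shows the versionless `policy_module(hypervkvp)` form, which is presumably what the rest of this tree uses.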
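--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -614,6 +614,24 @@ interface(`sysnet_delete_dhcpc_runtime_files',`
 allow $1 dhcpc_runtime_t:file unlink;
 ')
 
+#######################################
+## <summary>
+## Create, read, write, and delete dhcp client runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_runtime_files',`
+ gen_require(`
+ type dhcpc_runtime_t;
+ ')
+
+ manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t)
+')
+
 #######################################
 ## <summary>
 ## Execute ifconfig in the ifconfig domain.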