Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Sun, 30 Apr 2017 09:41:12
Message-Id: 1493544711.53b8a092b78b1f48530145ef0d62cbfeccf47cb0.perfinion@gentoo
1 commit: 53b8a092b78b1f48530145ef0d62cbfeccf47cb0
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Wed Aug 31 15:03:49 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Apr 30 09:31:51 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53b8a092
7
8 WIP virt: image type perms
9
10 policy/modules/contrib/virt.te | 7 +++----
11 1 file changed, 3 insertions(+), 4 deletions(-)
12
13 diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
14 index 0f82a04e..5df86d7b 100644
15 --- a/policy/modules/contrib/virt.te
16 +++ b/policy/modules/contrib/virt.te
17 @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
18 #
19
20 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
21 -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
22 +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
23 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
24 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
25 allow virtd_t self:tcp_socket { accept listen };
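Review bot: `setrlimit` in the `virtd_t self:process` rule is now granted on every system, where before it was only allowed inside the virt_use_vfio tunable block (the last hunk removes it there), and neither the commit message nor the policy says why. SELinux checks this permission when a process changes a hard resource limit, and `sys_resource` stays behind the tunable, so by default virtd_t can presumably only lower hard limits; that reasoning should be recorded next to the rule. I would add a comment above it such as `# setrlimit is unconditional because <reason>; raising hard limits still needs sys_resource (virt_use_vfio)`.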
26 @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
27 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
28
29 allow virtd_t virt_image_type:file relabel_file_perms;
30 +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
31 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
32 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
33 -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
34
35 allow virtd_t virt_ptynode:chr_file rw_term_perms;
36
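Review bot: The new `virt_image_type:dir` rule grants `manage_dir_perms` together with `relabel_dir_perms`, whereas the neighbouring file, blk_file and chr_file rules grant only the relabel set and leave management to the `manage_*_pattern` calls above. Those calls start outside this hunk, so I cannot tell whether a `manage_dirs_pattern(virtd_t, virt_image_type, virt_image_type)` is already present. If it is, the manage half is redundant and the rule can be `allow virtd_t virt_image_type:dir relabel_dir_perms;`. Because `virt_image_type` is an attribute, the relabel permission covers directories of every image type, so a short comment naming the directories libvirtd has to relabel would help before this leaves WIP.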
37 @@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
38 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
39
40 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
41 -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
42 +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)
43 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
44 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
45
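Review bot: Adding `virt_image_type` to both the directory and socket-file arguments of the `virt_domain` `stream_connect_pattern` lets virtd_t connect through a socket file carrying any image label, not only `svirt_var_run_t`. The commit does not say which sockets are expected to live under image-labelled directories, so the widening cannot be checked against a concrete need. A comment such as `# <which guest sockets are created under image directories>` above the line would fix that. If only one image type is involved, naming that type instead of the attribute would be narrower. The second set is also missing a space before its closing brace: `{ virt_image_type svirt_var_run_t }`.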
46 @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
47
48 tunable_policy(`virt_use_vfio',`
49 allow virtd_t self:capability sys_resource;
50 - allow virtd_t self:process setrlimit;
51 allow virtd_t svirt_t:process rlimitinh;
52 dev_relabelfrom_vfio_dev(virtd_t)
53 ')