
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Sat, 25 Feb 2017 14:59:46
Message-Id: 1488034253.a0d699a7a8da9ce12233029519efd3581c448ad4.perfinion@gentoo
1 commit: a0d699a7a8da9ce12233029519efd3581c448ad4
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Fri Feb 24 01:31:35 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 25 14:50:53 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7
7
8 Xen fixes from Russell Coker.
9
10 policy/modules/contrib/qemu.fc | 2 ++
11 policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++
12 policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++-
13 policy/modules/contrib/xen.fc | 4 ++++
14 policy/modules/contrib/xen.if | 28 +++++++++++++++++++++++++++
15 policy/modules/contrib/xen.te | 44 +++++++++++++++++++++++++++++++++++++++---
16 6 files changed, 134 insertions(+), 4 deletions(-)
17
18 diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
19 index db9ff368..122ca70f 100644
20 --- a/policy/modules/contrib/qemu.fc
21 +++ b/policy/modules/contrib/qemu.fc
22 @@ -7,6 +7,8 @@
23
24 /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
25
26 +/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
27 +
28 ifdef(`distro_gentoo',`
29 /usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
30
31
32 diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
33 index efdc5286..b6d8e1c2 100644
34 --- a/policy/modules/contrib/qemu.if
35 +++ b/policy/modules/contrib/qemu.if
36 @@ -264,6 +264,44 @@ interface(`qemu_kill',`
37
38 ########################################
39 ## <summary>
40 +## Connect to qemu with a unix
41 +## domain stream socket.
42 +## </summary>
43 +## <param name="domain">
44 +## <summary>
45 +## Domain allowed access.
46 +## </summary>
47 +## </param>
48 +#
49 +interface(`qemu_stream_connect',`
50 + gen_require(`
51 + type qemu_t, qemu_var_run_t;
52 + ')
53 +
54 + files_search_pids($1)
55 + stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
56 +')
57 +
58 +########################################
59 +## <summary>
60 +## Unlink qemu socket
61 +## </summary>
62 +## <param name="domain">
63 +## <summary>
64 +## Domain allowed access.
65 +## </summary>
66 +## </param>
67 +#
68 +interface(`qemu_delete_pid_sock_file',`
69 + gen_require(`
70 + type qemu_var_run_t;
71 + ')
72 +
73 + allow $1 qemu_var_run_t:sock_file unlink;
74 +')
75 +
76 +########################################
77 +## <summary>
78 ## Execute a domain transition to
79 ## run qemu unconfined.
80 ## </summary>
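Review bot: Neither new interface grants access to the directory the QMP socket actually lives in, and neither summary says so. `qemu_stream_connect` relies on `stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)`, whose directory argument is `qemu_var_run_t`, but the socket is created under /run/xen (`xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` in qemu.te, a directory xen.fc labels `xend_var_run_t`), so `files_search_pids($1)` stops one level short; likewise `qemu_delete_pid_sock_file` grants `sock_file unlink` without the `dir remove_name` on that parent that unlink also needs. The xm_t caller happens to receive `rw_dir_perms` on `xend_var_run_t` in xen.te, so it works there, but any other caller would hit denials the interface name gives no hint of. I would add to both summaries a line such as `## The socket lives in the xend_var_run_t pid directory; the caller must obtain search (and, for unlink, remove_name) on that directory from the xen module.`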
81
82 diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
83 index 9dc09977..b2c843f5 100644
84 --- a/policy/modules/contrib/qemu.te
85 +++ b/policy/modules/contrib/qemu.te
86 @@ -1,4 +1,4 @@
87 -policy_module(qemu, 1.9.0)
88 +policy_module(qemu, 1.9.1)
89
90 ########################################
91 #
92 @@ -25,11 +25,21 @@ role qemu_roles types qemu_t;
93 type qemu_unit_t;
94 init_unit_file(qemu_unit_t)
95
96 +type qemu_var_run_t;
97 +files_pid_file(qemu_var_run_t);
98 +
99 ########################################
100 #
101 # Local policy
102 #
103
104 +kernel_read_crypto_sysctls(qemu_t)
105 +
106 +dev_read_sysfs(qemu_t)
107 +
108 +allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
109 +files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
110 +
111 tunable_policy(`qemu_full_network',`
112 corenet_udp_sendrecv_generic_if(qemu_t)
113 corenet_udp_sendrecv_generic_node(qemu_t)
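Review bot: `files_pid_file(qemu_var_run_t);` carries a trailing semicolon that no other interface call in this file uses (`init_unit_file(qemu_unit_t)` a few lines up has none) and that is not refpolicy style; write it as `files_pid_file(qemu_var_run_t)`. The three unconditional additions `kernel_read_crypto_sysctls(qemu_t)`, `dev_read_sysfs(qemu_t)` and the unnamed `sock_file` transition in generic pid directories widen every qemu_t instance, not just the Xen device model, and nothing in the hunk says what needs them. A why-comment on each would let the next reader judge the scope, e.g. `# read at start-up by qemu itself, not Xen-specific` if that is indeed the case — the diff alone does not show which binary triggers these accesses.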
114 @@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',`
115 ')
116
117 optional_policy(`
118 + fs_manage_xenfs_files(qemu_t)
119 +
120 + dev_rw_xen(qemu_t)
121 +
122 + xen_stream_connect_xenstore(qemu_t)
123 + xen_append_log(qemu_t)
124 + xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
125 +')
126 +
127 +optional_policy(`
128 xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
129 ')
130
131
132 diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
133 index 657a94ac..be0374df 100644
134 --- a/policy/modules/contrib/xen.fc
135 +++ b/policy/modules/contrib/xen.fc
136 @@ -5,6 +5,7 @@
137 /usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
138 /usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
139 /usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
140 +/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
141
142 /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
143 /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
144 @@ -20,6 +21,8 @@
145 /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
146 /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
147
148 +/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
149 +
150 /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
151 /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
152 /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
153 @@ -30,6 +33,7 @@
154 /run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
155 /run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
156 /run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
157 +/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
158 /run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
159 /run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
160 /run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
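Review bot: `/run/xen -d` labels only the directory itself, so nothing created inside it is covered by file_contexts apart from the `qmp.*` sockets qemu.fc adds; after a full relabel any other file or socket under /run/xen keeps whatever label it had. If the intent is that /run/xen content is `xend_var_run_t` by default, `/run/xen(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)` matches the existing `/run/xend(/.*)?` line above it, and the more specific qmp entry should still win for the sockets since file_contexts are matched by specificity. Note also that qemu.fc spells the same directory `/var/run/xen`, so the two files should be made to agree on the path.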
161
162 diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
163 index f93558c5..44116292 100644
164 --- a/policy/modules/contrib/xen.if
165 +++ b/policy/modules/contrib/xen.if
166 @@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
167
168 ########################################
169 ## <summary>
170 +## Create in a xend_var_run_t directory
171 +## </summary>
172 +## <param name="domain">
173 +## <summary>
174 +## Domain allowed access.
175 +## </summary>
176 +## </param>
177 +## <param name="private type">
178 +## <summary>
179 +## The type of the object to be created.
180 +## </summary>
181 +## </param>
182 +## <param name="object">
183 +## <summary>
184 +## The object class of the object being created.
185 +## </summary>
186 +## </param>
187 +#
188 +interface(`xen_pid_filetrans',`
189 + gen_require(`
190 + type xend_var_run_t;
191 + ')
192 +
193 + filetrans_pattern($1, xend_var_run_t, $2, $3)
194 +')
195 +
196 +########################################
197 +## <summary>
198 ## Execute a domain transition to run xm.
199 ## </summary>
200 ## <param name="domain">
201
202 diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
203 index 383c00a7..0d680116 100644
204 --- a/policy/modules/contrib/xen.te
205 +++ b/policy/modules/contrib/xen.te
206 @@ -1,4 +1,4 @@
207 -policy_module(xen, 1.15.0)
208 +policy_module(xen, 1.15.1)
209
210 ########################################
211 #
212 @@ -75,6 +75,9 @@ type xend_t;
213 type xend_exec_t;
214 init_daemon_domain(xend_t, xend_exec_t)
215
216 +type xen_lock_t;
217 +files_lock_file(xen_lock_t)
218 +
219 type xend_tmp_t;
220 files_tmp_file(xend_tmp_t)
221
222 @@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
223 kernel_read_xen_state(xend_t)
224 kernel_rw_net_sysctls(xend_t)
225 kernel_read_network_state(xend_t)
226 +kernel_read_vm_sysctls(xend_t)
227
228 corecmd_exec_bin(xend_t)
229 corecmd_exec_shell(xend_t)
230 @@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
231 fs_manage_xenfs_files(xend_t)
232
233 storage_read_scsi_generic(xend_t)
234 +# for lsscsi
235 +storage_getattr_fixed_disk_dev(xend_t)
236
237 term_setattr_generic_ptys(xend_t)
238 term_getattr_all_ptys(xend_t)
239 @@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
240 kernel_write_xen_state(xenstored_t)
241 kernel_read_xen_state(xenstored_t)
242
243 +corecmd_search_bin(xenstored_t)
244 +
245 dev_filetrans_xen(xenstored_t)
246 dev_rw_xen(xenstored_t)
247 dev_read_sysfs(xenstored_t)
248 @@ -470,12 +478,19 @@ xen_append_log(xenstored_t)
249 # xm local policy
250 #
251
252 -allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
253 -allow xm_t self:process { getcap getsched setsched setcap signal };
254 +allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
255 +allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
256 allow xm_t self:fifo_file rw_fifo_file_perms;
257 allow xm_t self:unix_stream_socket { accept connectto listen };
258 allow xm_t self:tcp_socket { accept listen };
259
260 +allow xm_t xend_var_run_t:dir rw_dir_perms;
261 +
262 +allow xm_t xen_lock_t:file manage_file_perms;
263 +files_lock_filetrans(xm_t, xen_lock_t, file)
264 +
265 +manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
266 +
267 manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
268 manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
269 manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
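Review bot: The capability line now gives xm_t `net_admin` and the process line `sigkill`, with no comment saying what xl does that needs them; `net_admin` lets xm_t reconfigure any interface, route or netfilter state in dom0, and the only hint in this commit is the later `sysnet_domtrans_ifconfig`/`iptables_domtrans` additions, which already run those tools in their own domains. If the capability is needed for something xl does itself (vif/bridge setup over netlink, presumably), say so: `# net_admin: xl configures vif/bridge devices directly; sigkill: xl destroy kills the device model`, otherwise drop it and rely on the transitions. `manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` also lets a management command truncate and delete the Xen logs, whereas refpolicy normally gives log writers create and append only; if xl only writes its own per-domain log files, a create/append rule would be the narrower grant.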
270 @@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t)
271
272 can_exec(xm_t, xm_exec_t)
273
274 +kernel_load_module(xm_t)
275 +kernel_request_load_module(xm_t)
276 kernel_read_system_state(xm_t)
277 kernel_read_network_state(xm_t)
278 kernel_read_kernel_sysctls(xm_t)
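Review bot: `kernel_load_module(xm_t)` hands the management tool the ability to insert modules into dom0 itself (in refpolicy it carries `sys_module`, if I read the interface right), while `kernel_request_load_module(xm_t)` on the next line already covers the usual case of a tool opening a device and letting the kernel autoload the backend through kmod. Unless xl really runs modprobe/insmod itself, the first line is the one to drop. If it does, a comment naming which modules it loads would justify the grant, e.g. `# xl loads the xen backend modules directly when creating guests` — confirm against the actual modprobe calls before keeping it.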
279 @@ -517,8 +534,11 @@ dev_read_rand(xm_t)
280 dev_read_urand(xm_t)
281 dev_read_sysfs(xm_t)
282
283 +domain_use_interactive_fds(xm_t)
284 +
285 files_read_etc_runtime_files(xm_t)
286 files_read_etc_files(xm_t)
287 +files_read_kernel_img(xm_t)
288 files_read_usr_files(xm_t)
289 files_search_pids(xm_t)
290 files_search_var_lib(xm_t)
291 @@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t)
292 miscfiles_read_localization(xm_t)
293
294 sysnet_dns_name_resolve(xm_t)
295 +sysnet_domtrans_ifconfig(xm_t)
296 +
297 +# for vif-bridge to write to /run/xen-hotplug/iptables
298 +# maybe we need a different label for /run/xen-hotplug
299 +udev_manage_pid_files(xm_t)
300 +
301 +userdom_dontaudit_search_user_home_content(xm_t)
302
303 tunable_policy(`xen_use_fusefs',`
304 fs_manage_fusefs_dirs(xm_t)
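Review bot: `udev_manage_pid_files(xm_t)` grants the Xen management domain create/write/delete over all of udev's runtime state, far more than the single `/run/xen-hotplug/iptables` file the comment above it names, and the comment itself admits the real fix is a label of its own. I would give the directory a dedicated type rather than leave the TODO: `type xen_hotplug_var_run_t;` with `files_pid_file(xen_hotplug_var_run_t)` in the declarations, an fc entry for `/run/xen-hotplug(/.*)?` in xen.fc, and `manage_files_pattern(xm_t, xen_hotplug_var_run_t, xen_hotplug_var_run_t)` here in place of the udev call. Whether the file currently ends up `udev_var_run_t` because the hotplug script is spawned by udev is not visible in the diff, so the creating domain may need a matching filetrans as well. `sysnet_domtrans_ifconfig(xm_t)` and the `userdom_dontaudit_search_user_home_content` line could each use a one-line why-comment like the iptables one.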
305 @@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',`
306 ')
307
308 optional_policy(`
309 + qemu_domtrans(xm_t)
310 + qemu_signal(xm_t)
311 + qemu_stream_connect(xm_t)
312 + qemu_delete_pid_sock_file(xm_t)
313 +')
314 +
315 +optional_policy(`
316 + iptables_domtrans(xm_t)
317 +')
318 +
319 +optional_policy(`
320 cron_system_entry(xm_t, xm_exec_t)
321 ')