From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BA27D139694 for ; Sat, 25 Feb 2017 14:52:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 17F66E0D29; Sat, 25 Feb 2017 14:51:59 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DC359E0D29 for ; Sat, 25 Feb 2017 14:51:58 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 98B953415D2 for ; Sat, 25 Feb 2017 14:51:46 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 6B27A543C for ; Sat, 25 Feb 2017 14:51:43 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1488034253.a0d699a7a8da9ce12233029519efd3581c448ad4.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/qemu.fc policy/modules/contrib/qemu.if policy/modules/contrib/qemu.te policy/modules/contrib/xen.fc policy/modules/contrib/xen.if policy/modules/contrib/xen.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: a0d699a7a8da9ce12233029519efd3581c448ad4 X-VCS-Branch: master Date: Sat, 25 Feb 2017 14:51:43 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 3671227c-f7e6-4bc6-8754-16e009a9df37 X-Archives-Hash: 5d221002cc4b67797669c6172c16ecb9 commit: a0d699a7a8da9ce12233029519efd3581c448ad4 Author: Chris PeBenito ieee org> AuthorDate: Fri Feb 24 01:31:35 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:50:53 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7 Xen fixes from Russell Coker. policy/modules/contrib/qemu.fc | 2 ++ policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++ policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++- policy/modules/contrib/xen.fc | 4 ++++ policy/modules/contrib/xen.if | 28 +++++++++++++++++++++++++++ policy/modules/contrib/xen.te | 44 +++++++++++++++++++++++++++++++++++++++--- 6 files changed, 134 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc index db9ff368..122ca70f 100644 --- a/policy/modules/contrib/qemu.fc +++ b/policy/modules/contrib/qemu.fc 
@@ -7,6 +7,8 @@ /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) + ifdef(`distro_gentoo',` /usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0) diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if index efdc5286..b6d8e1c2 100644 --- a/policy/modules/contrib/qemu.if +++ b/policy/modules/contrib/qemu.if @@ -264,6 +264,44 @@ interface(`qemu_kill',` ######################################## ## +## Connect to qemu with a unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_stream_connect',` + gen_require(` + type qemu_t, qemu_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t) +') + +######################################## +## +## Unlink qemu socket +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_delete_pid_sock_file',` + gen_require(` + type qemu_var_run_t; + ') + + allow $1 qemu_var_run_t:sock_file unlink; +') + +######################################## +## ## Execute a domain transition to ## run qemu unconfined. ## diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te index 9dc09977..b2c843f5 100644 --- a/policy/modules/contrib/qemu.te +++ b/policy/modules/contrib/qemu.te @@ -1,4 +1,4 @@ -policy_module(qemu, 1.9.0) +policy_module(qemu, 1.9.1) ######################################## # @@ -25,11 +25,21 @@ role qemu_roles types qemu_t; type qemu_unit_t; init_unit_file(qemu_unit_t) +type qemu_var_run_t; +files_pid_file(qemu_var_run_t); + ######################################## # # Local policy # +kernel_read_crypto_sysctls(qemu_t) + +dev_read_sysfs(qemu_t) + +allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms; +files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) + tunable_policy(`qemu_full_network',` corenet_udp_sendrecv_generic_if(qemu_t) corenet_udp_sendrecv_generic_node(qemu_t) 
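Review bot: The new `/var/run/xen/qmp.*` entry in qemu.fc is declared with `--` (regular file), while the rest of this commit treats the QMP endpoint as a sock_file — `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` in qemu.te and the `sock_file unlink` rule in `qemu_delete_pid_sock_file`. With `--` a relabel pass will not apply qemu_var_run_t to the socket; `/var/run/xen/qmp.* -s gen_context(system_u:object_r:qemu_var_run_t,s0)` matches the object class that is actually created. The xen.fc hunk in the same commit writes the same directory as `/run/xen`; presumably the /var/run to /run substitution covers both spellings, but using one form in both files avoids depending on it.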
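Review bot: `qemu_stream_connect` grants only `files_search_pids($1)` plus the stream_connect_pattern on qemu_var_run_t, but this commit places the socket under /var/run/xen, a directory that the xen.fc hunk labels xend_var_run_t, so a caller relying on the interface alone would presumably be denied search on the parent directory. xm_t works only because xen.te separately adds `allow xm_t xend_var_run_t:dir rw_dir_perms;`; the interface summary should state the dependency, e.g. `## The caller must separately be able to search the directory holding the socket (xend_var_run_t when qemu runs under xen).` The same applies to `qemu_delete_pid_sock_file`, whose `sock_file unlink` needs remove_name on that directory before it has any effect.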
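Review bot: `files_pid_file(qemu_var_run_t);` in the qemu.te declarations hunk carries a trailing semicolon, unlike `init_unit_file(qemu_unit_t)` just above it and every other macro call in the hunk; the `;` survives m4 expansion as a stray token after the macro body, which is at best inconsistent and may be rejected by the policy compiler depending on version. Change it to `files_pid_file(qemu_var_run_t)`. The same line is repeated in the second copy of this message below.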
@@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',` ') optional_policy(` + fs_manage_xenfs_files(qemu_t) + + dev_rw_xen(qemu_t) + + xen_stream_connect_xenstore(qemu_t) + xen_append_log(qemu_t) + xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) +') + +optional_policy(` xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) ') diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc index 657a94ac..be0374df 100644 --- a/policy/modules/contrib/xen.fc +++ b/policy/modules/contrib/xen.fc @@ -5,6 +5,7 @@ /usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) /usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) /usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) +/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0) /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) @@ -20,6 +21,8 @@ /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0) + /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) @@ -30,6 +33,7 @@ /run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) /run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0) /run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) /run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) 
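Review bot: The new xen optional_policy block in qemu.te gives every qemu_t instance `fs_manage_xenfs_files` and `dev_rw_xen`, i.e. write access to the hypervisor control interfaces, with no comment on why the device model needs it. qemu_t is the domain that services guest I/O, so a compromised device model now reaches xenfs and the xen devices on any host where the xen module is loaded, including hosts that run qemu only for KVM guests. If the access is needed only for the Xen device model, say so above the block, e.g. `# Xen device model: xenstore access via xenfs and /dev/xen`, and consider whether a tunable should gate it.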
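Review bot: `/run/xen -d` in xen.fc labels only the directory itself, unlike the neighbouring `/run/xend(/.*)?` entry, so on a relabel anything inside /run/xen that no other entry matches (the qemu.fc hunk covers only `qmp.*`) presumably falls back to the generic runtime label. If other toolstack objects live there, either widen this to `/run/xen(/.*)?` or add the specific entries; if only the directory is meant to be labelled, a short comment saying the contents are labelled by type transition would stop the next reader from "fixing" it.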
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if index f93558c5..44116292 100644 --- a/policy/modules/contrib/xen.if +++ b/policy/modules/contrib/xen.if @@ -259,6 +259,34 @@ interface(`xen_stream_connect',` ######################################## ## +## Create in a xend_var_run_t directory +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`xen_pid_filetrans',` + gen_require(` + type xend_var_run_t; + ') + + filetrans_pattern($1, xend_var_run_t, $2, $3) +') + +######################################## +## ## Execute a domain transition to run xm. ## ## diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te index 383c00a7..0d680116 100644 --- a/policy/modules/contrib/xen.te +++ b/policy/modules/contrib/xen.te @@ -1,4 +1,4 @@ -policy_module(xen, 1.15.0) +policy_module(xen, 1.15.1) ######################################## # @@ -75,6 +75,9 @@ type xend_t; type xend_exec_t; init_daemon_domain(xend_t, xend_exec_t) +type xen_lock_t; +files_lock_file(xen_lock_t) + type xend_tmp_t; files_tmp_file(xend_tmp_t) @@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t) kernel_read_xen_state(xend_t) kernel_rw_net_sysctls(xend_t) kernel_read_network_state(xend_t) +kernel_read_vm_sysctls(xend_t) corecmd_exec_bin(xend_t) corecmd_exec_shell(xend_t) @@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t) fs_manage_xenfs_files(xend_t) storage_read_scsi_generic(xend_t) +# for lsscsi +storage_getattr_fixed_disk_dev(xend_t) term_setattr_generic_ptys(xend_t) term_getattr_all_ptys(xend_t) @@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn kernel_write_xen_state(xenstored_t) kernel_read_xen_state(xenstored_t) +corecmd_search_bin(xenstored_t) + dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) 
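Review bot: `xen_pid_filetrans` passes only three arguments to filetrans_pattern, so unlike `files_pid_filetrans` it cannot be narrowed to a specific object name and the transition fires for every `$3` the caller creates in xend_var_run_t. Accepting the conventional optional name as `$4` — `filetrans_pattern($1, xend_var_run_t, $2, $3, $4)` — with a documented optional `name` parameter keeps the interface consistent with the rest of the tree and lets callers scope it later; the qemu.te caller cannot use it for the `qmp.*` glob, but other callers might. The summary `Create in a xend_var_run_t directory` should also mention that the pattern presumably grants the caller write access to xend_var_run_t directories, since that is the larger privilege being handed out.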
@@ -470,12 +478,19 @@ xen_append_log(xenstored_t) # xm local policy # -allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; -allow xm_t self:process { getcap getsched setsched setcap signal }; +allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config }; +allow xm_t self:process { getcap getsched setsched setcap signal sigkill }; allow xm_t self:fifo_file rw_fifo_file_perms; allow xm_t self:unix_stream_socket { accept connectto listen }; allow xm_t self:tcp_socket { accept listen }; +allow xm_t xend_var_run_t:dir rw_dir_perms; + +allow xm_t xen_lock_t:file manage_file_perms; +files_lock_filetrans(xm_t, xen_lock_t, file) + +manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t) + manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) @@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t) can_exec(xm_t, xm_exec_t) +kernel_load_module(xm_t) +kernel_request_load_module(xm_t) kernel_read_system_state(xm_t) kernel_read_network_state(xm_t) kernel_read_kernel_sysctls(xm_t) @@ -517,8 +534,11 @@ dev_read_rand(xm_t) dev_read_urand(xm_t) dev_read_sysfs(xm_t) +domain_use_interactive_fds(xm_t) + files_read_etc_runtime_files(xm_t) files_read_etc_files(xm_t) +files_read_kernel_img(xm_t) files_read_usr_files(xm_t) files_search_pids(xm_t) files_search_var_lib(xm_t) @@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t) miscfiles_read_localization(xm_t) sysnet_dns_name_resolve(xm_t) +sysnet_domtrans_ifconfig(xm_t) + +# for vif-bridge to write to /run/xen-hotplug/iptables +# maybe we need a different label for /run/xen-hotplug +udev_manage_pid_files(xm_t) + +userdom_dontaudit_search_user_home_content(xm_t) tunable_policy(`xen_use_fusefs',` fs_manage_fusefs_dirs(xm_t) 
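Review bot: `manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` gives the toolstack unlink and rename on the whole xend log type, which lets a misbehaving xl remove xend's own logs rather than just write its own; if xl only creates and appends its log files, `create_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` plus `append_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)` bounds it (I have not checked whether xl truncates its logs, which would need write rather than append). The added `net_admin` capability and `rw_dir_perms` on xend_var_run_t in the same hunk are unexplained; a one-line comment above each naming the operation that needed it would help the next audit.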
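Review bot: `kernel_load_module(xm_t)` grants the toolstack domain direct module loading (sys_module), which is effectively arbitrary kernel code for anyone who controls xm_t, and it sits next to `kernel_request_load_module(xm_t)`, the usual and far narrower way to let a program trigger autoloading. If the denial that prompted this came from xl running modprobe itself, a domain transition to the module-utilities domain would keep sys_module out of xm_t; either way a comment naming the operation that needs it belongs above the line. The same pair is repeated in the second copy of this message below.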
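Review bot: `udev_manage_pid_files(xm_t)` gives the toolstack manage rights over udev's runtime files only to reach /run/xen-hotplug/iptables, as the in-hunk comment admits; the cleaner fix is the one the comment itself proposes, a dedicated type for /run/xen-hotplug with a matching fc entry and filetrans, so xm_t cannot touch udev's state. Until that lands, turn the note into an explicit `# TODO: label /run/xen-hotplug separately and drop udev_manage_pid_files` so it is tracked rather than read as a design decision. `sysnet_domtrans_ifconfig(xm_t)` in the same hunk would also benefit from a short `# vif scripts` comment stating why the toolstack reconfigures interfaces.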
@@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',` ') optional_policy(` + qemu_domtrans(xm_t) + qemu_signal(xm_t) + qemu_stream_connect(xm_t) + qemu_delete_pid_sock_file(xm_t) +') + +optional_policy(` + iptables_domtrans(xm_t) +') + +optional_policy(` cron_system_entry(xm_t, xm_exec_t) ') From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BE554139083 for ; Sat, 25 Feb 2017 14:59:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F03A1E0CE9; Sat, 25 Feb 2017 14:59:43 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C29F9E0CE9 for ; Sat, 25 Feb 2017 14:59:43 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 022333413B7 for ; Sat, 25 Feb 2017 14:59:42 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 886E6543D for ; Sat, 25 Feb 2017 14:59:39 +0000 (UTC) 
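Review bot: The new qemu optional_policy block lets xm_t start, signal and connect to the device model, but `qemu_signal` is unlikely to cover the SIGKILL that tearing a domain down sends to qemu, and the qemu.if hunk shows an existing `qemu_kill` interface for exactly that case. If `xl destroy` was exercised, check the audit log for a `sigkill` denial against qemu_t and add `qemu_kill(xm_t)` to the block. A short comment above the block, e.g. `# xl launches and tears down the qemu device model`, would explain why the toolstack holds these rights.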
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1488034253.a0d699a7a8da9ce12233029519efd3581c448ad4.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/qemu.fc policy/modules/contrib/qemu.if policy/modules/contrib/qemu.te policy/modules/contrib/xen.fc policy/modules/contrib/xen.if policy/modules/contrib/xen.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: a0d699a7a8da9ce12233029519efd3581c448ad4 X-VCS-Branch: next Date: Sat, 25 Feb 2017 14:59:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0bbec2f8-00d0-44f7-992d-45288a07d5d8 X-Archives-Hash: cc03fbc3df6163edbbfdbe8733284817 Message-ID: <20170225145939.4Z1Uuy1o8xyiB0qnbJB1Rf9e8um1FIM8pJtSXtExOSo@z> commit: a0d699a7a8da9ce12233029519efd3581c448ad4 Author: Chris PeBenito ieee org> AuthorDate: Fri Feb 24 01:31:35 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:50:53 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a0d699a7 Xen fixes from Russell Coker. policy/modules/contrib/qemu.fc | 2 ++ policy/modules/contrib/qemu.if | 38 ++++++++++++++++++++++++++++++++++++ policy/modules/contrib/qemu.te | 22 ++++++++++++++++++++- policy/modules/contrib/xen.fc | 4 ++++ policy/modules/contrib/xen.if | 28 +++++++++++++++++++++++++++ policy/modules/contrib/xen.te | 44 +++++++++++++++++++++++++++++++++++++++--- 6 files changed, 134 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc index db9ff368..122ca70f 100644 --- a/policy/modules/contrib/qemu.fc 
+++ b/policy/modules/contrib/qemu.fc @@ -7,6 +7,8 @@ /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0) + ifdef(`distro_gentoo',` /usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0) diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if index efdc5286..b6d8e1c2 100644 --- a/policy/modules/contrib/qemu.if +++ b/policy/modules/contrib/qemu.if @@ -264,6 +264,44 @@ interface(`qemu_kill',` ######################################## ## +## Connect to qemu with a unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_stream_connect',` + gen_require(` + type qemu_t, qemu_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t) +') + +######################################## +## +## Unlink qemu socket +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_delete_pid_sock_file',` + gen_require(` + type qemu_var_run_t; + ') + + allow $1 qemu_var_run_t:sock_file unlink; +') + +######################################## +## ## Execute a domain transition to ## run qemu unconfined. ## diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te index 9dc09977..b2c843f5 100644 --- a/policy/modules/contrib/qemu.te +++ b/policy/modules/contrib/qemu.te @@ -1,4 +1,4 @@ -policy_module(qemu, 1.9.0) +policy_module(qemu, 1.9.1) ######################################## # 
@@ -25,11 +25,21 @@ role qemu_roles types qemu_t; type qemu_unit_t; init_unit_file(qemu_unit_t) +type qemu_var_run_t; +files_pid_file(qemu_var_run_t); + ######################################## # # Local policy # +kernel_read_crypto_sysctls(qemu_t) + +dev_read_sysfs(qemu_t) + +allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms; +files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) + tunable_policy(`qemu_full_network',` corenet_udp_sendrecv_generic_if(qemu_t) corenet_udp_sendrecv_generic_node(qemu_t) @@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',` ') optional_policy(` + fs_manage_xenfs_files(qemu_t) + + dev_rw_xen(qemu_t) + + xen_stream_connect_xenstore(qemu_t) + xen_append_log(qemu_t) + xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file) +') + +optional_policy(` xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) ') diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc index 657a94ac..be0374df 100644 --- a/policy/modules/contrib/xen.fc +++ b/policy/modules/contrib/xen.fc @@ -5,6 +5,7 @@ /usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0) /usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0) /usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0) +/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0) /usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0) /usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0) @@ -20,6 +21,8 @@ /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0) /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0) + /var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0) /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0) /var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0) 
@@ -30,6 +33,7 @@ /run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0) /run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) +/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0) /run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) /run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if index f93558c5..44116292 100644 --- a/policy/modules/contrib/xen.if +++ b/policy/modules/contrib/xen.if @@ -259,6 +259,34 @@ interface(`xen_stream_connect',` ######################################## ## +## Create in a xend_var_run_t directory +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`xen_pid_filetrans',` + gen_require(` + type xend_var_run_t; + ') + + filetrans_pattern($1, xend_var_run_t, $2, $3) +') + +######################################## +## ## Execute a domain transition to run xm. ## ## diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te index 383c00a7..0d680116 100644 --- a/policy/modules/contrib/xen.te +++ b/policy/modules/contrib/xen.te @@ -1,4 +1,4 @@ -policy_module(xen, 1.15.0) +policy_module(xen, 1.15.1) ######################################## # @@ -75,6 +75,9 @@ type xend_t; type xend_exec_t; init_daemon_domain(xend_t, xend_exec_t) +type xen_lock_t; +files_lock_file(xen_lock_t) + type xend_tmp_t; files_tmp_file(xend_tmp_t) @@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t) kernel_read_xen_state(xend_t) kernel_rw_net_sysctls(xend_t) kernel_read_network_state(xend_t) +kernel_read_vm_sysctls(xend_t) corecmd_exec_bin(xend_t) corecmd_exec_shell(xend_t) 
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t) fs_manage_xenfs_files(xend_t) storage_read_scsi_generic(xend_t) +# for lsscsi +storage_getattr_fixed_disk_dev(xend_t) term_setattr_generic_ptys(xend_t) term_getattr_all_ptys(xend_t) @@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn kernel_write_xen_state(xenstored_t) kernel_read_xen_state(xenstored_t) +corecmd_search_bin(xenstored_t) + dev_filetrans_xen(xenstored_t) dev_rw_xen(xenstored_t) dev_read_sysfs(xenstored_t) @@ -470,12 +478,19 @@ xen_append_log(xenstored_t) # xm local policy # -allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config }; -allow xm_t self:process { getcap getsched setsched setcap signal }; +allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config }; +allow xm_t self:process { getcap getsched setsched setcap signal sigkill }; allow xm_t self:fifo_file rw_fifo_file_perms; allow xm_t self:unix_stream_socket { accept connectto listen }; allow xm_t self:tcp_socket { accept listen }; +allow xm_t xend_var_run_t:dir rw_dir_perms; + +allow xm_t xen_lock_t:file manage_file_perms; +files_lock_filetrans(xm_t, xen_lock_t, file) + +manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t) + manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t) @@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t) can_exec(xm_t, xm_exec_t) +kernel_load_module(xm_t) +kernel_request_load_module(xm_t) kernel_read_system_state(xm_t) kernel_read_network_state(xm_t) kernel_read_kernel_sysctls(xm_t) @@ -517,8 +534,11 @@ dev_read_rand(xm_t) dev_read_urand(xm_t) dev_read_sysfs(xm_t) +domain_use_interactive_fds(xm_t) + files_read_etc_runtime_files(xm_t) files_read_etc_files(xm_t) +files_read_kernel_img(xm_t) files_read_usr_files(xm_t) files_search_pids(xm_t) files_search_var_lib(xm_t) 
@@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t) miscfiles_read_localization(xm_t) sysnet_dns_name_resolve(xm_t) +sysnet_domtrans_ifconfig(xm_t) + +# for vif-bridge to write to /run/xen-hotplug/iptables +# maybe we need a different label for /run/xen-hotplug +udev_manage_pid_files(xm_t) + +userdom_dontaudit_search_user_home_content(xm_t) tunable_policy(`xen_use_fusefs',` fs_manage_fusefs_dirs(xm_t) @@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',` ') optional_policy(` + qemu_domtrans(xm_t) + qemu_signal(xm_t) + qemu_stream_connect(xm_t) + qemu_delete_pid_sock_file(xm_t) +') + +optional_policy(` + iptables_domtrans(xm_t) +') + +optional_policy(` cron_system_entry(xm_t, xm_exec_t) ')