From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 379AE1396D9 for ; Tue, 31 Oct 2017 05:40:18 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 6B6E4E0EAF; Tue, 31 Oct 2017 05:40:17 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3D196E0EAF for ; Tue, 31 Oct 2017 05:40:16 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7A67533BEB4 for ; Tue, 31 Oct 2017 05:40:15 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 0DCCD83F for ; Tue, 31 Oct 2017 05:40:14 +0000 (UTC)
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1509426922.570a767ab83e4540059afccfd833590cecba9a95.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/virt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 570a767ab83e4540059afccfd833590cecba9a95
X-VCS-Branch: master
Date: Tue, 31 Oct 2017 05:40:14 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 2672da21-5785-40ba-ab41-f22a9e212d05
X-Archives-Hash: 85917d731f5411fa76afd415f00b0083

commit:     570a767ab83e4540059afccfd833590cecba9a95
Author:     Jason Zaman perfinion com>
AuthorDate: Mon Oct 30 06:38:45 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Tue Oct 31 05:15:22 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=570a767a

virt: updated perms for starting guests

virtlockd doesn't need ps_process_pattern
need to relabel to set categories and allow mount root in slave mode
allow mounting devfs in run
Already has dac_override so read_search is harmless

libvirt errors:
libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to switch root mount into slave mode: Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: error : Failed to mount devfs on /var/run/libvirt/qemu/selinux.dev type tmpfs (mode=755,size=65536): Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Failed to make device /var/run/libvirt/qemu/selinux.dev/null: Permission denied
Error starting domain: internal error: Process exited prior to exec: libvirt: QEMU Driver error : Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null: Permission denied

avc denials:
avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0

 policy/modules/contrib/virt.te | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 1de48461..98d510fd 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -467,8 +467,8 @@ tunable_policy(`virt_use_vfio',` # virtd local policy # -allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -478,7 +478,7 @@ allow virtd_t self:packet_socket create_socket_perms; allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms; allow virtd_t self:netlink_route_socket nlmsg_write; -allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill }; dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms }; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) 
@@ -529,9 +530,10 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; +allow virtd_t virt_image_type:sock_file manage_sock_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; @@ -541,7 +543,14 @@ files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir }) manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) +manage_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) +manage_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) +manage_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) +relabel_blk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) +relabel_chr_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) +relabel_lnk_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t) fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir }) +allow virtd_t virt_tmpfs_t:dir mounton; # This needs a file context specification manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t) @@ -571,7 +580,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) 
@@ -620,6 +629,9 @@ dev_rw_mtrr(virtd_t) dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) +dev_relabel_all_dev_nodes(virtd_t) +dev_relabel_generic_symlinks(virtd_t) +dev_mounton(virtd_t) domain_use_interactive_fds(virtd_t) domain_read_all_domains_state(virtd_t) @@ -629,6 +641,7 @@ files_read_etc_runtime_files(virtd_t) files_search_all(virtd_t) files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) +files_mounton_root(virtd_t) # Manages /etc/sysconfig/system-config-firewall # files_relabelto_system_conf_files(virtd_t) @@ -643,6 +656,8 @@ fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) fs_manage_hugetlbfs_dirs(virtd_t) fs_rw_hugetlbfs_files(virtd_t) +fs_read_nsfs_files(virtd_t) +fs_mount_tmpfs(virtd_t) mls_fd_share_all_levels(virtd_t) mls_file_read_to_clearance(virtd_t) @@ -713,8 +728,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; - allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ') @@ -1308,6 +1321,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,7 +1343,7 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) +kernel_read_system_state(virtlockd_t) files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
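Review bot: in the first hunk (@@ -467,8) the self:capability set gains sys_ptrace, sys_chroot and fsetid alongside dac_read_search, but only dac_read_search is justified in the message ("Already has dac_override so read_search is harmless"), and none of the four quoted AVCs is a capability denial. sys_ptrace in particular is a capability reviewers want to see a denial for before it goes into a long-running root daemon's domain. Please quote the denials that required each of the three, or split them into their own commit with a rationale.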
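Review bot: in the @@ -478,7 hunk, rlimitinh is now both allowed (`+allow virtd_t virt_domain:process { getattr getsched setsched transition rlimitinh signal signull sigkill };`) and dontaudited on the unchanged next line (`dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };`). The dontaudit is dead once the permission is allowed; drop rlimitinh from the dontaudit so the two rules don't read as contradicting each other.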
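Review bot: in the @@ -529,9 hunk, the removed `-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;` was an exact duplicate of the line above it, but its replacement `+allow virtd_t virt_image_type:sock_file manage_sock_file_perms;` is a new grant that the commit message does not mention and no quoted denial covers. As written it looks like a typo fix rather than a deliberate addition; add a line to the message (presumably it goes with the stream_connect_pattern change further down, for sockets inside a per-domain directory that has been relabelled to svirt_image_t as in the quoted error) or quote the sock_file denial.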
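Review bot: in the @@ -541,7 hunk, `+allow virtd_t virt_tmpfs_t:dir mounton;` has no quoted denial behind it; the only mounton denial in the message is against svirt_var_run_t (path="/run/libvirt/qemu/selinux.dev"), which the @@ -501,6 hunk already handles. The six new *_pattern lines are also wider than the two quoted chr_file denials (create, relabelfrom): they additionally grant creating and relabelling block devices and symlinks under virt_tmpfs_t. If the private devfs really gets blk nodes and symlinks, say so in the message; otherwise manage_chr_files_pattern and relabel_chr_files_pattern are all the quoted errors ask for.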
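Review bot: style in the @@ -571,7 hunk: the second set is missing the space before its closing brace, `{ virt_image_type svirt_var_run_t}` should be `{ virt_image_type svirt_var_run_t }` to match the first set and the rest of the file. Beyond the nit, this widens stream_connect from svirt_var_run_t to every virt_image_type type; one sentence in the message on which socket ends up under a virt_image_type label would let a reader tie it to the relabel error quoted above.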
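Review bot: in the @@ -620,6 hunk, dev_relabel_all_dev_nodes(virtd_t) is the catch-all device relabel interface, and it makes the dev_relabel_generic_usb_dev call right above it and the tunable-gated dev_relabelfrom_vfio_dev further down redundant. The only relabel failure quoted ("Unable to set SELinux label on /var/run/libvirt/qemu/selinux.dev/null") is on a virt_tmpfs_t node, which the relabel_chr_files_pattern in the previous hunk already addresses. Either quote the denial against a device node type that forced the wide interface, or drop it and keep the narrower calls; if it stays, remove the now-redundant usb and vfio relabel calls so the policy does not say the same thing twice.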
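Review bot: in the @@ -643,6 hunk, fs_mount_tmpfs(virtd_t) matches the quoted `avc: denied { mount } ... tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem`, but fs_read_nsfs_files(virtd_t) is unexplained: nothing in the message or the AVCs refers to nsfs. Please quote the denial it fixes.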
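Review bot: in the @@ -713,8 hunk, removing `allow virtd_t self:process setrlimit;` and `allow virtd_t svirt_t:process rlimitinh;` from the virt_use_vfio block is consistent with the unconditional grants added earlier in the patch, but the message should state that these two permissions are no longer gated on the tunable, and that rlimitinh now targets all of virt_domain rather than only svirt_t.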
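Review bot: in the @@ -1308,6 hunk, the three added rules (virtd_t:dir list_dir_perms, :file read_file_perms, :lnk_file read_lnk_file_perms for virtlockd_t) look like the file-side rules of ps_process_pattern written out by hand, which sits oddly next to the message's "virtlockd doesn't need ps_process_pattern". If the intent is to keep /proc access to virtd_t while dropping only the pattern's process-class permissions, say exactly that in the message so the tightening is recognisable as one.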
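Review bot: in the @@ -1326,7 hunk, `+kernel_read_system_state(virtlockd_t)` is not a substitute for the removed `-ps_process_pattern(virtlockd_t, virtd_t)`; it is a different, generic /proc read grant, and the message does not say why virtlockd needs it. Quote the denial, or explain which /proc path virtlockd reads, so the replacement is traceable.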
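As an added illustration, not code from this commit or from refpolicy, the script below parses the four AVC denials quoted in the commit message, collapses them into the minimal literal allow rules they would need, and then checks a list of literal allow lines against them, the kind of sanity check one does on a policy patch before reaching for audit2allow. Its rule parser only understands plain `allow src tgt:class perms;` lines and does not expand permission macros such as relabel_dir_perms or interfaces such as fs_mount_tmpfs; PATCH_RULES holds the two literal rules in this patch that name a denied type, so the "uncovered" output shows which denials the patch satisfies through interfaces rather than literal rules.

```python
import re
from collections import defaultdict

# Sample input: the four AVC denials quoted in the commit message above,
# embedded here verbatim so the script runs offline.
AVC_LINES = """\
avc: denied { mounton } for pid=11279 comm="libvirtd" path="/run/libvirt/qemu/selinux.dev" dev="tmpfs" ino=4428609 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_var_run_t:s0 tclass=dir permissive=0
avc: denied { mount } for pid=17844 comm="libvirtd" name="/" dev="tmpfs" ino=4436959 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
avc: denied { create } for pid=24198 comm="libvirtd" name="null" scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
avc: denied { relabelfrom } for pid=539 comm="libvirtd" name="null" dev="tmpfs" ino=4452253 scontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:virt_tmpfs_t:s0 tclass=chr_file permissive=0
"""

# The two literal allow rules in this patch that name a denied target type.
# The chr_file and filesystem grants in the patch come from *_pattern macros
# and interfaces, which this simple parser does not expand.
PATCH_RULES = [
    "allow virtd_t svirt_var_run_t:dir { mounton relabel_dir_perms };",
    "allow virtd_t virt_tmpfs_t:dir mounton;",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<perms>\{[^}]*\}|\S+?)\s*;"
)


def context_type(ctx):
    """user:role:type[:range] -> type, the only field a TE allow rule names."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Return [(source_type, target_type, tclass, frozenset(perms))], one per denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, or one we cannot parse
        denials.append((
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def allow_rules(denials):
    """Collapse denials sharing (src, tgt, class) into one literal allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ " + text + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules


def parse_allow(lines):
    """Parse literal `allow src tgt:class perms;` lines into {(src, tgt, cls): set(perms)}.
    Permission macros such as relabel_dir_perms are kept as opaque tokens."""
    granted = defaultdict(set)
    for line in lines:
        m = ALLOW_RE.match(line)
        if m:
            perms = m.group("perms").strip("{} ").split()
            granted[(m.group("src"), m.group("tgt"), m.group("cls"))] |= set(perms)
    return granted


def uncovered(denials, granted):
    """Denials with at least one permission not literally granted, with the missing perms."""
    gaps = []
    for src, tgt, cls, perms in denials:
        gap = perms - granted.get((src, tgt, cls), set())
        if gap:
            gaps.append((src, tgt, cls, frozenset(gap)))
    return gaps


if __name__ == "__main__":
    denials = parse_avc(AVC_LINES)
    print("minimal literal rules for the quoted denials:")
    for rule in allow_rules(denials):
        print("  " + rule)
    print("denials not covered by the patch's literal rules (via interfaces, or not at all):")
    for src, tgt, cls, gap in uncovered(denials, parse_allow(PATCH_RULES)):
        print(f"  {src} -> {tgt}:{cls} {{ {' '.join(sorted(gap))} }}")
```

Run as-is, it reports three minimal rules for the four denials (the two chr_file denials fold into one rule) and lists the tmpfs_t filesystem mount and the two virt_tmpfs_t chr_file denials as not literally covered, which is exactly where the patch relies on fs_mount_tmpfs and the virt_tmpfs_t *_pattern macros. Expanding macros and interfaces is what audit2allow and sesearch on the compiled policy are for; this script only shows what a reviewer can verify from the diff text alone.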