
Commit 394a8d9

committed
fixup! fixup! Introduce SELinux policy for libvirt drivers
1 parent d4fee5f commit 394a8d9


1 file changed

+6
-41
lines changed


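--- a/virt.if
+++ b/virt.if
@@ -246,7 +246,6 @@ interface(`virt_exec',`
 can_exec($1, virt_driver_executable)
 ')
 
-
 #######################################
 ## <summary>
 ## Connect to virt over a unix domain stream socket.
@@ -259,31 +258,14 @@ interface(`virt_exec',`
 #
 interface(`virt_stream_connect',`
 gen_require(`
+attribute virt_driver_domain;
+attribute virt_driver_var_run;
 type virtd_t, virt_var_run_t;
 ')
 
 files_search_pids($1)
 stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
-')
-
-#######################################
-## <summary>
-## Connect to virt driver over a unix domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_driver_stream_connect',`
-gen_require(`
-attribute virt_driver_domain;
-attribute virt_driver_var_run;
-')
-
-files_search_pids($1)
-stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
+stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
 ')
 
 #######################################
@@ -1703,6 +1685,7 @@ interface(`virt_admin',`
 virt_stream_connect_svirt($1)
 virt_stream_connect($1)
 ')
+
 #######################################
 ## <summary>
 ## Getattr on virt executable.
@@ -1721,7 +1704,6 @@ interface(`virt_default_capabilities',`
 typeattribute $1 sandbox_caps_domain;
 ')
 
-
 ########################################
 ## <summary>
 ## Send and receive messages from
@@ -1735,33 +1717,16 @@ interface(`virt_default_capabilities',`
 #
 interface(`virt_dbus_chat',`
 gen_require(`
+attribute virt_driver_domain;
 type virtd_t;
 class dbus send_msg;
 ')
 
 allow $1 virtd_t:dbus send_msg;
 allow virtd_t $1:dbus send_msg;
-ps_process_pattern(virtd_t, $1)
-')
-
-## <summary>
-## Send and receive messages from
-## virt drivers over dbus.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_driver_dbus_chat',`
-gen_require(`
-attribute virt_driver_domain;
-class dbus send_msg;
-')
-
 allow $1 virt_driver_domain:dbus send_msg;
 allow virt_driver_domain $1:dbus send_msg;
+ps_process_pattern(virtd_t, $1)
 ps_process_pattern(virt_driver_domain, $1)
 ')
 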
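Review bot: The XML summaries no longer describe what the merged interfaces grant: after the second hunk, `virt_stream_connect` also allows stream connects to every domain carrying `virt_driver_domain` through `virt_driver_var_run`, yet its summary in the first hunk still reads `## Connect to virt over a unix domain stream socket.`, and `virt_dbus_chat` (whose summary block starts above the last hunk) now grants bidirectional `dbus send_msg` plus `ps_process_pattern` against all driver domains as well as `virtd_t`. Every existing caller of these two interfaces, including `virt_admin` in the third hunk, silently receives the wider driver-domain access with no change on its side, so the folding should be stated where policy authors look, e.g. `## Connect to virt and the virt drivers over a unix domain stream socket.` and, for the dbus interface, a summary naming both virtd and the virt driver domains. If some callers are meant to reach only virtd_t, keeping the separate `virt_driver_*` interfaces (removed here) would preserve that finer grant; otherwise the summaries should say the interfaces cover virtd and all drivers.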