fixup! Introduce SELinux policy for libvirt drivers

5umm3r15 · 5umm3r15 · commit d4fee5f25613 · 2020-09-14T15:50:58.000+02:00
diff --git a/virt.if b/virt.if
@@ -137,13 +137,15 @@ template(`virt_driver_template',`
     allow $1_t virt_var_run_t:dir { create search_dir_perms };
     manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
     manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-    files_pid_filetrans($1_t, $1_var_run_t, { dir file } )
-    filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { dir file } )
+    manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t)
+    files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } )
+    filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { dir file sock_file } )
 
     read_files_pattern($1_t, virt_etc_t, virt_etc_t)
     manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
     manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
 
+    allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;
     read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)
 
     kernel_dgram_send($1_t)
diff --git a/virt.te b/virt.te
@@ -302,6 +302,9 @@ virt_driver_template(virtsecretd)
 # virtstoraged
 virt_driver_template(virtstoraged)
 
+type virtstoraged_tmp_t;
+files_tmp_file(virtstoraged_tmp_t)
+
 # virtvboxd
 virt_driver_template(virtvboxd)
 
@@ -814,6 +817,8 @@ allow virtlogd_t virtd_t:dir list_dir_perms;
 allow virtlogd_t virtd_t:file read_file_perms;
 allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
 
+read_files_pattern(virtlogd_t, virtqemud_t, virtqemud_t)
+
 virt_manage_lib_files(virtlogd_t)
 
 tunable_policy(`virt_lockd_blk_devs',`
@@ -1657,26 +1662,32 @@ tunable_policy(`virt_sandbox_use_audit',`
 
 userdom_use_user_ptys(svirt_qemu_net_t)
 
-
 #######################################
 #
 # virtinterfaced local policy
 #
 allow virtinterfaced_t self:tcp_socket create_stream_socket_perms;
 
+corecmd_exec_bin(virtinterfaced_t)
+
+fs_getattr_all_fs(virtinterfaced_t)
+
 modutils_read_module_config(virtinterfaced_t)
 
 sysnet_read_config(virtinterfaced_t)
+
+userdom_read_all_users_state(virtinterfaced_t)
+
 #######################################
 #
 # virtnetworkd local policy
 #
 allow virtnetworkd_t self:capability { kill sys_ptrace };
 allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms;
 allow virtnetworkd_t self:process setcap;
-allow virtnetworkd_t self:tun_socket create;
+allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto };
 
-read_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t)
+manage_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t)
 
 manage_dirs_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virtnetworkd_t, virt_var_lib_t, virt_var_lib_t)
@@ -1694,6 +1705,9 @@ sysnet_read_config(virtnetworkd_t)
 optional_policy(`
         dnsmasq_domtrans(virtnetworkd_t)
         dnsmasq_manage_pid_files(virtnetworkd_t)
+        dnsmasq_read_state(virtnetworkd_t)
+        dnsmasq_signal(virtnetworkd_t)
+        dnsmasq_signull(virtnetworkd_t)
 ')
 
 optional_policy(`
@@ -1709,6 +1723,8 @@ optional_policy(`
 allow virtnodedevd_t self:capability sys_admin;
 allow virtnodedevd_t self:netlink_generic_socket create_socket_perms;
 
+kernel_request_load_module(virtnodedevd_t)
+
 dev_rw_mtrr(virtnodedevd_t)
 
 miscfiles_read_hwdata(virtnodedevd_t)
@@ -1723,8 +1739,12 @@ optional_policy(`
 #
 allow virtnwfilterd_t self:capability net_raw;
 allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms;
+allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt };
 allow virtnwfilterd_t self:rawip_socket create_socket_perms;
 
+kernel_read_net_sysctls(virtnwfilterd_t)
+kernel_request_load_module(virtnwfilterd_t)
+
 manage_dirs_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t)
 manage_files_pattern(virtnwfilterd_t, virtnetworkd_var_run_t, virtnetworkd_var_run_t)
 
@@ -1744,12 +1764,14 @@ optional_policy(`
 #
 allow virtproxyd_t self:udp_socket create_socket_perms;
 
+userdom_read_all_users_state(virtproxyd_t)
+
 #######################################
 #
 # virtqemud local policy
 #
 allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace };
+allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio };
 allow virtqemud_t self:netlink_audit_socket nlmsg_relay;
 allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate };
 allow virtqemud_t self:tcp_socket { bind create setopt };
@@ -1762,9 +1784,12 @@ allow virtqemud_t virt_driver_domain:unix_stream_socket connectto;
 
 manage_files_pattern(virtqemud_t, virt_image_t, virt_image_t)
 
+read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t)
+
 allow virtqemud_t svirt_t:process { setsched signal signull transition };
-allow virtqemud_t svirt_t:unix_stream_socket create_socket_perms;
+allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
 read_files_pattern(virtqemud_t, svirt_t, svirt_t)
+read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t)
 
 manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
 manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
@@ -1789,6 +1814,7 @@ corenet_rw_tun_tap_dev(virtqemud_t)
 corenet_tcp_bind_generic_node(virtqemud_t)
 corenet_tcp_bind_vnc_port(virtqemud_t)
 
+dev_read_cpuid(virtqemud_t)
 dev_read_sysfs(virtqemud_t)
 dev_read_urand(virtqemud_t)
 dev_relabel_all_dev_nodes(virtqemud_t)
@@ -1803,13 +1829,19 @@ fs_manage_hugetlbfs_dirs(virtqemud_t)
 fs_manage_cgroup_dirs(virtqemud_t)
 fs_manage_cgroup_files(virtqemud_t)
 fs_manage_tmpfs_chr_files(virtqemud_t)
+fs_manage_tmpfs_dirs(virtqemud_t)
+fs_manage_tmpfs_symlinks(virtqemud_t)
+fs_mount_tmpfs(virtqemud_t)
 fs_read_nsfs_files(virtqemud_t)
+fs_relabel_tmpfs_chr_file(virtqemud_t)
 
+init_stream_connect(virtqemud_t)
 init_stream_connect_script(virtqemud_t)
 
 seutil_read_default_contexts(virtqemud_t)
 seutil_read_file_contexts(virtqemud_t)
 
+userdom_read_all_users_state(virtqemud_t)
 userdom_read_user_home_content_files(virtqemud_t)
 userdom_relabel_user_home_files(virtqemud_t)
 
@@ -1825,14 +1857,22 @@ optional_policy(`
 #
 # virtstoraged local policy
 #
-manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t)
+allow virtstoraged_t self:capability { dac_override dac_read_search };
+
+files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir })
 
 manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)
 
+manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t)
+
+manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t)
+
 manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
 
-fs_getattr_xattr_fs(virtstoraged_t)
+corecmd_exec_bin(virtstoraged_t)
+
+fs_getattr_all_fs(virtstoraged_t)
 
 userdom_read_user_home_content_files(virtstoraged_t)
 
