Split virt policy, introduce virt_supplementary module

Separate the services from the original virt files that are not libvirt related and create virt_supplementary policy module.
fedora-selinux · Sep 1, 2020 · 2cce9c3 · 2cce9c3
1 parent 81b62ec
commit 2cce9c3
Show file tree

Hide file tree

Showing 6 changed files with 372 additions and 302 deletions.
diff --git a/virt.fc b/virt.fc
@@ -1,15 +1,11 @@
 HOME_DIR/\.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 HOME_DIR/\.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 HOME_DIR/\.cache/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
 HOME_DIR/\.cache/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
 HOME_DIR/\.config/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 HOME_DIR/\.config/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)
 HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)
 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
 HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
 HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_home_t,s0)
 
@@ -20,24 +16,13 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/rc\.d/init\.d/libvirtd --	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/virtlogd --  gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
-/etc/xen		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-/etc/xen/[^/]*		--	gen_context(system_u:object_r:virt_etc_t,s0)
-/etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
 /usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
-/usr/libexec/qemu-bridge-helper		gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
-/usr/libexec/qemu-pr-helper	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 
 /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
 /usr/sbin/virtlogd --  gen_context(system_u:object_r:virtlogd_exec_t,s0)
-/usr/bin/virt-who   --  gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/bin/qemu-pr-helper   --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)
-/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/sbin/xl		--	gen_context(system_u:object_r:virsh_exec_t,s0)
-/usr/sbin/xm		--	gen_context(system_u:object_r:virsh_exec_t,s0)
 
 /usr/sbin/virtinterfaced	--	gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
 /usr/sbin/virtlxcd     --      gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
@@ -61,10 +46,8 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /var/lib/libvirt/lockd(/.*)? 	gen_context(system_u:object_r:virt_var_lockd_t,s0)
 /var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 
-/var/lock/xl			--	gen_context(system_u:object_r:virt_log_t,s0)
 /var/log/log(/.*)?			gen_context(system_u:object_r:virt_log_t,s0)
 /var/log/libvirt(/.*)?			gen_context(system_u:object_r:virt_log_t,s0)
-/var/log/vdsm(/.*)?			gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirtd\.pid		--	gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/virtlogd\.pid		--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
 /var/run/virtlxcd\.pid		--      gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
@@ -112,57 +95,9 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /var/run/libvirt/virtvboxd-admin-sock		-s	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
 /var/run/libvirt/virtvboxd-sock		-s	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
 /var/run/libvirt/virtvboxd-sock-ro		-s	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
-/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
-/var/run/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/qemu-pr-helper\.sock			-s	gen_context(system_u:object_r:virt_var_run_t,s0)
-
-/var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
-
-# support for AEOLUS project
-/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)
-/var/cache/oz(/.*)?					gen_context(system_u:object_r:virt_cache_t,s0)
-/var/lib/imagefactory/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)
-/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
-/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
-/var/lib/rkt/cas(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
-
-# add support vios-proxy-*
-/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/bin/vios-proxy-guest	--  gen_context(system_u:object_r:virtd_exec_t,s0)
-
-#support for vdsm
-/usr/share/vdsm/vdsm    --       gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/share/vdsm/respawn    --       gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/share/vdsm/supervdsmServer    --       gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/share/vdsm/daemonAdapter       --  gen_context(system_u:object_r:virtd_exec_t,s0)
-
-# support for nova-stack
-/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
-/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-
-/etc/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
-/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?  gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
-/var/run/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
-
-/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
-
-/usr/lib/virt-sysprep/firstboot.sh --  gen_context(system_u:object_r:virtd_exec_t,s0)
 
 /usr/lib/systemd/system/*virtlogd.*	gen_context(system_u:object_r:virtlogd_unit_file_t,s0)
 
 /usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 /usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
 /usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
-
-/usr/bin/qemu-ga                --      gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
-
-/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
-/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
-
-/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
-/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
@@ -68,7 +68,8 @@ interface(`virt_stub_svirt_sandbox_file',`
 #
 template(`virt_domain_template',`
 	gen_require(`
-		attribute virt_image_type, virt_domain;
+		attribute 
+		ge_type, virt_domain;
 		attribute virt_tmpfs_type;
 		attribute virt_ptynode;
 		type qemu_exec_t;
@@ -244,22 +245,6 @@ interface(`virt_exec',`
 	can_exec($1, virt_driver_executable)
 ')
 
-########################################
-## <summary>
-##  Transition to virt_bridgehelper.
-## </summary>
-## <param name="domain">
-## <summary>
-##  Domain allowed to transition.
-## </summary>
-## </param>
-interface(`virt_domtrans_bridgehelper',`
-	gen_require(`
-		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
-	')
-
-	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
-')
 
 #######################################
 ## <summary>

diff --git a/virt.te b/virt.te
@@ -172,34 +172,13 @@ gen_tunable(virt_sandbox_use_mknod, false)
 ## </desc>
 gen_tunable(virt_sandbox_use_all_caps, true)
 
-## <desc>
-## <p>
-## Allow qemu-ga to read qemu-ga date.
-## </p>
-## </desc>
-gen_tunable(virt_read_qemu_ga_data, false)
-
-## <desc>
-## <p>
-## Allow qemu-ga to manage qemu-ga date.
-## </p>
-## </desc>
-gen_tunable(virt_rw_qemu_ga_data, false)
-
 ## <desc>
 ## <p>
 ## Allow virtlockd read and lock block devices.
 ## </p>
 ## </desc>
 gen_tunable(virt_lockd_blk_devs, false)
 
-## <desc>
-## <p>
-## Allow qemu-ga read all non-security file types.
-## </p>
-## </desc>
-gen_tunable(virt_qemu_ga_read_nonsecurity_files, false)
-
 virt_domain_template(svirt)
 role system_r types svirt_t;
 typealias svirt_t alias qemu_t;
@@ -299,34 +278,6 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
 ')
 
-
-type virt_bridgehelper_t, virt_system_domain;
-domain_type(virt_bridgehelper_t)
-
-type virt_bridgehelper_exec_t, virt_file_type;
-domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
-role system_r types virt_bridgehelper_t;
-
-# policy for qemu_ga
-type virt_qemu_ga_t, virt_system_domain;
-type virt_qemu_ga_exec_t, virt_file_type;
-init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-
-type virt_qemu_ga_var_run_t, virt_file_type;
-files_pid_file(virt_qemu_ga_var_run_t)
-
-type virt_qemu_ga_log_t, virt_file_type;
-logging_log_file(virt_qemu_ga_log_t)
-
-type virt_qemu_ga_tmp_t, virt_file_type;
-files_tmp_file(virt_qemu_ga_tmp_t)
-
-type virt_qemu_ga_data_t, virt_file_type;
-files_type(virt_qemu_ga_data_t)
-
-type virt_qemu_ga_unconfined_exec_t, virt_file_type;
-application_executable_file(virt_qemu_ga_unconfined_exec_t)
-
 # virtinterfaced
 virt_driver_template(virtinterfaced)
 
@@ -1706,31 +1657,6 @@ tunable_policy(`virt_sandbox_use_audit',`
 
 userdom_use_user_ptys(svirt_qemu_net_t)
 
-########################################
-#
-# virt_bridgehelper local policy
-#
-
-allow virt_bridgehelper_t self:process { setcap getcap };
-allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
-allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-allow virt_bridgehelper_t self:tun_socket create_socket_perms;
-allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
-
-allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
-
-manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
-
-kernel_read_network_state(virt_bridgehelper_t)
-kernel_read_system_state(virt_bridgehelper_t)
-
-dev_read_urand(virt_bridgehelper_t)
-dev_read_rand(virt_bridgehelper_t)
-dev_read_sysfs(virt_bridgehelper_t)
-
-corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-
-userdom_use_inherited_user_ptys(virt_bridgehelper_t)
 
 #######################################
 #
@@ -1920,152 +1846,6 @@ allow virtvboxd_t self:netlink_route_socket { bind create getattr setopt };
 allow virtvboxd_t self:unix_dgram_socket create;
 allow virtvboxd_t virt_etc_t:dir search;
 
-#######################################
-#
-# virt_qemu_ga local policy
-#
-
-allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
-
-allow virt_qemu_ga_t self:passwd passwd;
-
-allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
-allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
-
-allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
-can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
-
-manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
-manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
-files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
-
-manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
-manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
-files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
-
-manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
-manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
-logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
-
-kernel_read_system_state(virt_qemu_ga_t)
-kernel_read_network_state(virt_qemu_ga_t)
-kernel_rw_kernel_sysctl(virt_qemu_ga_t)
-
-corecmd_exec_shell(virt_qemu_ga_t)
-corecmd_exec_bin(virt_qemu_ga_t)
-
-clock_read_adjtime(virt_qemu_ga_t)
-
-dev_getattr_apm_bios_dev(virt_qemu_ga_t)
-dev_rw_sysfs(virt_qemu_ga_t)
-dev_rw_realtime_clock(virt_qemu_ga_t)
-
-files_list_all_mountpoints(virt_qemu_ga_t)
-files_write_all_mountpoints(virt_qemu_ga_t)
-
-fs_list_all(virt_qemu_ga_t)
-fs_getattr_all_fs(virt_qemu_ga_t)
-
-term_use_virtio_console(virt_qemu_ga_t)
-term_use_all_ttys(virt_qemu_ga_t)
-term_use_unallocated_ttys(virt_qemu_ga_t)
-
-auth_use_nsswitch(virt_qemu_ga_t)
-
-logging_send_syslog_msg(virt_qemu_ga_t)
-logging_send_audit_msgs(virt_qemu_ga_t)
-
-init_read_utmp(virt_qemu_ga_t)
-
-modutils_exec_kmod(virt_qemu_ga_t)
-
-sysnet_dns_name_resolve(virt_qemu_ga_t)
-
-systemd_exec_systemctl(virt_qemu_ga_t)
-systemd_start_power_services(virt_qemu_ga_t)
-systemd_dbus_chat_logind(virt_qemu_ga_t)
-
-userdom_use_user_ptys(virt_qemu_ga_t)
-
-usermanage_domtrans_passwd(virt_qemu_ga_t)
-
-tunable_policy(`virt_qemu_ga_read_nonsecurity_files',`
-	files_read_non_security_files(virt_qemu_ga_t)
-')
-
-tunable_policy(`virt_read_qemu_ga_data',`
-    read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-    read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-')
-
-tunable_policy(`virt_rw_qemu_ga_data',`
-    manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-    manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-    manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
-')
-
-optional_policy(`
-    bootloader_domtrans(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    clock_domtrans(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    dbus_system_bus_client(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    cron_initrc_domtrans(virt_qemu_ga_t)
-    cron_domtrans(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    devicekit_manage_pid_files(virt_qemu_ga_t)
-    devicekit_read_log_files(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    fstools_domtrans(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    rpm_dbus_chat(virt_qemu_ga_t)
-')
-
-optional_policy(`
-    shutdown_domtrans(virt_qemu_ga_t)
-')
-
-optional_policy(`
-	udev_read_pid_files(virt_qemu_ga_t)
-')
-
-#######################################
-#
-# qemu-ga  unconfined hook script local policy
-#
-
-optional_policy(`
-    type virt_qemu_ga_unconfined_t;
-    domain_type(virt_qemu_ga_unconfined_t)
-
-    domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
-    role system_r types virt_qemu_ga_unconfined_t;
-
-    domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
-
-    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
-    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
-    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
-
-    init_domtrans_script(virt_qemu_ga_unconfined_t)
-
-    optional_policy(`
-        unconfined_domain(virt_qemu_ga_unconfined_t)
-    ')
-')
 
 #######################################
 #