fixup! fixup! fixup! Introduce SELinux policy for libvirt drivers

fedora-selinux · Oct 6, 2020 · efecdd0 · efecdd0
1 parent 394a8d9
commit efecdd0
Show file tree

Hide file tree

Showing 3 changed files with 142 additions and 27 deletions.
diff --git a/virt.if b/virt.if
@@ -144,6 +144,7 @@ template(`virt_driver_template',`
     read_files_pattern($1_t, virt_etc_t, virt_etc_t)
     manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
     manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
+    filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir)
 
     allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;
     read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)
@@ -164,6 +165,11 @@ template(`virt_driver_template',`
     miscfiles_read_generic_certs($1_t)
 
     optional_policy(`
+        dbus_system_bus_client($1_t)
+    ')
+
+    optional_policy(`
+        systemd_dbus_chat_logind($1_t)
         systemd_write_inhibit_pipes($1_t)
     ')
 ')
@@ -202,6 +208,7 @@ interface(`virt_image',`
 #
 interface(`virt_getattr_exec',`
     gen_require(`
+        attribute virt_driver_executable;
         type virtd_exec_t;
     ')
 
@@ -239,6 +246,7 @@ interface(`virt_domtrans',`
 #
 interface(`virt_exec',`
 	gen_require(`
+                attribute virt_driver_executable;
 		type virtd_exec_t;
 	')
 
@@ -268,6 +276,26 @@ interface(`virt_stream_connect',`
 	stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
 ')
 
+########################################
+## <summary>
+##      Read and write to virt_domain unix
+##      stream sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`virt_rw_stream_sockets_virt_domain',`
+        gen_require(`
+                attribute virt_domain;
+        ')
+
+	allow $1 virt_domain:unix_stream_socket { read write };
+')
+
+
 #######################################
 ## <summary>
 ##	Connect to svirt process over a unix domain stream socket.
@@ -1252,7 +1280,7 @@ interface(`virt_signal',`
 #
 interface(`virt_signull',`
 	gen_require(`
-		virt_driver_domain;
+		attribute virt_driver_domain;
 		type virtd_t;
 	')
 
@@ -1402,6 +1430,43 @@ interface(`virt_dontaudit_read_chr_dev',`
 	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##      Make the specified type usable as a virt file type
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a virt file type
+##      </summary>
+## </param>
+#
+interface(`virt_file_types',`
+        gen_require(`
+                attribute virt_file_type;
+        ')
+
+        typeattribute  $1  virt_file_type;
+')
+
+########################################
+## <summary>
+##      Make the specified type usable as a svirt file type 
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a svirt file type
+##      </summary>
+## </param>
+#
+interface(`svirt_file_types',`
+        gen_require(`
+                attribute svirt_file_type;
+        ')
+
+	typeattribute  $1  svirt_file_type;
+')
+
+
 ########################################
 ## <summary>
 ##	Creates types and rules for a basic
@@ -1472,6 +1537,24 @@ template(`virt_sandbox_net_domain',`
 	typeattribute  $1 sandbox_net_domain;
 ')
 
+########################################
+## <summary>
+##      Make the specified type usable as a virt system domain
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a virt system domain
+##      </summary>
+## </param>
+#
+interface(`virt_system_domain_type',`
+        gen_require(`
+                attribute virt_system_domain;
+        ')
+
+        typeattribute  $1  virt_system_domain;
+')
+
 ########################################
 ## <summary>
 ##	Execute a qemu_exec_t in the callers domain
@@ -1802,6 +1885,26 @@ interface(`virt_dgram_send',`
 	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 
+########################################
+## <summary>
+##  Manage svirt home files,dirs and sockfiles.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`virt_svirt_manage_home',`
+        gen_require(`
+                type svirt_home_t;
+        ')
+
+        manage_files_pattern($1, svirt_home_t, svirt_home_t)
+        manage_dirs_pattern($1, svirt_home_t, svirt_home_t)
+        manage_sock_files_pattern($1, svirt_home_t, svirt_home_t)
+')
+
 ########################################
 ## <summary>
 ##  Manage svirt tmp files,dirs and sockfiles.

diff --git a/virt.te b/virt.te
@@ -1762,8 +1762,12 @@ optional_policy(`
 #
 # virtproxyd local policy
 #
+allow virtproxyd_t self:tcp_socket create_stream_socket_perms;
 allow virtproxyd_t self:udp_socket create_socket_perms;
 
+corenet_tcp_bind_generic_node(virtproxyd_t)
+corenet_tcp_bind_virt_port(virtproxyd_t)
+
 userdom_read_all_users_state(virtproxyd_t)
 
 #######################################

diff --git a/virt_supplementary.te b/virt_supplementary.te
@@ -9,23 +9,14 @@ gen_require(`
     class passwd passwd;
 ')
 
-attribute virt_system_domain;
-attribute virt_domain;
-attribute virt_file_type;
-attribute svirt_file_type;
-
-type virtd_exec_t, virt_file_type;
-
-type svirt_home_t, svirt_file_type;
-
-type virt_qmf_t, virt_system_domain;
-type virt_qmf_exec_t, virt_file_type;
+type virt_qmf_t;
+type virt_qmf_exec_t;
 init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
 
-type virt_bridgehelper_t, virt_system_domain;
+type virt_bridgehelper_t;
 domain_type(virt_bridgehelper_t)
 
-type virt_bridgehelper_exec_t, virt_file_type;
+type virt_bridgehelper_exec_t;
 domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 role system_r types virt_bridgehelper_t;
 
@@ -51,25 +42,34 @@ gen_tunable(virt_rw_qemu_ga_data, false)
 gen_tunable(virt_qemu_ga_read_nonsecurity_files, false)
 
 # policy for qemu_ga
-type virt_qemu_ga_t, virt_system_domain;
-type virt_qemu_ga_exec_t, virt_file_type;
+type virt_qemu_ga_t;
+type virt_qemu_ga_exec_t;
 init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
 
-type virt_qemu_ga_var_run_t, virt_file_type;
+type virt_qemu_ga_var_run_t;
 files_pid_file(virt_qemu_ga_var_run_t)
 
-type virt_qemu_ga_log_t, virt_file_type;
+type virt_qemu_ga_log_t;
 logging_log_file(virt_qemu_ga_log_t)
 
-type virt_qemu_ga_tmp_t, virt_file_type;
+type virt_qemu_ga_tmp_t;
 files_tmp_file(virt_qemu_ga_tmp_t)
 
-type virt_qemu_ga_data_t, virt_file_type;
+type virt_qemu_ga_data_t;
 files_type(virt_qemu_ga_data_t)
 
-type virt_qemu_ga_unconfined_exec_t, virt_file_type;
+type virt_qemu_ga_unconfined_exec_t;
 application_executable_file(virt_qemu_ga_unconfined_exec_t)
 
+optional_policy(`
+        virt_file_types(virt_qemu_ga_exec_t)
+        virt_file_types(virt_qemu_ga_var_run_t)
+        virt_file_types(virt_qemu_ga_log_t)
+        virt_file_types(virt_qemu_ga_tmp_t)
+        virt_file_types(virt_qemu_ga_data_t)
+        virt_file_types(virt_qemu_ga_unconfined_exec_t)
+')
+
 ########################################
 #
 # virt_qmf local policy
@@ -81,8 +81,6 @@ allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
-can_exec(virt_qmf_t, virtd_exec_t)
-
 kernel_read_system_state(virt_qmf_t)
 kernel_read_network_state(virt_qmf_t)
 
@@ -103,7 +101,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+        virt_exec(virt_qmf_t)
+        virt_file_types(virt_qmf_exec_t)
 	virt_stream_connect(virt_qmf_t)
+        virt_system_domain_type(virt_qmf_t)
 ')
 
 ########################################
@@ -117,10 +118,6 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
-allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
-
-manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
-
 kernel_read_network_state(virt_bridgehelper_t)
 kernel_read_system_state(virt_bridgehelper_t)
 
@@ -132,6 +129,13 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
 userdom_use_inherited_user_ptys(virt_bridgehelper_t)
 
+optional_policy(`
+        virt_file_types(virt_bridgehelper_exec_t)
+        virt_rw_stream_sockets_virt_domain(virt_bridgehelper_t)
+        virt_svirt_manage_home(virt_bridgehelper_t)
+        virt_system_domain_type(virt_bridgehelper_t)
+')
+
 #######################################
 #
 # virt_qemu_ga local policy
@@ -254,6 +258,10 @@ optional_policy(`
 	udev_read_pid_files(virt_qemu_ga_t)
 ')
 
+optional_policy(`
+        virt_system_domain_type(virt_qemu_ga_t)
+')
+
 #######################################
 #
 # qemu-ga  unconfined hook script local policy