fixup! fixup! fixup! Introduce SELinux policy for libvirt drivers

virt.fc

@@ -38,6 +38,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /usr/sbin/virtxend	--	gen_context(system_u:object_r:virtxend_exec_t,s0)
 
 /var/cache/libvirt(/.*)?	gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
+/var/cache/libvirt-tck(/.*)? 	gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 
 /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 /var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
@@ -49,21 +50,30 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /var/log/log(/.*)?			gen_context(system_u:object_r:virt_log_t,s0)
 /var/log/libvirt(/.*)?			gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirtd\.pid		--	gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/virtlogd\.pid		--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
-/var/run/virtlxcd\.pid		--      gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
-/var/run/virtqemud\.pid		--	gen_context(system_u:object_r:qemu_var_run_t,s0)
-/var/run/virtvboxd\.pid		--	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
+# Avoid calling m4's "interface" by using en empty string
+/var/run/libvirt/interfac(e)(/.*)?	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/libvirt/nodedev(/.*)?		gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/libvirt/nwfilter(/.*)?		gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/libvirt/secrets(/.*)?		gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/libvirt/storage(/.*)?		gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+
+/var/run/virtlogd\.pid			--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/virtlxcd\.pid			--      gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/virtqemud\.pid			--	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/virtvboxd\.pid			--	gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
 /var/run/virtproxyd\.pid		--	gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
-/var/run/virtinterfaced\.pid	--	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
-/var/run/virtnetworkd\.pid	--	gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
-/var/run/virtnodedevd\.pid	--	gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
-/var/run/virtnwfilterd\.pid	--	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
-/var/run/virtsecretd\.pid	--	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
-/var/run/virtstoraged\.pid	--	gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
+/var/run/virtinterfaced\.pid		--	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
+/var/run/virtnetworkd\.pid		--	gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
+/var/run/virtnodedevd\.pid		--	gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
+/var/run/virtnwfilterd\.pid		--	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/virtnwfilterd-binding\.pid     --	gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
+/var/run/virtsecretd\.pid		--	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
+/var/run/virtstoraged\.pid		--	gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
 
-/var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt(/.*)?				gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
 /var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt/libvirt-sock                  -s	gen_context(system_u:object_r:virt_var_run_t,s0)
 /var/run/libvirt/virtlogd-sock			-s	gen_context(system_u:object_r:virtlogd_var_run_t,s0)
 /var/run/libvirt/virtinterfaced-admin-sock	-s	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
 /var/run/libvirt/virtinterfaced-sock		-s	gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
@@ -83,9 +93,9 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
 /var/run/libvirt/virtproxyd-admin-sock	-s	gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
 /var/run/libvirt/virtproxyd-sock		-s	gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
 /var/run/libvirt/virtproxyd-sock-ro		-s	gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
-/var/run/libvirt/virtqemud-admin-sock		-s	gen_context(system_u:object_r:qemu_var_run_t,s0)
-/var/run/libvirt/virtqemud-sock		-s	gen_context(system_u:object_r:qemu_var_run_t,s0)
-/var/run/libvirt/virtqemud-sock-ro		-s	gen_context(system_u:object_r:qemu_var_run_t,s0)
+/var/run/libvirt/virtqemud-admin-sock		-s	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/libvirt/virtqemud-sock		-s	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
+/var/run/libvirt/virtqemud-sock-ro		-s	gen_context(system_u:object_r:virtqemud_var_run_t,s0)
 /var/run/libvirt/virtsecretd-admin-sock	-s	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
 /var/run/libvirt/virtsecretd-sock		-s	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
 /var/run/libvirt/virtsecretd-sock-ro		-s	gen_context(system_u:object_r:virtsecretd_var_run_t,s0)

virt.if

@@ -114,13 +114,15 @@ template(`virt_driver_template',`
     gen_require(`
         attribute virt_driver_domain;
         attribute virt_driver_executable;
+        attribute virt_driver_var_run;
     ')
 
     type $1_t, virt_driver_domain;
+
     type $1_exec_t, virt_driver_executable;
     init_daemon_domain($1_t, $1_exec_t)
 
-    type $1_var_run_t;
+    type $1_var_run_t, virt_driver_var_run;
     files_pid_file($1_var_run_t)
 
     ##################################
@@ -134,17 +136,19 @@ template(`virt_driver_template',`
     allow $1_t self:rawip_socket create_socket_perms;
     allow $1_t self:unix_dgram_socket create_socket_perms;
 
-    allow $1_t virt_var_run_t:dir { create search_dir_perms };
+    manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t)
     manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
     manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
     manage_sock_files_pattern($1_t, virt_var_run_t, $1_var_run_t)
     files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file } )
-    filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { dir file sock_file } )
+    filetrans_pattern($1_t, virt_var_run_t, $1_var_run_t, { file sock_file } )
 
     read_files_pattern($1_t, virt_etc_t, virt_etc_t)
     manage_dirs_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
     manage_files_pattern($1_t, virt_etc_rw_t, virt_etc_rw_t)
+    filetrans_pattern($1_t, virt_etc_t, virt_etc_rw_t, dir)
 
+    allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms;
     allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;
     read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)
 
@@ -157,13 +161,28 @@ template(`virt_driver_template',`
 
     dev_read_sysfs($1_t)
 
+    files_read_non_security_files($1_t)
     init_read_utmp($1_t)
 
     logging_send_syslog_msg($1_t)
 
     miscfiles_read_generic_certs($1_t)
 
+    virt_manage_cache($1_t)
+    virt_manage_pid_files($1_t)
+    virt_stream_connect($1_t)
+
+    optional_policy(`
+        dbus_system_bus_client($1_t)
+    ')
+
+    optional_policy(`
+        dnsmasq_filetrans_named_content_fromdir($1_t, $1_var_run_t)
+    ')
+
     optional_policy(`
+        systemd_dbus_chat_logind($1_t)
+        systemd_machined_stream_connect($1_t)
         systemd_write_inhibit_pipes($1_t)
     ')
 ')
@@ -202,6 +221,7 @@ interface(`virt_image',`
 #
 interface(`virt_getattr_exec',`
     gen_require(`
+        attribute virt_driver_executable;
         type virtd_exec_t;
     ')
 
@@ -239,6 +259,7 @@ interface(`virt_domtrans',`
 #
 interface(`virt_exec',`
 	gen_require(`
+                attribute virt_driver_executable;
 		type virtd_exec_t;
 	')
 
@@ -261,13 +282,33 @@ interface(`virt_stream_connect',`
 		attribute virt_driver_domain;
 		attribute virt_driver_var_run;	
 		type virtd_t, virt_var_run_t;
-	')
+        ')
 
 	files_search_pids($1)
 	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
-	stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
+        stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
+')
+
+########################################
+## <summary>
+##      Read and write to virt_domain unix
+##      stream sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`virt_rw_stream_sockets_virt_domain',`
+        gen_require(`
+                attribute virt_domain;
+        ')
+
+	allow $1 virt_domain:unix_stream_socket { read write };
 ')
 
+
 #######################################
 ## <summary>
 ##	Connect to svirt process over a unix domain stream socket.
@@ -908,6 +949,24 @@ interface(`virt_manage_default_image_type',`
     read_lnk_files_pattern($1, virt_image_t, virt_image_t)
 ')
 
+#######################################
+## <summary>
+##  Get virtd services status
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`virtd_service_status',`
+    gen_require(`
+        type virtd_unit_file_t;
+    ')
+
+        allow $1 virtd_unit_file_t:service status;
+')
+
 ########################################
 ## <summary>
 ##	Execute virt server in the virt domain.
@@ -1252,7 +1311,7 @@ interface(`virt_signal',`
 #
 interface(`virt_signull',`
 	gen_require(`
-		virt_driver_domain;
+		attribute virt_driver_domain;
 		type virtd_t;
 	')
 
@@ -1402,6 +1461,43 @@ interface(`virt_dontaudit_read_chr_dev',`
 	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##      Make the specified type usable as a virt file type
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a virt file type
+##      </summary>
+## </param>
+#
+interface(`virt_file_types',`
+        gen_require(`
+                attribute virt_file_type;
+        ')
+
+        typeattribute  $1  virt_file_type;
+')
+
+########################################
+## <summary>
+##      Make the specified type usable as a svirt file type 
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a svirt file type
+##      </summary>
+## </param>
+#
+interface(`svirt_file_types',`
+        gen_require(`
+                attribute svirt_file_type;
+        ')
+
+	typeattribute  $1  svirt_file_type;
+')
+
+
 ########################################
 ## <summary>
 ##	Creates types and rules for a basic
@@ -1472,6 +1568,24 @@ template(`virt_sandbox_net_domain',`
 	typeattribute  $1 sandbox_net_domain;
 ')
 
+########################################
+## <summary>
+##      Make the specified type usable as a virt system domain
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a virt system domain
+##      </summary>
+## </param>
+#
+interface(`virt_system_domain_type',`
+        gen_require(`
+                attribute virt_system_domain;
+        ')
+
+        typeattribute  $1  virt_system_domain;
+')
+
 ########################################
 ## <summary>
 ##	Execute a qemu_exec_t in the callers domain
@@ -1802,6 +1916,26 @@ interface(`virt_dgram_send',`
 	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 
+########################################
+## <summary>
+##  Manage svirt home files,dirs and sockfiles.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`virt_svirt_manage_home',`
+        gen_require(`
+                type svirt_home_t;
+        ')
+
+        manage_files_pattern($1, svirt_home_t, svirt_home_t)
+        manage_dirs_pattern($1, svirt_home_t, svirt_home_t)
+        manage_sock_files_pattern($1, svirt_home_t, svirt_home_t)
+')
+
 ########################################
 ## <summary>
 ##  Manage svirt tmp files,dirs and sockfiles.