fixup! fixup! fixup! Introduce SELinux policy for libvirt drivers

fedora-selinux · Sep 14, 2020 · 0fa96eb · 0fa96eb
1 parent 394a8d9
commit 0fa96eb
Show file tree

Hide file tree

Showing 2 changed files with 131 additions and 26 deletions.
diff --git a/virt.if b/virt.if
@@ -202,6 +202,7 @@ interface(`virt_image',`
 #
 interface(`virt_getattr_exec',`
     gen_require(`
+        attribute virt_driver_executable;
         type virtd_exec_t;
     ')
 
@@ -239,6 +240,7 @@ interface(`virt_domtrans',`
 #
 interface(`virt_exec',`
 	gen_require(`
+                attribute virt_driver_executable;
 		type virtd_exec_t;
 	')
 
@@ -268,6 +270,26 @@ interface(`virt_stream_connect',`
 	stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
 ')
 
+########################################
+## <summary>
+##      Read and write to virt_domain unix
+##      stream sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`virt_rw_stream_sockets_virt_domain',`
+        gen_require(`
+                attribute virt_domain;
+        ')
+
+	allow $1 virt_domain:unix_stream_socket { read write };
+')
+
+
 #######################################
 ## <summary>
 ##	Connect to svirt process over a unix domain stream socket.
@@ -1402,6 +1424,43 @@ interface(`virt_dontaudit_read_chr_dev',`
 	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##      Make the specified type usable as a virt file type
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a virt file type
+##      </summary>
+## </param>
+#
+interface(`virt_file_types',`
+        gen_require(`
+                attribute virt_file_type;
+        ')
+
+        typeattribute  $1  virt_file_type;
+')
+
+########################################
+## <summary>
+##      Make the specified type usable as a svirt file type 
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a svirt file type
+##      </summary>
+## </param>
+#
+interface(`svirt_file_types',`
+        gen_require(`
+                attribute svirt_file_type;
+        ')
+
+	typeattribute  $1  svirt_file_type;
+')
+
+
 ########################################
 ## <summary>
 ##	Creates types and rules for a basic
@@ -1472,6 +1531,24 @@ template(`virt_sandbox_net_domain',`
 	typeattribute  $1 sandbox_net_domain;
 ')
 
+########################################
+## <summary>
+##      Make the specified type usable as a virt system domain
+## </summary>
+## <param name="type">
+##      <summary>
+##      Type to be used as a virt system domain
+##      </summary>
+## </param>
+#
+interface(`virt_system_domain_type',`
+        gen_require(`
+                attribute virt_system_domain;
+        ')
+
+        typeattribute  $1  virt_system_domain;
+')
+
 ########################################
 ## <summary>
 ##	Execute a qemu_exec_t in the callers domain
@@ -1802,6 +1879,26 @@ interface(`virt_dgram_send',`
 	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
 ')
 
+########################################
+## <summary>
+##  Manage svirt home files,dirs and sockfiles.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`virt_svirt_manage_home',`
+        gen_require(`
+                type svirt_home_t;
+        ')
+
+        manage_files_pattern($1, svirt_home_t, svirt_home_t)
+        manage_dirs_pattern($1, svirt_home_t, svirt_home_t)
+        manage_sock_files_pattern($1, svirt_home_t, svirt_home_t)
+')
+
 ########################################
 ## <summary>
 ##  Manage svirt tmp files,dirs and sockfiles.

diff --git a/virt_supplementary.te b/virt_supplementary.te
@@ -9,23 +9,14 @@ gen_require(`
     class passwd passwd;
 ')
 
-attribute virt_system_domain;
-attribute virt_domain;
-attribute virt_file_type;
-attribute svirt_file_type;
-
-type virtd_exec_t, virt_file_type;
-
-type svirt_home_t, svirt_file_type;
-
-type virt_qmf_t, virt_system_domain;
-type virt_qmf_exec_t, virt_file_type;
+type virt_qmf_t;
+type virt_qmf_exec_t;
 init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
 
-type virt_bridgehelper_t, virt_system_domain;
+type virt_bridgehelper_t;
 domain_type(virt_bridgehelper_t)
 
-type virt_bridgehelper_exec_t, virt_file_type;
+type virt_bridgehelper_exec_t;
 domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
 role system_r types virt_bridgehelper_t;
 
@@ -51,25 +42,34 @@ gen_tunable(virt_rw_qemu_ga_data, false)
 gen_tunable(virt_qemu_ga_read_nonsecurity_files, false)
 
 # policy for qemu_ga
-type virt_qemu_ga_t, virt_system_domain;
-type virt_qemu_ga_exec_t, virt_file_type;
+type virt_qemu_ga_t;
+type virt_qemu_ga_exec_t;
 init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
 
-type virt_qemu_ga_var_run_t, virt_file_type;
+type virt_qemu_ga_var_run_t;
 files_pid_file(virt_qemu_ga_var_run_t)
 
-type virt_qemu_ga_log_t, virt_file_type;
+type virt_qemu_ga_log_t;
 logging_log_file(virt_qemu_ga_log_t)
 
-type virt_qemu_ga_tmp_t, virt_file_type;
+type virt_qemu_ga_tmp_t;
 files_tmp_file(virt_qemu_ga_tmp_t)
 
-type virt_qemu_ga_data_t, virt_file_type;
+type virt_qemu_ga_data_t;
 files_type(virt_qemu_ga_data_t)
 
-type virt_qemu_ga_unconfined_exec_t, virt_file_type;
+type virt_qemu_ga_unconfined_exec_t;
 application_executable_file(virt_qemu_ga_unconfined_exec_t)
 
+optional_policy(`
+        virt_file_types(virt_qemu_ga_exec_t)
+        virt_file_types(virt_qemu_ga_var_run_t)
+        virt_file_types(virt_qemu_ga_log_t)
+        virt_file_types(virt_qemu_ga_tmp_t)
+        virt_file_types(virt_qemu_ga_data_t)
+        virt_file_types(virt_qemu_ga_unconfined_exec_t)
+')
+
 ########################################
 #
 # virt_qmf local policy
@@ -81,8 +81,6 @@ allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
 allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
 allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 
-can_exec(virt_qmf_t, virtd_exec_t)
-
 kernel_read_system_state(virt_qmf_t)
 kernel_read_network_state(virt_qmf_t)
 
@@ -103,7 +101,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+        virt_exec(virt_qmf_t)
+        virt_file_types(virt_qmf_exec_t)
 	virt_stream_connect(virt_qmf_t)
+        virt_system_domain_type(virt_qmf_t)
 ')
 
 ########################################
@@ -117,10 +118,6 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
-allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };
-
-manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
-
 kernel_read_network_state(virt_bridgehelper_t)
 kernel_read_system_state(virt_bridgehelper_t)
 
@@ -132,6 +129,13 @@ corenet_rw_tun_tap_dev(virt_bridgehelper_t)
 
 userdom_use_inherited_user_ptys(virt_bridgehelper_t)
 
+optional_policy(`
+        virt_file_types(virt_bridgehelper_exec_t)
+        virt_rw_stream_sockets_virt_domain(virt_bridgehelper_t)
+        virt_svirt_manage_home(virt_bridgehelper_t)
+        virt_system_domain_type(virt_bridgehelper_t)
+')
+
 #######################################
 #
 # virt_qemu_ga local policy
@@ -254,6 +258,10 @@ optional_policy(`
 	udev_read_pid_files(virt_qemu_ga_t)
 ')
 
+optional_policy(`
+        virt_system_domain_type(virt_qemu_ga_t)
+')
+
 #######################################
 #
 # qemu-ga  unconfined hook script local policy