Introduce SELinux policy for libvirt drivers
New SELinux policy for libvirt drivers:
Hypervisor drivers:
 - virtqemud  (QEMU/KVM)
 - virtlxcd   (LXC)
 - virtvboxd  (VirtualBox)

Secondary drivers:
 - virtstoraged   (host storage mgmt)
 - virtnetworkd   (virtual network mgmt)
 - virtinterface  (network interface mgmt)
 - virtnodedevd   (physical device mgmt)
 - virtsecretd    (security credential mgmt)
 - virtnwfilterd  (ip[6]tables/ebtables mgmt)
 - virtproxyd     (proxy daemon)

SELinux policy for virtvzd and virtxend has not been created yet.
5umm3r15 committed Jul 30, 2020

1 parent 27225b9 commit 256681c
Showing 3 changed files with 430 additions and 19 deletions.
79 changes: 61 additions & 18 deletions virt.fc
@@ -28,6 +28,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_
/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)

/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
@@ -38,17 +39,18 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_
/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0)
/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0)

/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtinterfaced -- gen_context(system_u:object_r:virtinterfaced_exec_t,s0)
/usr/sbin/virtlxcd -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
/usr/sbin/virtnetworkd -- gen_context(system_u:object_r:virtnetworkd_exec_t,s0)
/usr/sbin/virtnodedevd -- gen_context(system_u:object_r:virtnodedevd_exec_t,s0)
/usr/sbin/virtnwfilterd -- gen_context(system_u:object_r:virtnwfilterd_exec_t,s0)
/usr/sbin/virtproxyd -- gen_context(system_u:object_r:virtproxyd_exec_t,s0)
/usr/sbin/virtqemud -- gen_context(system_u:object_r:virtqemud_exec_t,s0)
/usr/sbin/virtsecretd -- gen_context(system_u:object_r:virtsecretd_exec_t,s0)
/usr/sbin/virtstoraged -- gen_context(system_u:object_r:virtstoraged_exec_t,s0)
/usr/sbin/virtvboxd -- gen_context(system_u:object_r:virtvboxd_exec_t,s0)
/usr/sbin/virtvzd -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtxend -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0)

/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)

@@ -58,19 +60,60 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)? gen_context(system_u:object_r:svirt_
/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)

/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0)
/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0)
/var/run/virtlxcd\.pid -- gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
/var/run/virtqemud\.pid -- gen_context(system_u:object_r:qemu_var_run_t,s0)
/var/run/virtvboxd\.pid -- gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
/var/run/virtproxyd\.pid -- gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
/var/run/virtinterfaced\.pid -- gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
/var/run/virtnetworkd\.pid -- gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
/var/run/virtnodedevd\.pid -- gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
/var/run/virtnwfilterd\.pid -- gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
/var/run/virtsecretd\.pid -- gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
/var/run/virtstoraged\.pid -- gen_context(system_u:object_r:virtstoraged_var_run_t,s0)

/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0)
/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0)
/var/run/libvirt/virtinterfaced-admin-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
/var/run/libvirt/virtinterfaced-sock -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
/var/run/libvirt/virtinterfaced-sock-ro -s gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)
/var/run/libvirt/virtlxcd-admin-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
/var/run/libvirt/virtlxcd-sock -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
/var/run/libvirt/virtlxcd-sock-ro -s gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
/var/run/libvirt/virtnetworkd-admin-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
/var/run/libvirt/virtnetworkd-sock -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
/var/run/libvirt/virtnetworkd-sock-ro -s gen_context(system_u:object_r:virtnetworkd_var_run_t,s0)
/var/run/libvirt/virtnodedevd-admin-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
/var/run/libvirt/virtnodedevd-sock -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
/var/run/libvirt/virtnodedevd-sock-ro -s gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)
/var/run/libvirt/virtnwfilterd-admin-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
/var/run/libvirt/virtnwfilterd-sock -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
/var/run/libvirt/virtnwfilterd-sock-ro -s gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)
/var/run/libvirt/virtproxyd-admin-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
/var/run/libvirt/virtproxyd-sock -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
/var/run/libvirt/virtproxyd-sock-ro -s gen_context(system_u:object_r:virtproxyd_var_run_t,s0)
/var/run/libvirt/virtqemud-admin-sock -s gen_context(system_u:object_r:qemu_var_run_t,s0)
/var/run/libvirt/virtqemud-sock -s gen_context(system_u:object_r:qemu_var_run_t,s0)
/var/run/libvirt/virtqemud-sock-ro -s gen_context(system_u:object_r:qemu_var_run_t,s0)
/var/run/libvirt/virtsecretd-admin-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
/var/run/libvirt/virtsecretd-sock -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
/var/run/libvirt/virtsecretd-sock-ro -s gen_context(system_u:object_r:virtsecretd_var_run_t,s0)
/var/run/libvirt/virtstoraged-admin-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
/var/run/libvirt/virtstoraged-sock -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
/var/run/libvirt/virtstoraged-sock-ro -s gen_context(system_u:object_r:virtstoraged_var_run_t,s0)
/var/run/libvirt/virtvboxd-admin-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
/var/run/libvirt/virtvboxd-sock -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
/var/run/libvirt/virtvboxd-sock-ro -s gen_context(system_u:object_r:virtvboxd_var_run_t,s0)
/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0)
/var/run/qemu-pr-helper\.sock -s gen_context(system_u:object_r:virt_var_run_t,s0)

/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
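Review bot: `/usr/sbin/virtxend -- gen_context(system_u:object_r:virtxend_exec_t,s0)` in the second hunk labels the xen driver with a type the commit message itself says has no policy yet; unless virt.te (not shown on this page) declares `virtxend_exec_t` the module will not build, and if it does declare it, virtxend is entered into a domain with no rules, so the replaced `/usr/sbin/virtxend -- gen_context(system_u:object_r:virtd_exec_t,s0)` line should stay until the virtxend policy lands. In the third hunk the new `virtqemud\.pid` and `virtqemud-*-sock` entries reuse `qemu_var_run_t`, the type already given to `/var/run/libvirt/qemu(/.*)?` with range `s0-mls_systemhigh`, instead of a dedicated per-driver type like the neighbouring `virtvboxd_var_run_t` and `virtstoraged_var_run_t` entries, so any domain allowed to connect to `qemu_var_run_t` sockets also reaches the qemu driver's admin socket. A dedicated `virtqemud_var_run_t` (a proposed new type, declared alongside the other driver types) would keep the driver's control sockets separate from per-VM runtime state. Note also that for every driver the `-admin-sock`, `-sock` and `-sock-ro` sockets carry a single type, so policy alone cannot tell read-only clients from admin clients and only DAC on the socket does; if that is intended, a one-line comment above the socket entries saying so would save the next reader the check.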

64 changes: 64 additions & 0 deletions virt.if
@@ -99,6 +99,51 @@ template(`virt_domain_template',`
allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
')

######################################
## <summary>
## Creates types and rules for a basic
## virt driver domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`virt_driver_template',`
gen_require(`
attribute virt_driver_domain;
')

type $1_t, virt_driver_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)

allow $1_t self:netlink_audit_socket create;
allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
allow $1_t self:netlink_route_socket create_netlink_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;

kernel_dgram_send($1_t)

auth_read_passwd($1_t)

dbus_read_pid_files($1_t)
dbus_stream_connect_system_dbusd($1_t)

dev_read_sysfs($1_t)

init_read_utmp($1_t)

logging_send_syslog_msg($1_t)

miscfiles_read_generic_certs($1_t)

optional_policy(`
systemd_write_inhibit_pipes($1_t)
')
')

########################################
## <summary>
## Make the specified type usable as a virt image
@@ -175,6 +220,25 @@ interface(`virt_exec',`
can_exec($1, virtd_exec_t)
')

########################################
## <summary>
## Transition to virt_qmf.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`virt_domtrans_qmf',`
gen_require(`
type virt_qmf_t, virt_qmf_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
')

########################################
## <summary>
## Transition to virt_bridgehelper.
