Add interfaces to virt and fix policy for nbdkit

Resolves: rhbz#2182505
Showing
6 changed files
with
309 additions
and
0 deletions.
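--- /dev/null
+++ b/FC_FILE_PATH_NOT_SHOWN
@@ -0,0 +1,5 @@
+HOME_DIR/tmp(/.*)? gen_context(system_u:object_r:nbdkit_home_t,s0)
+
+/usr/sbin/nbdkit -- gen_context(system_u:object_r:nbdkit_exec_t,s0)
+
+/usr/lib/systemd/system/nbdkit.* gen_context(system_u:object_r:nbdkit_unit_file_t,s0)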
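Review bot: The first entry, `HOME_DIR/tmp(/.*)?`, labels every user's entire ~/tmp tree as nbdkit_home_t rather than only the files nbdkit creates, so the manage_dirs/manage_files rules for nbdkit_home_t in the accompanying .te give nbdkit_t full control of anything a user keeps there, and other confined domains that expect the usual home-content label under ~/tmp may lose access after a restorecon. If nbdkit only needs scratch space of its own, a narrower pattern (for example a dedicated nbdkit subdirectory) would keep the label footprint minimal; confirm against nbdkit's default cache/socket location before changing it. Whether the `(/.*)?` suffix is needed at all depends on whether nbdkit creates nested directories there, which this page does not show.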
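--- /dev/null
+++ b/nbdkit.if
@@ -0,0 +1,134 @@
+[root@ci-vm-10-0-136-52 policy]# cat nbdkit.if
+
+## <summary>policy for nbdkit</summary>
+
+########################################
+## <summary>
+## Execute nbdkit_exec_t in the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nbdkit_domtrans',`
+gen_require(`
+type nbdkit_t, nbdkit_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, nbdkit_exec_t, nbdkit_t)
+')
+
+######################################
+## <summary>
+## Execute nbdkit in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nbdkit_exec',`
+gen_require(`
+type nbdkit_exec_t;
+')
+
+corecmd_search_bin($1)
+can_exec($1, nbdkit_exec_t)
+')
+
+########################################
+## <summary>
+## Execute nbdkit in the nbdkit domain, and
+## allow the specified role the nbdkit domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the nbdkit domain.
+## </summary>
+## </param>
+#
+interface(`nbdkit_run',`
+gen_require(`
+type nbdkit_t;
+attribute_role nbdkit_roles;
+')
+
+nbdkit_domtrans($1)
+roleattribute $2 nbdkit_roles;
+')
+
+########################################
+## <summary>
+## Role access for nbdkit
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`nbdkit_role',`
+gen_require(`
+type nbdkit_t;
+attribute_role nbdkit_roles;
+')
+
+roleattribute $1 nbdkit_roles;
+
+nbdkit_domtrans($2)
+
+ps_process_pattern($2, nbdkit_t)
+allow $2 nbdkit_t:process { signull signal sigkill };
+')
+
+########################################
+## <summary>
+## Allow attempts to connect to nbdkit
+## with a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nbdkit_stream_connect',`
+gen_require(`
+type nbdkit_t;
+')
+
+allow $1 nbdkit_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Allow nbdkit_exec_t to be an entrypoint
+## of the specified domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nbdkit_entrypoint',`
+gen_require(`
+type nbdkit_exec_t;
+')
+allow $1 nbdkit_exec_t:file entrypoint;
+')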
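Review bot: The first line of the file, `[root@ci-vm-10-0-136-52 policy]# cat nbdkit.if`, is a pasted shell prompt rather than policy and should be deleted; it sits outside any `interface()` definition, so it is handed verbatim to the m4 pass over the interface set and at best pollutes the generated interfaces, at worst breaks the policy build. Separately, the parameter of `nbdkit_stream_connect` is documented as `Domain to not audit.` although the body is an `allow` rule, not a dontaudit; the summary should read `Domain allowed access.` to match the other interfaces in this file. The `<rolecap/>` tag on `nbdkit_entrypoint` is unusual for an entrypoint interface that grants no role access; confirm it was intended.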
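--- /dev/null
+++ b/TE_FILE_PATH_NOT_SHOWN
@@ -0,0 +1,99 @@
+policy_module(nbdkit, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+type unconfined_t;
+')
+
+type nbdkit_t;
+type nbdkit_exec_t;
+application_domain(nbdkit_t, nbdkit_exec_t)
+mcs_constrained(nbdkit_t)
+role system_r types nbdkit_t;
+
+type nbdkit_home_t;
+userdom_user_home_content(nbdkit_home_t)
+
+type nbdkit_tmp_t;
+files_tmp_file(nbdkit_tmp_t)
+
+type nbdkit_unit_file_t;
+systemd_unit_file(nbdkit_unit_file_t)
+
+permissive nbdkit_t;
+
+########################################
+#
+# nbdkit local policy
+#
+allow nbdkit_t self:capability { setgid setuid };
+allow nbdkit_t self:fifo_file rw_fifo_file_perms;
+allow nbdkit_t self:netlink_route_socket rw_netlink_socket_perms;
+allow nbdkit_t self:process { fork setsockcreate signal_perms };
+allow nbdkit_t self:tcp_socket create_stream_socket_perms;
+allow nbdkit_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+manage_files_pattern(nbdkit_t, nbdkit_tmp_t, nbdkit_tmp_t)
+userdom_user_tmp_filetrans(nbdkit_t, nbdkit_tmp_t, { dir file })
+
+manage_dirs_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+manage_files_pattern(nbdkit_t, nbdkit_home_t, nbdkit_home_t)
+userdom_user_home_dir_filetrans(nbdkit_t, nbdkit_home_t, { dir file })
+
+corenet_tcp_connect_http_port(nbdkit_t)
+corenet_tcp_connect_ssh_port(nbdkit_t)
+corenet_tcp_connect_tftp_port(nbdkit_t)
+corenet_tcp_bind_generic_port(nbdkit_t)
+corenet_tcp_bind_generic_node(nbdkit_t)
+
+domain_use_interactive_fds(nbdkit_t)
+
+files_read_etc_files(nbdkit_t)
+
+init_abstract_socket_activation(nbdkit_t)
+init_ioctl_stream_sockets(nbdkit_t)
+init_rw_stream_sockets(nbdkit_t)
+
+optional_policy(`
+auth_use_nsswitch(nbdkit_t)
+')
+
+optional_policy(`
+logging_send_syslog_msg(nbdkit_t)
+')
+
+optional_policy(`
+miscfiles_read_localization(nbdkit_t)
+miscfiles_read_generic_certs(nbdkit_t)
+')
+
+optional_policy(`
+sysnet_dns_name_resolve(nbdkit_t)
+sysnet_read_config(nbdkit_t)
+')
+
+optional_policy(`
+userdom_use_inherited_user_ptys(nbdkit_t)
+')
+
+optional_policy(`
+virt_create_svirt_image_sock_files(nbdkit_t)
+virt_read_qemu_pid_files(nbdkit_t)
+virtlogd_rw_pipes(nbdkit_t)
+virt_rw_svirt_image(nbdkit_t)
+virt_rw_svirt_image_dirs(nbdkit_t)
+virt_search_lib(nbdkit_t)
+virt_stream_connect_svirt(nbdkit_t)
+')
+
+
+# FIXME: It would be nice to allow libvirt to transition nbdkit_exec_t to
+# nbdkit_t when libvirtd was started manually from the commandline (i.e. in
+# unconfined_t), but we don't want this transition to happen automatically
+# when starting directly from the shell. I'm not sure how to achieve this...
+#nbdkit_domtrans(unconfined_t, nbdkit_exec_t, nbdkit_t)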
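Review bot: `permissive nbdkit_t;` makes every rule in this file audit-only, so the domain this commit introduces enforces nothing and denials are merely logged; that may be the intended bring-up state for a new domain, but it should be stated in the commit message and tracked for removal once the rule set is validated, because a permissive domain for a service that reads and writes svirt disk images is effectively unconfined. The `gen_require` of `unconfined_t` at the top is referenced only by the commented-out FIXME line at the bottom, so it adds a hard dependency on the unconfined module for no effect and can be dropped; that commented call also passes three arguments to `nbdkit_domtrans`, which nbdkit.if in this same commit defines with a single parameter, so it would not work if uncommented as written. `corenet_tcp_bind_generic_port` together with `corenet_tcp_bind_generic_node` lets nbdkit listen on any unreserved port on any address; if nbdkit's default listening port is fixed, a dedicated port type would be tighter.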