|
 |
06d521d |
## <summary>Libvirt virtualization API</summary>
|
|
|
1ec3d1a |
|
|
|
06d521d |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Creates types and rules for a basic
|
|
|
06d521d |
## qemu process domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
06d521d |
## <param name="prefix">
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Prefix for the domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
template(`virt_domain_template',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_image_type, virt_domain;
|
|
|
1ec3d1a |
attribute virt_tmpfs_type;
|
|
|
1ec3d1a |
attribute virt_ptynode;
|
|
|
1ec3d1a |
type qemu_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type $1_t, virt_domain;
|
|
|
1ec3d1a |
application_domain($1_t, qemu_exec_t)
|
|
|
1ec3d1a |
domain_user_exemption_target($1_t)
|
|
|
1ec3d1a |
mls_rangetrans_target($1_t)
|
|
|
1f86dac |
mcs_constrained($1_t)
|
|
|
1ec3d1a |
role system_r types $1_t;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type $1_devpts_t, virt_ptynode;
|
|
|
1ec3d1a |
term_pty($1_devpts_t)
|
|
|
1ec3d1a |
|
|
|
1bafb67 |
kernel_read_system_state($1_t)
|
|
|
1bafb67 |
|
|
 |
1eebd6a |
auth_read_passwd($1_t)
|
|
|
1ec3d1a |
|
|
|
05b4f84 |
logging_send_syslog_msg($1_t)
|
|
|
05b4f84 |
|
|
|
1ec3d1a |
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
|
|
1ec3d1a |
term_create_pty($1_t, $1_devpts_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Make the specified type usable as a virt image
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="type">
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Type to be used as a virtual image
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_image',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_image_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
typeattribute $1 virt_image_type;
|
|
|
1ec3d1a |
files_type($1)
|
|
|
06d521d |
|
|
|
06d521d |
# virt images can be assigned to blk devices
|
|
|
1ec3d1a |
dev_node($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Getattr on virt executable.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_getattr_exec',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virtd_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virtd_exec_t:file getattr;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Execute a domain transition to run virt.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_domtrans',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virtd_t, virtd_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern($1, virtd_exec_t, virtd_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Transition to virt_qmf.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_domtrans_qmf',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_qmf_t, virt_qmf_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_search_bin($1)
|
|
|
1ec3d1a |
domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Transition to virt_bridgehelper.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
interface(`virt_domtrans_bridgehelper',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_bridgehelper_t, virt_bridgehelper_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Connect to virt over a unix domain stream socket.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_stream_connect',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virtd_t, virt_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Allow domain to attach to virt TUN devices
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_attach_tun_iface',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virtd_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virtd_t:tun_socket relabelfrom;
|
|
|
1ec3d1a |
allow $1 self:tun_socket relabelto;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Read virt config files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_config',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_etc_t, virt_etc_rw_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_etc($1)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_etc_t, virt_etc_t)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
|
1ec3d1a |
read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## manage virt config files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_config',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_etc_t, virt_etc_rw_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_etc($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_etc_t, virt_etc_t)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
|
1ec3d1a |
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Allow domain to manage virt image files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_content',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_content_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
virt_search_lib($1)
|
|
|
1ec3d1a |
allow $1 virt_content_t:dir list_dir_perms;
|
|
|
1ec3d1a |
list_dirs_pattern($1, virt_content_t, virt_content_t)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_content_t, virt_content_t)
|
|
|
1ec3d1a |
read_lnk_files_pattern($1, virt_content_t, virt_content_t)
|
|
|
1ec3d1a |
read_blk_files_pattern($1, virt_content_t, virt_content_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`virt_use_nfs',`
|
|
|
1ec3d1a |
fs_list_nfs($1)
|
|
|
1ec3d1a |
fs_read_nfs_files($1)
|
|
|
1ec3d1a |
fs_read_nfs_symlinks($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`virt_use_samba',`
|
|
|
1ec3d1a |
fs_list_cifs($1)
|
|
|
1ec3d1a |
fs_read_cifs_files($1)
|
|
|
1ec3d1a |
fs_read_cifs_symlinks($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Allow domain to write virt image files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_write_content',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_content_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_content_t:file write_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read virt PID files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_pid_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage virt pid directories.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_pid_dirs',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_run_t;
|
|
|
1ec3d1a |
type virt_lxc_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
|
1ec3d1a |
manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
|
1ec3d1a |
virt_filetrans_named_content($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage virt pid files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_pid_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_run_t;
|
|
|
1ec3d1a |
type virt_lxc_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create objects in the pid directory
|
|
|
1ec3d1a |
## with a private type with a type transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="file">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Type to which the created node will be transitioned.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="class">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Object class(es) (single or set including {}) for which this
|
|
|
1ec3d1a |
## the transition will occur.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
e96ffe5 |
## <param name="name" optional="true">
|
|
|
e96ffe5 |
## <summary>
|
|
|
e96ffe5 |
## The name of the object being created.
|
|
|
e96ffe5 |
## </summary>
|
|
|
e96ffe5 |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_pid_filetrans',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Search virt lib directories.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_search_lib',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
Dominick Grift |
163313a |
allow $1 virt_var_lib_t:dir search_dir_perms;
|
|
|
06d521d |
files_search_var_lib($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read virt lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_lib_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
|
1ec3d1a |
read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Dontaudit inherited read virt lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain to not audit.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_dontaudit_read_lib_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create, read, write, and delete
|
|
|
1ec3d1a |
## virt lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_lib_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Allow the specified domain to read virt's log files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_log_t, virt_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Allow the specified domain to append
|
|
|
06d521d |
## virt log files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_append_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
append_files_pattern($1, virt_log_t, virt_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Allow domain to manage virt log files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_dirs_pattern($1, virt_log_t, virt_log_t)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_log_t, virt_log_t)
|
|
|
1ec3d1a |
manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Allow domain to search virt image direcories
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_search_images',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_image_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
virt_search_lib($1)
|
|
|
1ec3d1a |
allow $1 virt_image_type:dir search_dir_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Allow domain to read virt image files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_images',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_lib_t;
|
|
|
1ec3d1a |
attribute virt_image_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
virt_search_lib($1)
|
|
|
1ec3d1a |
allow $1 virt_image_type:dir list_dir_perms;
|
|
|
1ec3d1a |
list_dirs_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
read_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
read_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
read_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`virt_use_nfs',`
|
|
|
1ec3d1a |
fs_list_nfs($1)
|
|
|
1ec3d1a |
fs_read_nfs_files($1)
|
|
|
1ec3d1a |
fs_read_nfs_symlinks($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`virt_use_samba',`
|
|
|
1ec3d1a |
fs_list_cifs($1)
|
|
|
1ec3d1a |
fs_read_cifs_files($1)
|
|
|
1ec3d1a |
fs_read_cifs_symlinks($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Allow domain to read virt blk image files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_blk_images',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_image_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
read_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
41198a6 |
## Allow domain to read/write virt image chr files
|
|
|
41198a6 |
## </summary>
|
|
|
41198a6 |
## <param name="domain">
|
|
|
41198a6 |
## <summary>
|
|
|
41198a6 |
## Domain allowed access.
|
|
|
41198a6 |
## </summary>
|
|
|
41198a6 |
## </param>
|
|
|
41198a6 |
#
|
|
|
41198a6 |
interface(`virt_rw_chr_files',`
|
|
|
41198a6 |
gen_require(`
|
|
|
41198a6 |
attribute virt_image_type;
|
|
|
41198a6 |
')
|
|
|
41198a6 |
|
|
|
41198a6 |
rw_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
41198a6 |
')
|
|
|
41198a6 |
|
|
|
41198a6 |
########################################
|
|
|
41198a6 |
## <summary>
|
|
|
1ec3d1a |
## Create, read, write, and delete
|
|
|
1ec3d1a |
## svirt cache files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_cache',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_cache_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var($1)
|
|
|
1ec3d1a |
manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_cache_t, virt_cache_t)
|
|
|
1ec3d1a |
manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
06d521d |
## Allow domain to manage virt image files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_images',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_var_lib_t;
|
|
|
1ec3d1a |
attribute virt_image_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
virt_search_lib($1)
|
|
|
1ec3d1a |
allow $1 virt_image_type:dir list_dir_perms;
|
|
|
1ec3d1a |
manage_dirs_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
rw_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
e0b1582 |
#######################################
|
|
|
e0b1582 |
## <summary>
|
|
|
e0b1582 |
## Allow domain to manage virt image files
|
|
|
e0b1582 |
## </summary>
|
|
|
e0b1582 |
## <param name="domain">
|
|
|
e0b1582 |
## <summary>
|
|
|
e0b1582 |
## Domain allowed access.
|
|
|
e0b1582 |
## </summary>
|
|
|
e0b1582 |
## </param>
|
|
|
e0b1582 |
#
|
|
|
e0b1582 |
interface(`virt_manage_default_image_type',`
|
|
|
e0b1582 |
gen_require(`
|
|
|
e0b1582 |
type virt_var_lib_t;
|
|
|
e0b1582 |
type virt_image_t;
|
|
|
e0b1582 |
')
|
|
|
e0b1582 |
|
|
|
e0b1582 |
virt_search_lib($1)
|
|
|
e0b1582 |
manage_dirs_pattern($1, virt_image_t, virt_image_t)
|
|
|
e0b1582 |
manage_files_pattern($1, virt_image_t, virt_image_t)
|
|
|
e0b1582 |
read_lnk_files_pattern($1, virt_image_t, virt_image_t)
|
|
|
e0b1582 |
')
|
|
|
e0b1582 |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
7736298 |
## Execute virt server in the virt domain.
|
|
|
7736298 |
## </summary>
|
|
|
7736298 |
## <param name="domain">
|
|
|
7736298 |
## <summary>
|
|
|
7736298 |
## Domain allowed to transition.
|
|
|
7736298 |
## </summary>
|
|
|
7736298 |
## </param>
|
|
|
7736298 |
#
|
|
|
7736298 |
interface(`virt_systemctl',`
|
|
|
7736298 |
gen_require(`
|
|
|
7736298 |
type virtd_unit_file_t;
|
|
|
7736298 |
type virtd_t;
|
|
|
7736298 |
')
|
|
|
7736298 |
|
|
|
7736298 |
systemd_exec_systemctl($1)
|
|
|
7736298 |
allow $1 virtd_unit_file_t:file read_file_perms;
|
|
|
7736298 |
allow $1 virtd_unit_file_t:service manage_service_perms;
|
|
|
7736298 |
|
|
|
7736298 |
ps_process_pattern($1, virtd_t)
|
|
|
7736298 |
')
|
|
|
7736298 |
|
|
|
7736298 |
########################################
|
|
|
7736298 |
## <summary>
|
|
|
08157e6 |
## Ptrace the svirt domain
|
|
|
08157e6 |
## </summary>
|
|
|
08157e6 |
## <param name="domain">
|
|
|
08157e6 |
## <summary>
|
|
|
08157e6 |
## Domain allowed to transition.
|
|
|
08157e6 |
## </summary>
|
|
|
08157e6 |
## </param>
|
|
|
08157e6 |
#
|
|
|
08157e6 |
interface(`virt_ptrace',`
|
|
|
08157e6 |
gen_require(`
|
|
|
08157e6 |
attribute virt_domain;
|
|
|
08157e6 |
')
|
|
|
08157e6 |
|
|
|
de22608 |
allow $1 virt_domain:process ptrace;
|
|
|
08157e6 |
')
|
|
|
08157e6 |
|
|
|
08157e6 |
########################################
|
|
|
08157e6 |
## <summary>
|
|
|
06d521d |
## All of the rules required to administrate
|
|
|
06d521d |
## an virt environment
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_admin',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virtd_t, virtd_initrc_exec_t;
|
|
|
1ec3d1a |
attribute virt_domain;
|
|
|
1ec3d1a |
type virt_lxc_t;
|
|
|
7736298 |
type virtd_unit_file_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virtd_t:process signal_perms;
|
|
|
1ec3d1a |
ps_process_pattern($1, virtd_t)
|
|
|
1ec3d1a |
tunable_policy(`deny_ptrace',`',`
|
|
|
c0896ae |
allow $1 virtd_t:process ptrace;
|
|
|
c0896ae |
allow $1 virt_lxc_t:process ptrace;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_lxc_t:process signal_perms;
|
|
|
1ec3d1a |
ps_process_pattern($1, virt_lxc_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
|
|
|
1ec3d1a |
domain_system_change_exemption($1)
|
|
|
1ec3d1a |
role_transition $2 virtd_initrc_exec_t system_r;
|
|
|
1ec3d1a |
allow $2 system_r;
|
|
|
1ec3d1a |
|
|
|
06d521d |
virt_manage_pid_files($1)
|
|
|
1ec3d1a |
|
|
|
06d521d |
virt_manage_lib_files($1)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
virt_manage_log($1)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
virt_manage_images($1)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_domain:process signal_perms;
|
|
|
7736298 |
|
|
|
7736298 |
virt_systemctl($1)
|
|
|
7736298 |
admin_pattern($1, virtd_unit_file_t)
|
|
|
7736298 |
allow $1 virtd_unit_file_t:service all_service_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute qemu in the svirt domain, and
|
|
|
1ec3d1a |
## allow the specified role the svirt domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## The role to be allowed the sandbox domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_transition_svirt',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
0ec3868 |
attribute virt_domain;
|
|
|
9c6953b |
type virt_bridgehelper_t;
|
|
|
6cfa7e7 |
type svirt_image_t;
|
|
|
f003e42 |
type svirt_socket_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
0ec3868 |
allow $1 virt_domain:process transition;
|
|
|
0ec3868 |
role $2 types virt_domain;
|
|
|
9c6953b |
role $2 types virt_bridgehelper_t;
|
|
|
f003e42 |
role $2 types svirt_socket_t;
|
|
|
1ec3d1a |
|
|
|
3b7c70f |
allow $1 virt_domain:process { sigkill sigstop signull signal };
|
|
|
190dc88 |
allow $1 svirt_image_t:file { relabelfrom relabelto };
|
|
|
190dc88 |
allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
|
|
|
0824cb9 |
allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
|
|
|
f003e42 |
allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
|
|
|
190dc88 |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
0ec3868 |
ptchown_run(virt_domain, $2)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Do not audit attempts to write virt daemon unnamed pipes.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain to not audit.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_dontaudit_write_pipes',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virtd_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dontaudit $1 virtd_t:fd use;
|
|
|
1ec3d1a |
dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Send a sigkill to virtual machines
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_kill_svirt',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_domain;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_domain:process sigkill;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Send a signal to virtual machines
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_signal_svirt',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_domain;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_domain:process signal;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage virt home files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_home_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_home_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_search_user_home_dirs($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, virt_home_t, virt_home_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## allow domain to read
|
|
|
1ec3d1a |
## virt tmpfs files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_read_tmpfs_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_tmpfs_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_tmpfs_type:file read_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## allow domain to manage
|
|
|
1ec3d1a |
## virt tmpfs files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_manage_tmpfs_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_tmpfs_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 virt_tmpfs_type:file manage_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create .virt directory in the user home directory
|
|
|
1ec3d1a |
## with an correct label.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_filetrans_home_content',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_home_t;
|
|
|
6cfa7e7 |
type svirt_home_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
|
|
|
1ec3d1a |
userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
|
|
|
6cfa7e7 |
filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
|
|
|
9d36b8e |
|
|
|
9d36b8e |
optional_policy(`
|
|
|
9d36b8e |
gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
|
|
|
9d36b8e |
gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
|
|
|
9d36b8e |
gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
|
|
|
9d36b8e |
gnome_data_filetrans($1, svirt_home_t, dir, "images")
|
|
|
9d36b8e |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Dontaudit attempts to Read virt_image_type devices.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_dontaudit_read_chr_dev',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute virt_image_type;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Creates types and rules for a basic
|
|
|
1ec3d1a |
## virt_lxc process domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="prefix">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Prefix for the domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
template(`virt_lxc_domain_template',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
attribute svirt_lxc_domain;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type $1_t, svirt_lxc_domain;
|
|
|
1ec3d1a |
domain_type($1_t)
|
|
|
1ec3d1a |
domain_user_exemption_target($1_t)
|
|
|
1ec3d1a |
mls_rangetrans_target($1_t)
|
|
|
1f86dac |
mcs_constrained($1_t)
|
|
|
1ec3d1a |
role system_r types $1_t;
|
|
|
1bafb67 |
|
|
|
1bafb67 |
kernel_read_system_state($1_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute a qemu_exec_t in the callers domain
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_exec_qemu',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type qemu_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
can_exec($1, qemu_exec_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Transition to virt named content
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`virt_filetrans_named_content',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type virt_lxc_var_run_t;
|
|
|
432dac7 |
type virt_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
|
|
|
432dac7 |
files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
|
|
|
39a0b39 |
files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
|
|
|
1ec3d1a |
')
|
|
|
b6c47b6 |
|
|
|
b6c47b6 |
########################################
|
|
|
b6c47b6 |
## <summary>
|
|
|
b6c47b6 |
## Execute qemu in the svirt domain, and
|
|
|
b6c47b6 |
## allow the specified role the svirt domain.
|
|
|
b6c47b6 |
## </summary>
|
|
|
b6c47b6 |
## <param name="domain">
|
|
|
b6c47b6 |
## <summary>
|
|
|
b6c47b6 |
## Domain allowed access
|
|
|
b6c47b6 |
## </summary>
|
|
|
b6c47b6 |
## </param>
|
|
|
b6c47b6 |
## <param name="role">
|
|
|
b6c47b6 |
## <summary>
|
|
|
b6c47b6 |
## The role to be allowed the sandbox domain.
|
|
|
b6c47b6 |
## </summary>
|
|
|
b6c47b6 |
## </param>
|
|
|
b6c47b6 |
## <rolecap/>
|
|
|
b6c47b6 |
#
|
|
|
b6c47b6 |
interface(`virt_transition_svirt_lxc',`
|
|
|
b6c47b6 |
gen_require(`
|
|
|
b6c47b6 |
attribute svirt_lxc_domain;
|
|
|
b6c47b6 |
')
|
|
|
b6c47b6 |
|
|
|
b6c47b6 |
allow $1 svirt_lxc_domain:process transition;
|
|
|
b6c47b6 |
role $2 types svirt_lxc_domain;
|
|
|
b6c47b6 |
|
|
|
b6c47b6 |
allow svirt_lxc_domain $1:process sigchld;
|
|
|
b6c47b6 |
')
|