From 5c2783a3075448651704eaae54270e6b9d5e5250 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Feb 02 2015 14:55:14 +0000 Subject: * Mon Feb 02 2015 Lukas Vrabec 3.12.1-199 - Allow svirt sandbox domains to read /proc/mtrr --- diff --git a/policy-f20-base.patch b/policy-f20-base.patch index 31e36be..c5539eb 100644 --- a/policy-f20-base.patch +++ b/policy-f20-base.patch @@ -6210,7 +6210,7 @@ index b31c054..0ad8553 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..a5b4426 100644 +index 76f285e..830c1c5 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6988,7 +6988,7 @@ index 76f285e..a5b4426 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3329,32 @@ interface(`dev_write_mtrr',` ## ## # @@ -7002,10 +7002,29 @@ index 76f285e..a5b4426 100644 - dontaudit $1 mtrr_device_t:chr_file write; + dontaudit $1 mtrr_device_t:file { open read }; + dontaudit $1 mtrr_device_t:chr_file { open read }; ++') ++ ++######################################## ++## ++## Read the memory type range registers (MTRR). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_mtrr',` ++ gen_require(` ++ type device_t, mtrr_device_t; ++ ') ++ ++ read_files_pattern($1, device_t, mtrr_device_t) ++ read_chr_files_pattern($1, device_t, mtrr_device_t) ') ######################################## -@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3522,42 @@ interface(`dev_create_null_dev',` ######################################## ## 
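Review bot: The new `dev_read_mtrr` interface in devices.if is broader than its one-line summary and the commit title: besides `read_files_pattern($1, device_t, mtrr_device_t)` for the /proc/mtrr file it also adds `read_chr_files_pattern($1, device_t, mtrr_device_t)`, which grants read on the MTRR character device, while the header only says "Read the memory type range registers (MTRR)." The summary should name both objects, e.g. `## Read the memory type range registers (MTRR) via the /proc file and the MTRR character device.`, so a caller that needs only the /proc file can see what else it is being granted. The `device_t` directory argument presumably yields search only on the /dev tree; if /proc/mtrr sits under a different directory type, the caller still needs that search permission from another interface, and a short comment above the read_files_pattern line saying so would save a confusing denial later. The dontaudit interface just above it uses the same two object classes, so the file/chr_file split is at least consistent within the hunk.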
@@ -7048,7 +7067,7 @@ index 76f285e..a5b4426 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3577,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7073,7 +7092,7 @@ index 76f285e..a5b4426 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3686,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7100,7 +7119,7 @@ index 76f285e..a5b4426 100644 ## ## ## -@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3712,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7117,7 +7136,7 @@ index 76f285e..a5b4426 100644 ') ######################################## -@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3850,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7126,7 +7145,7 @@ index 76f285e..a5b4426 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3864,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -7135,7 +7154,7 @@ index 76f285e..a5b4426 100644 ') ######################################## -@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4306,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7144,7 +7163,7 @@ index 76f285e..a5b4426 100644 ## ## ## -@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4314,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7209,7 +7228,7 @@ index 76f285e..a5b4426 100644 ## ## ## -@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',` +@@ -3917,22 +4368,113 @@ interface(`dev_list_sysfs',` ## ## # 
@@ -7233,44 +7252,37 @@ index 76f285e..a5b4426 100644 ## -## Domain to not audit. +## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_write_sysfs_dirs',` ++## ++## ++# +interface(`dev_unmount_sysfs_fs',` - gen_require(` - type sysfs_t; - ') - -- dontaudit $1 sysfs_t:dir write; ++ gen_require(` ++ type sysfs_t; ++ ') ++ + allow $1 sysfs_t:filesystem unmount; - ') - - ######################################## - ## --## Create, read, write, and delete sysfs --## directories. ++') ++ ++######################################## ++## +## Search the sysfs directories. - ## - ## - ## -@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',` - ## - ## - # --interface(`dev_manage_sysfs_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ gen_require(` ++ type sysfs_t; ++ ') ++ + search_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read hardware state information. ++') ++ ++######################################## ++## +## Do not audit attempts to search sysfs. +## +## @@ -7309,15 +7321,7 @@ index 76f285e..a5b4426 100644 +######################################## +## +## Write in a sysfs directories. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
++##
+## +## +## Domain allowed access. @@ -7340,34 +7344,31 @@ index 76f285e..a5b4426 100644 +## +## +## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_write_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ dontaudit $1 sysfs_t:dir write; -+') -+ -+######################################## -+## + ## + ## + # +@@ -3946,23 +4488,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` + + ######################################## + ## +-## Create, read, write, and delete sysfs +-## directories. +## Read cpu online hardware state information. -+## + ## +## +##

+## Allow the specified domain to read /sys/devices/system/cpu/online file. +##

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; + ') + @@ -7388,30 +7389,19 @@ index 76f285e..a5b4426 100644 +interface(`dev_relabel_cpu_online',` + gen_require(` + type cpu_online_t; -+ type sysfs_t; -+ ') -+ + type sysfs_t; + ') + +- manage_dirs_pattern($1, sysfs_t, sysfs_t) + dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; -+') -+ + ') + + -+######################################## -+## -+## Read hardware state information. -+## -+## -+##

-+## Allow the specified domain to read the contents of -+## the sysfs filesystem. This filesystem contains -+## information, parameters, and other settings on the -+## hardware installed on the system. -+##

-+##
- ## - ## - ## Domain allowed access. -@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',` + ######################################## + ## + ## Read hardware state information. +@@ -4016,6 +4584,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7474,7 +7464,7 @@ index 76f285e..a5b4426 100644 ## Read and write the TPM device. ## ## -@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +4737,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7500,7 +7490,7 @@ index 76f285e..a5b4426 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5052,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7512,7 +7502,7 @@ index 76f285e..a5b4426 100644 ## ## ## -@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5062,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7535,7 +7525,7 @@ index 76f285e..a5b4426 100644 ## ## ## -@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5080,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7551,7 +7541,7 @@ index 76f285e..a5b4426 100644 ') ######################################## -@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5182,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7686,7 +7676,7 @@ index 76f285e..a5b4426 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5328,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7711,7 +7701,7 @@ index 76f285e..a5b4426 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5532,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5551,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## 
@@ -7756,7 +7746,7 @@ index 76f285e..a5b4426 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5659,964 @@ interface(`dev_unconfined',` +@@ -4851,3 +5678,964 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch index 1028ce6..474801e 100644 --- a/policy-f20-contrib.patch +++ b/policy-f20-contrib.patch @@ -103614,7 +103614,7 @@ index 9dec06c..c7a2d97 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index 1f22fba..e8ed215 100644 +index 1f22fba..92d1a81 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,224 @@ @@ -104671,7 +104671,7 @@ index 1f22fba..e8ed215 100644 + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) - ++ +corenet_tcp_sendrecv_generic_if(virt_domain) +corenet_tcp_sendrecv_generic_node(virt_domain) +corenet_tcp_sendrecv_all_ports(virt_domain) @@ -104823,7 +104823,7 @@ index 1f22fba..e8ed215 100644 +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; -+ + +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; +allow virsh_t self:fifo_file rw_fifo_file_perms; @@ -104911,10 +104911,10 @@ index 1f22fba..e8ed215 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) 
@@ -105374,38 +105374,22 @@ index 1f22fba..e8ed215 100644 -allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; - -kernel_read_network_state(svirt_lxc_net_t) --kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t self:process { execstack execmem }; +manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) - --corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) --corenet_all_recvfrom_netlabel(svirt_lxc_net_t) --corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) --corenet_udp_sendrecv_generic_if(svirt_lxc_net_t) --corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t) --corenet_udp_sendrecv_generic_node(svirt_lxc_net_t) --corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) --corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_generic_node(svirt_lxc_net_t) --corenet_udp_bind_generic_node(svirt_lxc_net_t) ++ +tunable_policy(`virt_sandbox_use_sys_admin',` + allow svirt_lxc_net_t self:capability sys_admin; +') - --corenet_sendrecv_all_server_packets(svirt_lxc_net_t) --corenet_udp_bind_all_ports(svirt_lxc_net_t) --corenet_tcp_bind_all_ports(svirt_lxc_net_t) ++ +tunable_policy(`virt_sandbox_use_mknod',` + allow svirt_lxc_net_t self:capability mknod; +') - --corenet_sendrecv_all_client_packets(svirt_lxc_net_t) --corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++ +tunable_policy(`virt_sandbox_use_all_caps',` + allow svirt_lxc_net_t self:capability all_capability_perms; + allow svirt_lxc_net_t self:capability2 all_capability2_perms; +') - ++ +tunable_policy(`virt_sandbox_use_netlink',` + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; 
@@ -105417,13 +105401,32 @@ index 1f22fba..e8ed215 100644 +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; + -+kernel_read_irq_sysctls(svirt_lxc_net_t) + kernel_read_irq_sysctls(svirt_lxc_net_t) +kernel_read_messages(svirt_lxc_net_t) -+ -+dev_read_sysfs(svirt_lxc_net_t) - dev_getattr_mtrr_dev(svirt_lxc_net_t) - dev_read_rand(svirt_lxc_net_t) --dev_read_sysfs(svirt_lxc_net_t) + +-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) +-corenet_all_recvfrom_netlabel(svirt_lxc_net_t) +-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) +-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t) +-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t) +-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t) +-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) +-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_generic_node(svirt_lxc_net_t) +-corenet_udp_bind_generic_node(svirt_lxc_net_t) +- +-corenet_sendrecv_all_server_packets(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) +- +-corenet_sendrecv_all_client_packets(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) +- +-dev_getattr_mtrr_dev(svirt_lxc_net_t) +-dev_read_rand(svirt_lxc_net_t) + dev_read_sysfs(svirt_lxc_net_t) ++dev_read_mtrr(svirt_lxc_net_t) ++dev_read_rand(svirt_lxc_net_t) dev_read_urand(svirt_lxc_net_t) files_read_kernel_modules(svirt_lxc_net_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index fd2b127..1f213e9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 198%{?dist} +Release: 199%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
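Review bot: Replacing `dev_getattr_mtrr_dev(svirt_lxc_net_t)` with `dev_read_mtrr(svirt_lxc_net_t)` in virt.te widens the sandbox domain from getattr on the MTRR device to read on both the /proc file and the character device, whereas the changelog entry only mentions /proc/mtrr. If the sandbox only needs the /proc file, a variant of the interface that calls `read_files_pattern($1, device_t, mtrr_device_t)` alone would match the stated intent; otherwise the reason for also reading the device is worth a sentence in the commit message. Dropping the old getattr line loses nothing, since read_file_perms and read_chr_file_perms include getattr. The rest of the hunk moves `dev_read_rand` and the `corenet_*` removals around, which looks like regenerated context rather than a policy change, though that is inferred from the line order alone.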
@@ -582,6 +582,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Feb 02 2015 Lukas Vrabec 3.12.1-199 +- Allow svirt sandbox domains to read /proc/mtrr + * Fri Jan 29 2015 Lukas Vrabec 3.12.1-198 - Dontaudit couchdb search in gconf_home_t. BZ(1177717) - Allow pingd to read /dev/urandom. BZ(1181831)