## Libvirt virtualization API
##
## Interfaces and templates other modules call to interact with the
## libvirt daemon (virtd_t), its helper domains, its configuration,
## state and log files, and the confined guest domains (virt_domain,
## svirt_lxc_domain).  Interfaces that hand out powerful access (ptrace
## over guests, relabeling of guest images, transitions into guest
## domains) carry a note describing what that access amounts to so
## callers can scope it deliberately.

########################################
##
## Creates the types and rules for a basic qemu process domain.
## Declares $1_t as a virt_domain entered from qemu_exec_t, plus a
## private devpts type $1_devpts_t for the guest's pty, and grants the
## domain the minimal system access every guest domain needs.
##
## $1: prefix for the domain (yields $1_t and $1_devpts_t).
#
template(`virt_domain_template',`
	gen_require(`
		attribute virt_domain, virt_image_type, virt_tmpfs_type, virt_ptynode;
		type qemu_exec_t;
	')

	# The guest domain itself: entered via qemu_exec_t, runs under system_r,
	# and is exempt from the user-domain restrictions while staying
	# MCS-constrained so guests with different categories are isolated.
	type $1_t, virt_domain;
	application_domain($1_t, qemu_exec_t)
	domain_user_exemption_target($1_t)
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	role system_r types $1_t;

	# Private pty type so one guest's console cannot be opened by another.
	type $1_devpts_t, virt_ptynode;
	term_pty($1_devpts_t)
	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
	term_create_pty($1_t, $1_devpts_t)

	# Baseline system access for the guest process.
	kernel_read_system_state($1_t)
	auth_read_passwd($1_t)
	logging_send_syslog_msg($1_t)
')

########################################
##
## Make the specified type usable as a virt image.
## Adds the type to virt_image_type and marks it as a file type and a
## device node type, so the same label can be applied to image files and
## to block devices handed to guests.
##
## $1: type to be used as a virtual image.
#
interface(`virt_image',`
	gen_require(`
		attribute virt_image_type;
	')

	typeattribute $1 virt_image_type;
	files_type($1)
	# virt images can be assigned to blk devices
	dev_node($1)
')

#######################################
##
## Getattr on the virt daemon executable.
##
## $1: domain allowed access.
#
interface(`virt_getattr_exec',`
	gen_require(`
		type virtd_exec_t;
	')

	allow $1 virtd_exec_t:file getattr;
')

########################################
##
## Execute a domain transition to run the virt daemon (virtd_t).
##
## $1: domain allowed to transition.
#
interface(`virt_domtrans',`
	gen_require(`
		type virtd_t, virtd_exec_t;
	')

	domtrans_pattern($1, virtd_exec_t, virtd_t)
')

########################################
##
## Execute a domain transition to run virt_qmf.
##
## $1: domain allowed to transition.
#
interface(`virt_domtrans_qmf',`
	gen_require(`
		type virt_qmf_t, virt_qmf_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
')

########################################
##
## Execute a domain transition to run virt_bridgehelper.
##
## $1: domain allowed to transition.
#
interface(`virt_domtrans_bridgehelper',`
	gen_require(`
		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
	')

	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
')

#######################################
##
## Connect to the virt daemon over a unix domain stream socket
## in its pid directory.
##
## $1: domain allowed access.
#
interface(`virt_stream_connect',`
	gen_require(`
		type virtd_t, virt_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')

########################################
##
## Allow the domain to attach to virt TUN devices.
## The caller may relabel tun sockets from virtd_t to its own type;
## this lets it take over a tap interface the daemon created.
##
## $1: domain allowed access.
#
interface(`virt_attach_tun_iface',`
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')

########################################
##
## Read virt configuration files (both the static virt_etc_t
## and the daemon-writable virt_etc_rw_t content).
##
## $1: domain allowed access.
#
interface(`virt_read_config',`
	gen_require(`
		type virt_etc_t, virt_etc_rw_t;
	')

	files_search_etc($1)
	read_files_pattern($1, virt_etc_t, virt_etc_t)
	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')

########################################
##
## Manage virt configuration files.
## Write access to virt_etc_t controls how the daemon and its guests
## are configured; grant this to administrative domains only.
##
## $1: domain allowed access.
#
interface(`virt_manage_config',`
	gen_require(`
		type virt_etc_t, virt_etc_rw_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, virt_etc_t, virt_etc_t)
	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')

########################################
##
## Read virt content files (virt_content_t), including block files
## carrying that label.  When the virt_use_nfs / virt_use_samba
## booleans are on, the same read access is extended to NFS and
## CIFS filesystems.
##
## $1: domain allowed access.
#
interface(`virt_read_content',`
	gen_require(`
		type virt_content_t;
	')

	virt_search_lib($1)
	allow $1 virt_content_t:dir list_dir_perms;
	list_dirs_pattern($1, virt_content_t, virt_content_t)
	read_files_pattern($1, virt_content_t, virt_content_t)
	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
	read_blk_files_pattern($1, virt_content_t, virt_content_t)

	# Network-backed content: only when the administrator opts in.
	tunable_policy(`virt_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
		fs_read_nfs_symlinks($1)
	')

	tunable_policy(`virt_use_samba',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
		fs_read_cifs_symlinks($1)
	')
')

########################################
##
## Write virt content files (virt_content_t).
##
## $1: domain allowed access.
#
interface(`virt_write_content',`
	gen_require(`
		type virt_content_t;
	')

	allow $1 virt_content_t:file write_file_perms;
')

########################################
##
## Read virt pid files.
##
## $1: domain allowed access.
#
interface(`virt_read_pid_files',`
	gen_require(`
		type virt_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
')

########################################
##
## Manage virt and virt_lxc pid directories, and get the
## named file transitions for content created under /run.
##
## $1: domain allowed access.
#
interface(`virt_manage_pid_dirs',`
	gen_require(`
		type virt_var_run_t, virt_lxc_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
	manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
	virt_filetrans_named_content($1)
')

########################################
##
## Manage virt and virt_lxc pid files.
##
## $1: domain allowed access.
#
interface(`virt_manage_pid_files',`
	gen_require(`
		type virt_var_run_t, virt_lxc_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
	manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
')

########################################
##
## Create objects in the virt pid directory with a private type,
## using a type transition.
##
## $1: domain allowed access.
## $2: type the created node will be transitioned to.
## $3: object class(es) (a single class or a {} set) for which
##     the transition occurs.
## $4: name of the object being created.
#
interface(`virt_pid_filetrans',`
	gen_require(`
		type virt_var_run_t;
	')

	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
')

########################################
##
## Search virt lib directories.
##
## $1: domain allowed access.
#
interface(`virt_search_lib',`
	gen_require(`
		type virt_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 virt_var_lib_t:dir search_dir_perms;
')

########################################
##
## Read virt lib files.
##
## $1: domain allowed access.
#
interface(`virt_read_lib_files',`
	gen_require(`
		type virt_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')

########################################
##
## Do not audit attempts to read inherited virt lib files.
##
## $1: domain to not audit.
#
interface(`virt_dontaudit_read_lib_files',`
	gen_require(`
		type virt_var_lib_t;
	')

	dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
')

########################################
##
## Create, read, write, and delete virt lib files.
##
## $1: domain allowed access.
#
interface(`virt_manage_lib_files',`
	gen_require(`
		type virt_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')

########################################
##
## Read virt log files.
##
## $1: domain allowed access.
#
interface(`virt_read_log',`
	gen_require(`
		type virt_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, virt_log_t, virt_log_t)
')

########################################
##
## Append to virt log files.
##
## $1: domain allowed access.
#
interface(`virt_append_log',`
	gen_require(`
		type virt_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, virt_log_t, virt_log_t)
')

########################################
##
## Manage virt log directories, files and symlinks.
## Note that, unlike the read/append interfaces, this does not
## grant search on the parent log directory.
##
## $1: domain allowed access.
#
interface(`virt_manage_log',`
	gen_require(`
		type virt_log_t;
	')

	manage_dirs_pattern($1, virt_log_t, virt_log_t)
	manage_files_pattern($1, virt_log_t, virt_log_t)
	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
')

########################################
##
## Search virt image directories.
##
## $1: domain allowed access.
#
interface(`virt_search_images',`
	gen_require(`
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir search_dir_perms;
')

########################################
##
## Read virt image files (every type carrying virt_image_type),
## including block and character device nodes with that label.
## With virt_use_nfs / virt_use_samba on, read access is extended
## to NFS and CIFS filesystems.
##
## $1: domain allowed access.
#
interface(`virt_read_images',`
	gen_require(`
		type virt_var_lib_t;
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir list_dir_perms;
	list_dirs_pattern($1, virt_image_type, virt_image_type)
	read_files_pattern($1, virt_image_type, virt_image_type)
	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
	read_blk_files_pattern($1, virt_image_type, virt_image_type)
	read_chr_files_pattern($1, virt_image_type, virt_image_type)

	# Network-backed images: only when the administrator opts in.
	tunable_policy(`virt_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
		fs_read_nfs_symlinks($1)
	')

	tunable_policy(`virt_use_samba',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
		fs_read_cifs_symlinks($1)
	')
')

########################################
##
## Read virt image block device files.
##
## $1: domain allowed access.
#
interface(`virt_read_blk_images',`
	gen_require(`
		attribute virt_image_type;
	')

	read_blk_files_pattern($1, virt_image_type, virt_image_type)
')

########################################
##
## Read and write virt image character device files.
##
## $1: domain allowed access.
#
interface(`virt_rw_chr_files',`
	gen_require(`
		attribute virt_image_type;
	')

	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
')

########################################
##
## Create, read, write, and delete svirt cache files.
##
## $1: domain allowed access.
#
interface(`virt_manage_cache',`
	gen_require(`
		type virt_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
	manage_files_pattern($1, virt_cache_t, virt_cache_t)
	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
')

########################################
##
## Manage virt image files of every virt_image_type, including
## read/write on block and character devices with that label.
## Because virt_image_type also covers raw block devices handed
## to guests, this is effectively disk-level access to all guest
## storage; keep it to the daemon and administrative domains.
##
## $1: domain allowed access.
#
interface(`virt_manage_images',`
	gen_require(`
		type virt_var_lib_t;
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir list_dir_perms;
	manage_dirs_pattern($1, virt_image_type, virt_image_type)
	manage_files_pattern($1, virt_image_type, virt_image_type)
	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
')

#######################################
##
## Manage image files of the default image type (virt_image_t)
## only, as opposed to virt_manage_images which covers the whole
## virt_image_type attribute.  No device-node access is granted.
##
## $1: domain allowed access.
#
interface(`virt_manage_default_image_type',`
	gen_require(`
		type virt_var_lib_t, virt_image_t;
	')

	virt_search_lib($1)
	manage_dirs_pattern($1, virt_image_t, virt_image_t)
	manage_files_pattern($1, virt_image_t, virt_image_t)
	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
')

########################################
##
## Manage the virtd systemd unit via systemctl: read the unit
## file, start/stop/enable the service, and inspect the daemon
## process.
##
## $1: domain allowed access.
#
interface(`virt_systemctl',`
	gen_require(`
		type virtd_t, virtd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 virtd_unit_file_t:file read_file_perms;
	allow $1 virtd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, virtd_t)
')

########################################
##
## Ptrace every svirt guest domain.
## Ptrace on a guest process means reading and modifying guest
## memory; this bypasses guest isolation and should be limited to
## trusted debugging domains.
##
## $1: domain allowed access.
#
interface(`virt_ptrace',`
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process ptrace;
')

########################################
##
## All of the rules required to administrate a virt environment:
## signal and inspect the daemon and lxc domains, run the init
## script, manage pid/lib/log/image content and the systemd unit.
## Ptrace on virtd_t and virt_lxc_t is granted only while the
## deny_ptrace boolean is off.
##
## $1: domain allowed access.
## $2: role allowed access.
#
interface(`virt_admin',`
	gen_require(`
		type virtd_t, virtd_initrc_exec_t, virt_lxc_t, virtd_unit_file_t;
		attribute virt_domain;
	')

	# Daemon process control.
	allow $1 virtd_t:process signal_perms;
	ps_process_pattern($1, virtd_t)

	# Ptrace is withheld when the system-wide deny_ptrace boolean is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 virtd_t:process ptrace;
		allow $1 virt_lxc_t:process ptrace;
	')

	# Container helper process control.
	allow $1 virt_lxc_t:process signal_perms;
	ps_process_pattern($1, virt_lxc_t)

	# Init script and role handling.
	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 virtd_initrc_exec_t system_r;
	allow $2 system_r;

	# On-disk state.
	virt_manage_pid_files($1)
	virt_manage_lib_files($1)
	virt_manage_log($1)
	virt_manage_images($1)

	# Guests and the systemd unit.
	allow $1 virt_domain:process signal_perms;
	virt_systemctl($1)
	admin_pattern($1, virtd_unit_file_t)
	allow $1 virtd_unit_file_t:service all_service_perms;
')

########################################
##
## Execute qemu in the svirt domain, and allow the specified role
## the svirt domain.  Also grants the caller relabel rights on
## svirt_image_t objects, which is what lets it assign a per-guest
## label to a guest's storage; a domain holding this can re-label
## any svirt image, so grant it to the daemon only.
##
## $1: domain allowed access.
## $2: role to be allowed the sandbox domain.
#
interface(`virt_transition_svirt',`
	gen_require(`
		attribute virt_domain;
		type virt_bridgehelper_t, svirt_image_t, svirt_socket_t;
	')

	allow $1 virt_domain:process transition;
	role $2 types virt_domain;
	role $2 types virt_bridgehelper_t;
	role $2 types svirt_socket_t;
	allow $1 virt_domain:process { sigkill sigstop signull signal };

	allow $1 svirt_image_t:file { relabelfrom relabelto };
	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
	allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
	allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;

	optional_policy(`
		ptchown_run(virt_domain, $2)
	')
')

########################################
##
## Do not audit attempts to write virt daemon unnamed pipes.
##
## $1: domain to not audit.
#
interface(`virt_dontaudit_write_pipes',`
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:fd use;
	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')

########################################
##
## Send a sigkill to virtual machines.
##
## $1: domain allowed access.
#
interface(`virt_kill_svirt',`
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process sigkill;
')

########################################
##
## Send a generic signal to virtual machines.
##
## $1: domain allowed access.
#
interface(`virt_signal_svirt',`
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process signal;
')

########################################
##
## Manage virt files in user home directories.
##
## $1: domain allowed access.
#
interface(`virt_manage_home_files',`
	gen_require(`
		type virt_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, virt_home_t, virt_home_t)
')

########################################
##
## Read virt tmpfs files.
##
## $1: domain allowed access.
#
interface(`virt_read_tmpfs_files',`
	gen_require(`
		attribute virt_tmpfs_type;
	')

	allow $1 virt_tmpfs_type:file read_file_perms;
')

########################################
##
## Manage virt tmpfs files.
##
## $1: domain allowed access.
#
interface(`virt_manage_tmpfs_files',`
	gen_require(`
		attribute virt_tmpfs_type;
	')

	allow $1 virt_tmpfs_type:file manage_file_perms;
')

########################################
##
## Create the virt directories in a user home directory with the
## correct label: .libvirt and .virtinst as virt_home_t, the qemu
## subdirectory as svirt_home_t, and (when the gnome module is
## present) the libvirt / gnome-boxes config, cache and data dirs.
##
## $1: domain allowed access.
#
interface(`virt_filetrans_home_content',`
	gen_require(`
		type virt_home_t, svirt_home_t;
	')

	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")

	optional_policy(`
		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
		gnome_data_filetrans($1, svirt_home_t, dir, "images")
	')
')

########################################
##
## Do not audit attempts to read virt_image_type character devices.
##
## $1: domain to not audit.
#
interface(`virt_dontaudit_read_chr_dev',`
	gen_require(`
		attribute virt_image_type;
	')

	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')

########################################
##
## Creates the types and rules for a basic virt_lxc process domain.
## Declares $1_t as an svirt_lxc_domain with the same exemption and
## MCS constraints as the qemu template, but no entry point, pty
## or syslog access.
##
## $1: prefix for the domain (yields $1_t).
#
template(`virt_lxc_domain_template',`
	gen_require(`
		attribute svirt_lxc_domain;
	')

	type $1_t, svirt_lxc_domain;
	domain_type($1_t)
	domain_user_exemption_target($1_t)
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	role system_r types $1_t;

	kernel_read_system_state($1_t)
')

########################################
##
## Execute qemu_exec_t in the caller's domain (no transition).
##
## $1: domain allowed access.
#
interface(`virt_exec_qemu',`
	gen_require(`
		type qemu_exec_t;
	')

	can_exec($1, qemu_exec_t)
')

########################################
##
## Named file transitions for virt content created under the
## pid directory: libvirt-sandbox becomes virt_lxc_var_run_t,
## libvirt and libguestfs become virt_var_run_t.
##
## $1: domain allowed access.
#
interface(`virt_filetrans_named_content',`
	gen_require(`
		type virt_var_run_t, virt_lxc_var_run_t;
	')

	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
')

########################################
##
## Transition into the svirt_lxc domains, allow the specified role
## those domains, and let the containers report exit status back
## to the caller.
##
## $1: domain allowed access.
## $2: role to be allowed the sandbox domain.
#
interface(`virt_transition_svirt_lxc',`
	gen_require(`
		attribute svirt_lxc_domain;
	')

	allow $1 svirt_lxc_domain:process transition;
	role $2 types svirt_lxc_domain;
	allow svirt_lxc_domain $1:process sigchld;
')