[refpolicy] [PATCH 0/3] Virtual Distributed Ethernet

[refpolicy] [PATCH 0/3] Virtual Distributed Ethernet

[Sven Vermeulen]

This patchset introduces VDE, the Virtual Distributed Ethernet application,
which allows administrators to create virtual networks for qemu.

[refpolicy] [PATCH 1/3] Introduce vde domain

[Sven Vermeulen]

VDE, or Virtual Distributed Ethernet, is a process that simulates a
hub/switch within a virtual network. It can be used to provide both
simple and complex network environments within a virtual scope.

We introduce the vde_t domain (and related types) here, and will later
patch qemu to (optionally) use VDE

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 vde.fc |   21 ++++++++++++++++++++
 vde.if |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 vde.te |   60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 146 insertions(+), 0 deletions(-)
 create mode 100644 vde.fc
 create mode 100644 vde.if
 create mode 100644 vde.te

diff --git a/vde.fc b/vde.fc
new file mode 100644
index 0000000..00e7e36
--- /dev/null
+++ b/vde.fc
@@ -0,0 +1,21 @@
+#
+# /etc
+#
+/etc/init.d/vde		--	gen_context(system_u:object_r:vde_initrc_exec_t,s0)
+/etc/vde2(/.*)?			gen_context(system_u:object_r:vde_conf_t,s0)
+
+#
+# /usr
+#
+/usr/bin/vde_switch	--	gen_context(system_u:object_r:vde_exec_t,s0)
+/usr/sbin/vde_tunctl	--	gen_context(system_u:object_r:vde_exec_t,s0)
+
+#
+# /var
+#
+/var/run/vde\.ctl(/.*)?		gen_context(system_u:object_r:vde_var_run_t,s0)
+
+#
+# /tmp
+#
+/tmp/vde.[0-9-]*	-s	gen_context(system_u:object_r:vde_tmp_t,s0)
diff --git a/vde.if b/vde.if
new file mode 100644
index 0000000..987a8c2
--- /dev/null
+++ b/vde.if
@@ -0,0 +1,65 @@
+## <summary>Virtual Distributed Ethernet switch service</summary>
+
+########################################
+## <summary>
+##   The rules needed to manage the VDE switches
+## </summary>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the vde domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_role',`
+	gen_require(`
+		type vde_t, vde_tmp_t;
+		type vde_conf_t, vde_var_run_t;
+		type vde_initrc_exec_t, vde_exec_t;
+	')
+
+	role $1 types vde_t;
+
+	allow $2 vde_t:process { ptrace signal_perms };
+	allow vde_t $2:process { sigchld signull };
+	allow vde_t $2:fd use;
+	allow vde_t $2:tun_socket { relabelfrom };
+	allow vde_t self:tun_socket { relabelfrom relabelto };
+	ps_process_pattern($2, vde_t)
+
+	domain_auto_trans($2, vde_exec_t, vde_t)
+')
+
+########################################
+## <summary>
+##   Allow communication with the VDE service 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`vde_connect',`
+	gen_require(`
+		type vde_t, vde_var_run_t, vde_tmp_t;
+	')
+	
+	allow $1 vde_var_run_t:sock_file write_sock_file_perms;
+	allow $1 vde_t:unix_stream_socket { connectto };
+	allow $1 vde_t:unix_dgram_socket { sendto };
+	allow vde_t $1:unix_dgram_socket { sendto };
+
+	allow $1 vde_tmp_t:sock_file manage_sock_file_perms;
+	files_tmp_filetrans($1, vde_tmp_t, sock_file)
+
+	tunable_policy(`gentoo_try_dontaudit',`
+		dontaudit $1 vde_var_run_t:sock_file { setattr };
+	')
+')
diff --git a/vde.te b/vde.te
new file mode 100644
index 0000000..af00640
--- /dev/null
+++ b/vde.te
@@ -0,0 +1,60 @@
+policy_module(vde, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type vde_t;
+type vde_exec_t;
+init_daemon_domain(vde_t, vde_exec_t)
+
+type vde_initrc_exec_t;
+init_script_file(vde_initrc_exec_t)
+
+type vde_conf_t;
+files_type(vde_conf_t);
+
+type vde_var_lib_t;
+files_type(vde_var_lib_t)
+
+type vde_var_run_t;
+files_pid_file(vde_var_run_t)
+
+type vde_tmp_t;
+files_tmp_file(vde_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow vde_t self:process { signal_perms getcap setcap };
+allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
+allow vde_t self:unix_stream_socket {  create_stream_socket_perms connectto };
+allow vde_t self:unix_dgram_socket create_socket_perms;
+allow vde_t vde_conf_t:dir list_dir_perms;
+allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
+
+manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
+files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
+
+files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
+
+read_files_pattern(vde_t, vde_conf_t, vde_conf_t)
+read_lnk_files_pattern(vde_t, vde_conf_t, vde_conf_t)
+
+corenet_rw_tun_tap_dev(vde_t)
+
+domain_use_interactive_fds(vde_t)
+
+files_read_etc_files(vde_t)
+
+logging_send_syslog_msg(vde_t)
+
+miscfiles_read_localization(vde_t)
+
+userdom_use_user_terminals(vde_t)
+
-- 
1.7.3.4

[refpolicy] [PATCH 1/3] Introduce vde domain

[Christopher J. PeBenito]

On 10/23/11 10:08, Sven Vermeulen wrote:
> 
> VDE, or Virtual Distributed Ethernet, is a process that simulates a
> hub/switch within a virtual network. It can be used to provide both
> simple and complex network environments within a virtual scope.
> 
> We introduce the vde_t domain (and related types) here, and will later
> patch qemu to (optionally) use VDE
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  vde.fc |   21 ++++++++++++++++++++
>  vde.if |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  vde.te |   60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 146 insertions(+), 0 deletions(-)
>  create mode 100644 vde.fc
>  create mode 100644 vde.if
>  create mode 100644 vde.te
> 

> diff --git a/vde.if b/vde.if
> new file mode 100644
> index 0000000..987a8c2
> --- /dev/null
> +++ b/vde.if
> @@ -0,0 +1,65 @@
> +## <summary>Virtual Distributed Ethernet switch service</summary>
> +
> +########################################
> +## <summary>
> +##   The rules needed to manage the VDE switches
> +## </summary>
> +## <param name="role">
> +##	<summary>
> +##	The role to be allowed to manage the vde domain.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`vde_role',`
> +	gen_require(`
> +		type vde_t, vde_tmp_t;
> +		type vde_conf_t, vde_var_run_t;
> +		type vde_initrc_exec_t, vde_exec_t;
> +	')
> +
> +	role $1 types vde_t;
> +
> +	allow $2 vde_t:process { ptrace signal_perms };
> +	allow vde_t $2:process { sigchld signull };
> +	allow vde_t $2:fd use;
> +	allow vde_t $2:tun_socket { relabelfrom };
> +	allow vde_t self:tun_socket { relabelfrom relabelto };
> +	ps_process_pattern($2, vde_t)
> +
> +	domain_auto_trans($2, vde_exec_t, vde_t)
> +')
> +
> +########################################
> +## <summary>
> +##   Allow communication with the VDE service 
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`vde_connect',`
> +	gen_require(`
> +		type vde_t, vde_var_run_t, vde_tmp_t;
> +	')
> +	
> +	allow $1 vde_var_run_t:sock_file write_sock_file_perms;
> +	allow $1 vde_t:unix_stream_socket { connectto };
> +	allow $1 vde_t:unix_dgram_socket { sendto };
> +	allow vde_t $1:unix_dgram_socket { sendto };
> +
> +	allow $1 vde_tmp_t:sock_file manage_sock_file_perms;
> +	files_tmp_filetrans($1, vde_tmp_t, sock_file)
> +
> +	tunable_policy(`gentoo_try_dontaudit',`
> +		dontaudit $1 vde_var_run_t:sock_file { setattr };
> +	')

Remember to remove these testing rules.  Its also unnecessary to have the braces for single permissions.

> +')
> diff --git a/vde.te b/vde.te
> new file mode 100644
> index 0000000..af00640
> --- /dev/null
> +++ b/vde.te
> @@ -0,0 +1,60 @@
> +policy_module(vde, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type vde_t;
> +type vde_exec_t;
> +init_daemon_domain(vde_t, vde_exec_t)
> +
> +type vde_initrc_exec_t;
> +init_script_file(vde_initrc_exec_t)
> +
> +type vde_conf_t;
> +files_type(vde_conf_t);
> +
> +type vde_var_lib_t;
> +files_type(vde_var_lib_t)
> +
> +type vde_var_run_t;
> +files_pid_file(vde_var_run_t)
> +
> +type vde_tmp_t;
> +files_tmp_file(vde_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow vde_t self:process { signal_perms getcap setcap };
> +allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
> +allow vde_t self:unix_stream_socket {  create_stream_socket_perms connectto };
> +allow vde_t self:unix_dgram_socket create_socket_perms;
> +allow vde_t vde_conf_t:dir list_dir_perms;
> +allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;

Please move these down with the other rules.

> +
> +manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
> +manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
> +manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
> +files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
> +
> +files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
> +
> +read_files_pattern(vde_t, vde_conf_t, vde_conf_t)
> +read_lnk_files_pattern(vde_t, vde_conf_t, vde_conf_t)
> +
> +corenet_rw_tun_tap_dev(vde_t)
> +
> +domain_use_interactive_fds(vde_t)
> +
> +files_read_etc_files(vde_t)

I'm not clear why there is a need for vde_conf_t.  It appears that it is only ever read, so it seems that etc_t would be fine.

> +logging_send_syslog_msg(vde_t)
> +
> +miscfiles_read_localization(vde_t)
> +
> +userdom_use_user_terminals(vde_t)
> +


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 1/3] Introduce vde domain

[Sven Vermeulen]

On Tue, Nov 08, 2011 at 10:01:38AM -0500, Christopher J. PeBenito wrote:
> > +	tunable_policy(`gentoo_try_dontaudit',`
> > +		dontaudit $1 vde_var_run_t:sock_file { setattr };
> > +	')
> 
> Remember to remove these testing rules.  Its also unnecessary to have the braces for single permissions.

Yeah, sorry about that.

> > +allow vde_t self:process { signal_perms getcap setcap };
> > +allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
> > +allow vde_t self:unix_stream_socket {  create_stream_socket_perms connectto };
> > +allow vde_t self:unix_dgram_socket create_socket_perms;
> > +allow vde_t vde_conf_t:dir list_dir_perms;
> > +allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
> 
> Please move these down with the other rules.

You mean keep the "allow" statements with the general patterns? Like so?

  allow vde_t self:process { signal_perms getcap setcap };
  allow vde_t self:capability { chown net_admin dac_override fowner fsetid };
  allow vde_t self:unix_stream_socket {  create_stream_socket_perms connectto };
  allow vde_t self:unix_dgram_socket create_socket_perms;
  
  manage_dirs_pattern(vde_t, vde_var_run_t, vde_var_run_t)
  manage_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
  manage_sock_files_pattern(vde_t, vde_var_run_t, vde_var_run_t)
  files_pid_filetrans(vde_t, vde_var_run_t, { dir file sock_file unix_dgram_socket })
  
  allow vde_t vde_tmp_t:sock_file manage_sock_file_perms;
  
  files_tmp_filetrans(vde_t, vde_tmp_t, sock_file)
  

Is it okay to have a whitespace between allow blocks and other (general
pattern) blocks?

> I'm not clear why there is a need for vde_conf_t.  It appears that it is only
> ever read, so it seems that etc_t would be fine.

True. I had defined it to allow for third party applications to manage it,
but it seems that those that I expect to manage them also have etc_t write
privileges already (like puppet).

I'll remove it from the renewed submission.

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 2/3] Allow qemu to interact with VDE

[Sven Vermeulen]

Optionally allow qemu to connect to the vde switch

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 qemu.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index 9cf9992..f9abc5e 100644
--- a/qemu.te
+++ b/qemu.te
@@ -99,6 +99,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	vde_connect(qemu_t)
+')
+
+optional_policy(`
 	virt_manage_images(qemu_t)
 	virt_append_log(qemu_t)
 ')
-- 
1.7.3.4

[refpolicy] [PATCH 3/3] Allow sysadm_r to manage vde switches

[Sven Vermeulen]

Assign the vde_role to sysadm_r so that the system administrator can
manage virtual distributed ethernet process(es).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/roles/sysadm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 954417f..0e09153 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -386,6 +386,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	vde_role(sysadm_r, sysadm_t)
+')
+
+optional_policy(`
 	vmware_role(sysadm_r, sysadm_t)
 ')
 
-- 
1.7.3.4