* [refpolicy] [PATCH 00/10] Various virt requirements
@ 2012-10-21 12:20 Dominick Grift
2012-10-21 12:20 ` [refpolicy] [PATCH 01/10] For svirt_lxc_domain Dominick Grift
` (9 more replies)
0 siblings, 10 replies; 11+ messages in thread
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
These are required by the virt module
Dominick Grift (10):
For svirt_lxc_domain
For svirt_lxc_domain
For svirt_lxc_domain
For virtd lxc
For virtd_lxc
For virtd_lxc
For virtd lxc
For virtd lxc
For virtd
For virtd
policy/modules/kernel/devices.if | 18 +++++++++++
policy/modules/kernel/files.if | 57 ++++++++++++++++++++++++++++++++++-
policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++
policy/modules/kernel/terminal.if | 19 +++++++++++
policy/modules/system/clock.if | 19 +++++++++++
policy/modules/system/sysnetwork.if | 19 +++++++++++
policy/modules/system/udev.if | 19 +++++++++++
7 files changed, 186 insertions(+), 1 deletions(-)
--
1.7.7.6
* [refpolicy] [PATCH 01/10] For svirt_lxc_domain
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/udev.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 77a13a5..9ccfd8a 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -224,6 +224,25 @@ interface(`udev_rw_db',`
########################################
## <summary>
+## Read udev pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_pid_files',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+## <summary>
## Search through udev pid content
## </summary>
## <param name="domain">
--
1.7.7.6
* [refpolicy] [PATCH 02/10] For svirt_lxc_domain
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/clock.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index e2f6d93..2734f43 100644
--- a/policy/modules/system/clock.if
+++ b/policy/modules/system/clock.if
@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',`
########################################
## <summary>
+## Read clock drift adjustments.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clock_read_adjtime',`
+ gen_require(`
+ type adjtime_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 adjtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read and write clock drift adjustments.
## </summary>
## <param name="domain">
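Review bot: files_list_etc($1) in clock_read_adjtime grants listing of the etc directories, while a read-only interface for a single file only needs to traverse them. Consider files_search_etc($1) here, or state in the commit message why list access is required for svirt_lxc_domain.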
--
1.7.7.6
* [refpolicy] [PATCH 03/10] For svirt_lxc_domain
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/files.if | 21 ++++++++++++++++++++-
1 files changed, 20 insertions(+), 1 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d1e42ac..e188a21 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2913,7 +2913,7 @@ interface(`files_delete_boot_flag',`
## </summary>
## <param name="domain">
## <summary>
-## Domain allowed access.
+## Domain to not audit.
## </summary>
## </param>
#
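Review bot: the commit message does not mention the "Domain to not audit." description fix in this first hunk, which touches the documentation of an existing interface (files_dontaudit_setattr_etc_runtime_files, per the next hunk header) rather than the one being added. Mention it in the commit message or send it as a separate cleanup so it can be found in history.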
@@ -2927,6 +2927,25 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
########################################
## <summary>
+## Do not audit attempts to write
+## etc runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_etc_runtime_files',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file write;
+')
+
+########################################
+## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
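Review bot: the rule "dontaudit $1 etc_runtime_t:file write;" in files_dontaudit_write_etc_runtime_files suppresses the denial record with no explanation of why the write attempt is expected. Since dontaudit rules hide AVC messages that are otherwise useful for troubleshooting and detection, the commit message should say what in svirt_lxc_domain attempts the write and why it is safe to deny it silently.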
--
1.7.7.6
* [refpolicy] [PATCH 04/10] For virtd lxc
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/terminal.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 01dd2f1..771bce1 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -384,6 +384,25 @@ interface(`term_getattr_pty_fs',`
########################################
## <summary>
+## Relabel from and to pty filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_pty_fs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:filesystem { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the
## attributes of the /dev/pts directory.
## </summary>
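Review bot: dev_list_all_dev_nodes($1) in term_relabel_pty_fs is an extra grant that the summary ("Relabel from and to pty filesystem.") does not document, and the filesystem-class rule on devpts_t that follows does not obviously need it. Drop the call if the relabel works without it, or extend the summary so callers know they also receive the device directory access.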
--
1.7.7.6
* [refpolicy] [PATCH 05/10] For virtd_lxc
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7c6b791..7463473 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3853,6 +3853,24 @@ interface(`fs_associate_tmpfs',`
########################################
## <summary>
+## Relabel from tmpfs filesystem.
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
## Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
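Review bot: the parameter of fs_relabelfrom_tmpfs is declared as <param name="type"> but described as "Domain allowed access.", so the name and the description disagree. The rule grants $1 a permission on tmpfs_t, so the parameter is a domain; use <param name="domain"> as the other interfaces in this series do.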
--
1.7.7.6
* [refpolicy] [PATCH 06/10] For virtd_lxc
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7463473..8416beb 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3908,6 +3908,24 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
## <summary>
+## Mount on tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
--
1.7.7.6
* [refpolicy] [PATCH 07/10] For virtd lxc
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e188a21..96b91e0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1874,6 +1874,24 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
+## Relabel to and from rootfs file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
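Review bot: files_relabel_rootfs bundles both directions in "allow $1 root_t:filesystem { relabelto relabelfrom };", so any caller gets both even if it only needs one. If virtd lxc needs only one direction on the root filesystem, split this into separate relabelfrom and relabelto interfaces; otherwise say in the commit message that both are required. The summary also writes "file system" where the neighbouring summary uses "filesystem".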
--
1.7.7.6
* [refpolicy] [PATCH 08/10] For virtd lxc
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 96b91e0..5f61d5e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1874,6 +1874,24 @@ interface(`files_delete_root_dir_entry',`
########################################
## <summary>
+## Associate to root file system.
+## </summary>
+## <param name="file_type">
+## <summary>
+## Type of the file to associate.
+## </summary>
+## </param>
+#
+interface(`files_associate_rootfs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:filesystem associate;
+')
+
+########################################
+## <summary>
## Relabel to and from rootfs file system.
## </summary>
## <param name="domain">
--
1.7.7.6
* [refpolicy] [PATCH 09/10] For virtd
From: Dominick Grift @ 2012-10-21 12:20 UTC
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 41a1853..fcefe61 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -561,6 +561,25 @@ interface(`sysnet_signal_ifconfig',`
########################################
## <summary>
+## Send null signals to ifconfig.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signull_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ allow $1 ifconfig_t:process signull;
+')
+
+########################################
+## <summary>
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
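Review bot: the "## <rolecap/>" line in the sysnet_signull_ifconfig header tags the interface as a role capability, which looks out of place for an interface whose only rule is "allow $1 ifconfig_t:process signull;". Drop the tag unless that documentation category is intended for this interface.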
--
1.7.7.6
* [refpolicy] [PATCH 00/10] Various virt requirements
From: Christopher J. PeBenito @ 2012-10-30 18:18 UTC
To: refpolicy
On 10/21/12 08:20, Dominick Grift wrote:
> These are required by the virt module
>
> Dominick Grift (10):
> For svirt_lxc_domain
> For svirt_lxc_domain
> For svirt_lxc_domain
> For virtd lxc
> For virtd_lxc
> For virtd_lxc
> For virtd lxc
> For virtd lxc
> For virtd
> For virtd
>
> policy/modules/kernel/devices.if | 18 +++++++++++
> policy/modules/kernel/files.if | 57 ++++++++++++++++++++++++++++++++++-
> policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++
> policy/modules/kernel/terminal.if | 19 +++++++++++
> policy/modules/system/clock.if | 19 +++++++++++
> policy/modules/system/sysnetwork.if | 19 +++++++++++
> policy/modules/system/udev.if | 19 +++++++++++
> 7 files changed, 186 insertions(+), 1 deletions(-)
1-9 merged, I never received 10.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com