Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/virt.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/virt.if')
-rw-r--r--policy/modules/contrib/virt.if1190
1 files changed, 0 insertions, 1190 deletions
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
deleted file mode 100644
index e30a42e3e..000000000
--- a/policy/modules/contrib/virt.if
+++ /dev/null
@@ -1,1190 +0,0 @@
-## <summary>Libvirt virtualization API.</summary>
-
-#######################################
-## <summary>
-## The template to define a virt domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`virt_domain_template',`
- gen_require(`
- attribute_role virt_domain_roles;
- attribute virt_image_type, virt_domain, virt_tmpfs_type;
- attribute virt_ptynode, virt_tmp_type;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type $1_t, virt_domain;
- application_type($1_t)
- domain_user_exemption_target($1_t)
- mls_rangetrans_target($1_t)
- mcs_constrained($1_t)
- role virt_domain_roles types $1_t;
-
- type $1_devpts_t, virt_ptynode;
- term_pty($1_devpts_t)
-
- type $1_tmp_t, virt_tmp_type;
- files_tmp_file($1_tmp_t)
-
- type $1_tmpfs_t, virt_tmpfs_type;
- files_tmpfs_file($1_tmpfs_t)
-
- optional_policy(`
- pulseaudio_tmpfs_content($1_tmpfs_t)
- ')
-
- type $1_image_t, virt_image_type;
- files_type($1_image_t)
- dev_node($1_image_t)
- dev_associate_sysfs($1_image_t)
-
- ifdef(`distro_gentoo',`
- optional_policy(`
- qemu_entry_type($1_t)
- ')
- ')
-
- ########################################
- #
- # Policy
- #
-
- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
- term_create_pty($1_t, $1_devpts_t)
-
- manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
- manage_files_pattern($1_t, $1_image_t, $1_image_t)
- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
- manage_sock_files_pattern($1_t, $1_image_t, $1_image_t)
- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
- fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
-
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
-
- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-
- optional_policy(`
- pulseaudio_run($1_t, virt_domain_roles)
- ')
-
- optional_policy(`
- xserver_rw_shm($1_t)
- ')
-')
-
-#######################################
-## <summary>
-## The template to define a virt lxc domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`virt_lxc_domain_template',`
- gen_require(`
- attribute_role svirt_lxc_domain_roles;
- attribute svirt_lxc_domain;
- ')
-
- type $1_t, svirt_lxc_domain;
- domain_type($1_t)
- domain_user_exemption_target($1_t)
- mls_rangetrans_target($1_t)
- mcs_constrained($1_t)
- role svirt_lxc_domain_roles types $1_t;
-')
-
-########################################
-## <summary>
-## Make the specified type virt image type.
-## </summary>
-## <param name="type">
-## <summary>
-## Type to be used as a virtual image.
-## </summary>
-## </param>
-#
-interface(`virt_image',`
- gen_require(`
- attribute virt_image_type;
- ')
-
- typeattribute $1 virt_image_type;
- files_type($1)
- dev_node($1)
-')
-
-########################################
-## <summary>
-## Execute a domain transition to run virtd.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`virt_domtrans',`
- gen_require(`
- type virtd_t, virtd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, virtd_exec_t, virtd_t)
-')
-
-########################################
-## <summary>
-## Execute a domain transition to run virt qmf.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`virt_domtrans_qmf',`
- gen_require(`
- type virt_qmf_t, virt_qmf_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
-')
-
-########################################
-## <summary>
-## Execute a domain transition to
-## run virt bridgehelper.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`virt_domtrans_bridgehelper',`
- gen_require(`
- type virt_bridgehelper_t, virt_bridgehelper_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
-')
-
-########################################
-## <summary>
-## Execute bridgehelper in the bridgehelper
-## domain, and allow the specified role
-## the bridgehelper domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_run_bridgehelper',`
- gen_require(`
- attribute_role virt_bridgehelper_roles;
- ')
-
- virt_domtrans_bridgehelper($1)
- roleattribute $2 virt_bridgehelper_roles;
-')
-
-########################################
-## <summary>
-## Execute virt domain in the their
-## domain, and allow the specified
-## role that virt domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_run_virt_domain',`
- gen_require(`
- attribute virt_domain;
- attribute_role virt_domain_roles;
- ')
-
- allow $1 virt_domain:process { signal transition };
- roleattribute $2 virt_domain_roles;
-
- allow virt_domain $1:fd use;
- allow virt_domain $1:fifo_file rw_fifo_file_perms;
- allow virt_domain $1:process sigchld;
-')
-
-########################################
-## <summary>
-## Send generic signals to all virt domains.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_signal_all_virt_domains',`
- gen_require(`
- attribute virt_domain;
- ')
-
- allow $1 virt_domain:process signal;
-')
-
-########################################
-## <summary>
-## Send kill signals to all virt domains.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_kill_all_virt_domains',`
- gen_require(`
- attribute virt_domain;
- ')
-
- allow $1 virt_domain:process sigkill;
-')
-
-########################################
-## <summary>
-## Execute svirt lxc domains in their
-## domain, and allow the specified
-## role that svirt lxc domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_run_svirt_lxc_domain',`
- gen_require(`
- attribute svirt_lxc_domain;
- attribute_role svirt_lxc_domain_roles;
- ')
-
- allow $1 svirt_lxc_domain:process { signal transition };
- roleattribute $2 svirt_lxc_domain_roles;
-
- allow svirt_lxc_domain $1:fd use;
- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
- allow svirt_lxc_domain $1:process sigchld;
-')
-
-#######################################
-## <summary>
-## Get attributes of virtd executable files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_getattr_virtd_exec_files',`
- gen_require(`
- type virtd_exec_t;
- ')
-
- allow $1 virtd_exec_t:file getattr_file_perms;
-')
-
-#######################################
-## <summary>
-## Connect to virt with a unix
-## domain stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_stream_connect',`
- gen_require(`
- type virtd_t, virt_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
-')
-
-########################################
-## <summary>
-## Attach to virt tun devices.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_attach_tun_iface',`
- gen_require(`
- type virtd_t;
- ')
-
- allow $1 virtd_t:tun_socket relabelfrom;
- allow $1 self:tun_socket relabelto;
-')
-
-########################################
-## <summary>
-## Read virt configuration content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_read_config',`
- gen_require(`
- type virt_etc_t, virt_etc_rw_t;
- ')
-
- files_search_etc($1)
- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
- read_files_pattern($1, virt_etc_t, virt_etc_t)
- read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt configuration content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_config',`
- gen_require(`
- type virt_etc_t, virt_etc_rw_t;
- ')
-
- files_search_etc($1)
- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
- manage_files_pattern($1, virt_etc_t, virt_etc_t)
- manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
- manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt image files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_read_content',`
- gen_require(`
- type virt_content_t;
- ')
-
- virt_search_lib($1)
- allow $1 virt_content_t:dir list_dir_perms;
- list_dirs_pattern($1, virt_content_t, virt_content_t)
- read_files_pattern($1, virt_content_t, virt_content_t)
- read_lnk_files_pattern($1, virt_content_t, virt_content_t)
- read_blk_files_pattern($1, virt_content_t, virt_content_t)
-
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_virt_content',`
- gen_require(`
- type virt_content_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 virt_content_t:dir manage_dir_perms;
- allow $1 virt_content_t:file manage_file_perms;
- allow $1 virt_content_t:fifo_file manage_fifo_file_perms;
- allow $1 virt_content_t:lnk_file manage_lnk_file_perms;
- allow $1 virt_content_t:sock_file manage_sock_file_perms;
- allow $1 virt_content_t:blk_file manage_blk_file_perms;
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_manage_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- fs_manage_cifs_symlinks($1)
- ')
-')
-
-########################################
-## <summary>
-## Relabel virt content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_relabel_virt_content',`
- gen_require(`
- type virt_content_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 virt_content_t:dir relabel_dir_perms;
- allow $1 virt_content_t:file relabel_file_perms;
- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms;
- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms;
- allow $1 virt_content_t:sock_file relabel_sock_file_perms;
- allow $1 virt_content_t:blk_file relabel_blk_file_perms;
-')
-
-########################################
-## <summary>
-## Create specified objects in user home
-## directories with the virt content type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`virt_home_filetrans_virt_content',`
- gen_require(`
- type virt_content_t;
- ')
-
- virt_home_filetrans($1, virt_content_t, $2, $3)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## svirt home content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_svirt_home_content',`
- gen_require(`
- type svirt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 svirt_home_t:dir manage_dir_perms;
- allow $1 svirt_home_t:file manage_file_perms;
- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms;
- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms;
- allow $1 svirt_home_t:sock_file manage_sock_file_perms;
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_manage_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- fs_manage_cifs_symlinks($1)
- ')
-')
-
-########################################
-## <summary>
-## Relabel svirt home content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_relabel_svirt_home_content',`
- gen_require(`
- type svirt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 svirt_home_t:dir relabel_dir_perms;
- allow $1 svirt_home_t:file relabel_file_perms;
- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
-')
-
-########################################
-## <summary>
-## Create specified objects in user home
-## directories with the svirt home type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`virt_home_filetrans_svirt_home',`
- gen_require(`
- type svirt_home_t;
- ')
-
- virt_home_filetrans($1, svirt_home_t, $2, $3)
-')
-
-########################################
-## <summary>
-## Create specified objects in generic
-## virt home directories with private
-## home type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private_type">
-## <summary>
-## Private file type.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`virt_home_filetrans',`
- gen_require(`
- type virt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- filetrans_pattern($1, virt_home_t, $2, $3, $4)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt home files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_home_files',`
- gen_require(`
- type virt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- manage_files_pattern($1, virt_home_t, virt_home_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt home content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_generic_virt_home_content',`
- gen_require(`
- type virt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 virt_home_t:dir manage_dir_perms;
- allow $1 virt_home_t:file manage_file_perms;
- allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
- allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
- allow $1 virt_home_t:sock_file manage_sock_file_perms;
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_manage_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_dirs($1)
- fs_manage_cifs_files($1)
- fs_manage_cifs_symlinks($1)
- ')
-')
-
-########################################
-## <summary>
-## Relabel virt home content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_relabel_generic_virt_home_content',`
- gen_require(`
- type virt_home_t;
- ')
-
- userdom_search_user_home_dirs($1)
- allow $1 virt_home_t:dir relabel_dir_perms;
- allow $1 virt_home_t:file relabel_file_perms;
- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
-')
-
-########################################
-## <summary>
-## Create specified objects in user home
-## directories with the generic virt
-## home type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## Class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`virt_home_filetrans_virt_home',`
- gen_require(`
- type virt_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
-')
-
-########################################
-## <summary>
-## Read virt pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_read_pid_files',`
- gen_require(`
- type virt_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt pid files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_pid_files',`
- gen_require(`
- type virt_var_run_t;
- ')
-
- files_search_pids($1)
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-')
-
-########################################
-## <summary>
-## Search virt lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_search_lib',`
- gen_require(`
- type virt_var_lib_t;
- ')
-
- files_search_var_lib($1)
- allow $1 virt_var_lib_t:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Read virt lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_read_lib_files',`
- gen_require(`
- type virt_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_lib_files',`
- gen_require(`
- type virt_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create objects in virt pid
-## directories with a private type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private type">
-## <summary>
-## The type of the object to be created.
-## </summary>
-## </param>
-## <param name="object">
-## <summary>
-## The object class of the object being created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-## <infoflow type="write" weight="10"/>
-#
-interface(`virt_pid_filetrans',`
- gen_require(`
- type virt_var_run_t;
- ')
-
- files_search_pids($1)
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
-')
-
-########################################
-## <summary>
-## Read virt log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`virt_read_log',`
- gen_require(`
- type virt_log_t;
- ')
-
- logging_search_logs($1)
- read_files_pattern($1, virt_log_t, virt_log_t)
-')
-
-########################################
-## <summary>
-## Append virt log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_append_log',`
- gen_require(`
- type virt_log_t;
- ')
-
- logging_search_logs($1)
- append_files_pattern($1, virt_log_t, virt_log_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_log',`
- gen_require(`
- type virt_log_t;
- ')
-
- logging_search_logs($1)
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
- manage_files_pattern($1, virt_log_t, virt_log_t)
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-')
-
-########################################
-## <summary>
-## Search virt image directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_search_images',`
- gen_require(`
- attribute virt_image_type;
- ')
-
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
-')
-
-########################################
-## <summary>
-## Read virt image files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_read_images',`
- gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
- ')
-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- list_dirs_pattern($1, virt_image_type, virt_image_type)
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_list_cifs($1)
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
-')
-
-########################################
-## <summary>
-## Read and write all virt image
-## character files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_rw_all_image_chr_files',`
- gen_require(`
- attribute virt_image_type;
- ')
-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## svirt cache files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt cache content.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_virt_cache',`
- gen_require(`
- type virt_cache_t;
- ')
-
- files_search_var($1)
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete
-## virt image files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`virt_manage_images',`
- gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
- ')
-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- manage_dirs_pattern($1, virt_image_type, virt_image_type)
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an virt environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`virt_admin',`
- gen_require(`
- attribute virt_domain, virt_image_type, virt_tmpfs_type;
- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
- type virt_var_run_t, virt_tmp_t, virt_log_t;
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
- type virt_etc_t, svirt_cache_t;
- ')
-
- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
-
- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 virtd_initrc_exec_t system_r;
- allow $2 system_r;
-
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
-
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
-
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
-
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
-
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
-
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
-
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
-')