diff options
Diffstat (limited to 'policy/modules/contrib/virt.if')
-rw-r--r-- | policy/modules/contrib/virt.if | 1190 |
1 files changed, 0 insertions, 1190 deletions
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if deleted file mode 100644 index e30a42e3e..000000000 --- a/policy/modules/contrib/virt.if +++ /dev/null @@ -1,1190 +0,0 @@ -## <summary>Libvirt virtualization API.</summary> - -####################################### -## <summary> -## The template to define a virt domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`virt_domain_template',` - gen_require(` - attribute_role virt_domain_roles; - attribute virt_image_type, virt_domain, virt_tmpfs_type; - attribute virt_ptynode, virt_tmp_type; - ') - - ######################################## - # - # Declarations - # - - type $1_t, virt_domain; - application_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) - role virt_domain_roles types $1_t; - - type $1_devpts_t, virt_ptynode; - term_pty($1_devpts_t) - - type $1_tmp_t, virt_tmp_type; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t, virt_tmpfs_type; - files_tmpfs_file($1_tmpfs_t) - - optional_policy(` - pulseaudio_tmpfs_content($1_tmpfs_t) - ') - - type $1_image_t, virt_image_type; - files_type($1_image_t) - dev_node($1_image_t) - dev_associate_sysfs($1_image_t) - - ifdef(`distro_gentoo',` - optional_policy(` - qemu_entry_type($1_t) - ') - ') - - ######################################## - # - # Policy - # - - allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms }; - term_create_pty($1_t, $1_devpts_t) - - manage_dirs_pattern($1_t, $1_image_t, $1_image_t) - manage_files_pattern($1_t, $1_image_t, $1_image_t) - manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t) - read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) - manage_sock_files_pattern($1_t, $1_image_t, $1_image_t) - rw_chr_files_pattern($1_t, $1_image_t, $1_image_t) - rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - fs_hugetlbfs_filetrans($1_t, $1_image_t, file) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - - manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) - fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - - optional_policy(` - pulseaudio_run($1_t, virt_domain_roles) - ') - - optional_policy(` - xserver_rw_shm($1_t) - ') -') - -####################################### -## <summary> -## The template to define a virt lxc domain. -## </summary> -## <param name="domain_prefix"> -## <summary> -## Domain prefix to be used. -## </summary> -## </param> -# -template(`virt_lxc_domain_template',` - gen_require(` - attribute_role svirt_lxc_domain_roles; - attribute svirt_lxc_domain; - ') - - type $1_t, svirt_lxc_domain; - domain_type($1_t) - domain_user_exemption_target($1_t) - mls_rangetrans_target($1_t) - mcs_constrained($1_t) - role svirt_lxc_domain_roles types $1_t; -') - -######################################## -## <summary> -## Make the specified type virt image type. -## </summary> -## <param name="type"> -## <summary> -## Type to be used as a virtual image. -## </summary> -## </param> -# -interface(`virt_image',` - gen_require(` - attribute virt_image_type; - ') - - typeattribute $1 virt_image_type; - files_type($1) - dev_node($1) -') - -######################################## -## <summary> -## Execute a domain transition to run virtd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`virt_domtrans',` - gen_require(` - type virtd_t, virtd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virtd_exec_t, virtd_t) -') - -######################################## -## <summary> -## Execute a domain transition to run virt qmf. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`virt_domtrans_qmf',` - gen_require(` - type virt_qmf_t, virt_qmf_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) -') - -######################################## -## <summary> -## Execute a domain transition to -## run virt bridgehelper. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`virt_domtrans_bridgehelper',` - gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) -') - -######################################## -## <summary> -## Execute bridgehelper in the bridgehelper -## domain, and allow the specified role -## the bridgehelper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`virt_run_bridgehelper',` - gen_require(` - attribute_role virt_bridgehelper_roles; - ') - - virt_domtrans_bridgehelper($1) - roleattribute $2 virt_bridgehelper_roles; -') - -######################################## -## <summary> -## Execute virt domain in the their -## domain, and allow the specified -## role that virt domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`virt_run_virt_domain',` - gen_require(` - attribute virt_domain; - attribute_role virt_domain_roles; - ') - - allow $1 virt_domain:process { signal transition }; - roleattribute $2 virt_domain_roles; - - allow virt_domain $1:fd use; - allow virt_domain $1:fifo_file rw_fifo_file_perms; - allow virt_domain $1:process sigchld; -') - -######################################## -## <summary> -## Send generic signals to all virt domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_signal_all_virt_domains',` - gen_require(` - attribute virt_domain; - ') - - allow $1 virt_domain:process signal; -') - -######################################## -## <summary> -## Send kill signals to all virt domains. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_kill_all_virt_domains',` - gen_require(` - attribute virt_domain; - ') - - allow $1 virt_domain:process sigkill; -') - -######################################## -## <summary> -## Execute svirt lxc domains in their -## domain, and allow the specified -## role that svirt lxc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`virt_run_svirt_lxc_domain',` - gen_require(` - attribute svirt_lxc_domain; - attribute_role svirt_lxc_domain_roles; - ') - - allow $1 svirt_lxc_domain:process { signal transition }; - roleattribute $2 svirt_lxc_domain_roles; - - allow svirt_lxc_domain $1:fd use; - allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms; - allow svirt_lxc_domain $1:process sigchld; -') - -####################################### -## <summary> -## Get attributes of virtd executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_getattr_virtd_exec_files',` - gen_require(` - type virtd_exec_t; - ') - - allow $1 virtd_exec_t:file getattr_file_perms; -') - -####################################### -## <summary> -## Connect to virt with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_stream_connect',` - gen_require(` - type virtd_t, virt_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) -') - -######################################## -## <summary> -## Attach to virt tun devices. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_attach_tun_iface',` - gen_require(` - type virtd_t; - ') - - allow $1 virtd_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## <summary> -## Read virt configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms; - read_files_pattern($1, virt_etc_t, virt_etc_t) - read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_config',` - gen_require(` - type virt_etc_t, virt_etc_rw_t; - ') - - files_search_etc($1) - allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms; - manage_files_pattern($1, virt_etc_t, virt_etc_t) - manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) - manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_content',` - gen_require(` - type virt_content_t; - ') - - virt_search_lib($1) - allow $1 virt_content_t:dir list_dir_perms; - list_dirs_pattern($1, virt_content_t, virt_content_t) - read_files_pattern($1, virt_content_t, virt_content_t) - read_lnk_files_pattern($1, virt_content_t, virt_content_t) - read_blk_files_pattern($1, virt_content_t, virt_content_t) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_virt_content',` - gen_require(` - type virt_content_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir manage_dir_perms; - allow $1 virt_content_t:file manage_file_perms; - allow $1 virt_content_t:fifo_file manage_fifo_file_perms; - allow $1 virt_content_t:lnk_file manage_lnk_file_perms; - allow $1 virt_content_t:sock_file manage_sock_file_perms; - allow $1 virt_content_t:blk_file manage_blk_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Relabel virt content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_relabel_virt_content',` - gen_require(` - type virt_content_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_content_t:dir relabel_dir_perms; - allow $1 virt_content_t:file relabel_file_perms; - allow $1 virt_content_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_content_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_content_t:sock_file relabel_sock_file_perms; - allow $1 virt_content_t:blk_file relabel_blk_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the virt content type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans_virt_content',` - gen_require(` - type virt_content_t; - ') - - virt_home_filetrans($1, virt_content_t, $2, $3) -') - -######################################## -## <summary> -## Create, read, write, and delete -## svirt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_svirt_home_content',` - gen_require(` - type svirt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir manage_dir_perms; - allow $1 svirt_home_t:file manage_file_perms; - allow $1 svirt_home_t:fifo_file manage_fifo_file_perms; - allow $1 svirt_home_t:lnk_file manage_lnk_file_perms; - allow $1 svirt_home_t:sock_file manage_sock_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Relabel svirt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_relabel_svirt_home_content',` - gen_require(` - type svirt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 svirt_home_t:dir relabel_dir_perms; - allow $1 svirt_home_t:file relabel_file_perms; - allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 svirt_home_t:sock_file relabel_sock_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the svirt home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans_svirt_home',` - gen_require(` - type svirt_home_t; - ') - - virt_home_filetrans($1, svirt_home_t, $2, $3) -') - -######################################## -## <summary> -## Create specified objects in generic -## virt home directories with private -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private_type"> -## <summary> -## Private file type. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - filetrans_pattern($1, virt_home_t, $2, $3, $4) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt home files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_home_files',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - manage_files_pattern($1, virt_home_t, virt_home_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_generic_virt_home_content',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir manage_dir_perms; - allow $1 virt_home_t:file manage_file_perms; - allow $1 virt_home_t:fifo_file manage_fifo_file_perms; - allow $1 virt_home_t:lnk_file manage_lnk_file_perms; - allow $1 virt_home_t:sock_file manage_sock_file_perms; - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_manage_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs($1) - fs_manage_cifs_files($1) - fs_manage_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Relabel virt home content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_relabel_generic_virt_home_content',` - gen_require(` - type virt_home_t; - ') - - userdom_search_user_home_dirs($1) - allow $1 virt_home_t:dir relabel_dir_perms; - allow $1 virt_home_t:file relabel_file_perms; - allow $1 virt_home_t:fifo_file relabel_fifo_file_perms; - allow $1 virt_home_t:lnk_file relabel_lnk_file_perms; - allow $1 virt_home_t:sock_file relabel_sock_file_perms; -') - -######################################## -## <summary> -## Create specified objects in user home -## directories with the generic virt -## home type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="object_class"> -## <summary> -## Class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -# -interface(`virt_home_filetrans_virt_home',` - gen_require(` - type virt_home_t; - ') - - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) -') - -######################################## -## <summary> -## Read virt pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_pid_files',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -') - -######################################## -## <summary> -## Search virt lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_search_lib',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 virt_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read virt lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) - read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_lib_files',` - gen_require(` - type virt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -') - -######################################## -## <summary> -## Create objects in virt pid -## directories with a private type. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="private type"> -## <summary> -## The type of the object to be created. -## </summary> -## </param> -## <param name="object"> -## <summary> -## The object class of the object being created. -## </summary> -## </param> -## <param name="name" optional="true"> -## <summary> -## The name of the object being created. -## </summary> -## </param> -## <infoflow type="write" weight="10"/> -# -interface(`virt_pid_filetrans',` - gen_require(` - type virt_var_run_t; - ') - - files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -') - -######################################## -## <summary> -## Read virt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`virt_read_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - read_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## <summary> -## Append virt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_append_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_log',` - gen_require(` - type virt_log_t; - ') - - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -') - -######################################## -## <summary> -## Search virt image directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_search_images',` - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -') - -######################################## -## <summary> -## Read virt image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_read_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - list_dirs_pattern($1, virt_image_type, virt_image_type) - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_list_nfs($1) - fs_read_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## Read and write all virt image -## character files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_rw_all_image_chr_files',` - gen_require(` - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -') - -######################################## -## <summary> -## Create, read, write, and delete -## svirt cache files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt cache content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_virt_cache',` - gen_require(` - type virt_cache_t; - ') - - files_search_var($1) - manage_dirs_pattern($1, virt_cache_t, virt_cache_t) - manage_files_pattern($1, virt_cache_t, virt_cache_t) - manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## virt image files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`virt_manage_images',` - gen_require(` - type virt_var_lib_t; - attribute virt_image_type; - ') - - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - manage_dirs_pattern($1, virt_image_type, virt_image_type) - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) - - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') - - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) - fs_read_cifs_symlinks($1) - ') -') - -######################################## -## <summary> -## All of the rules required to -## administrate an virt environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`virt_admin',` - gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; - type virtd_t, virtd_initrc_exec_t, virtd_lxc_t; - type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t; - type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t; - type virt_var_run_t, virt_tmp_t, virt_log_t; - type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; - type virt_etc_t, svirt_cache_t; - ') - - allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) - - init_labeled_script_domtrans($1, virtd_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 virtd_initrc_exec_t system_r; - allow $2 system_r; - - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) - - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) - - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, virt_log_t) - - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) - - files_search_var($1) - admin_pattern($1, svirt_cache_t) - - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) - - files_search_locks($1) - admin_pattern($1, virt_lock_t) - - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -') |