authorChris PeBenito <pebenito@ieee.org>2017-02-23 20:31:35 -0500
committerJason Zaman <jason@perfinion.com>2017-02-25 22:50:53 +0800
commita0d699a7a8da9ce12233029519efd3581c448ad4 (patch)
tree73b9038685ae33e6d5e0f1beea92da705d764352
parentSystemd fixes from Russell Coker. (diff)
downloadhardened-refpolicy-a0d699a7.tar.gz
hardened-refpolicy-a0d699a7.tar.bz2
hardened-refpolicy-a0d699a7.zip
Xen fixes from Russell Coker.
-rw-r--r--policy/modules/contrib/qemu.fc2
-rw-r--r--policy/modules/contrib/qemu.if38
-rw-r--r--policy/modules/contrib/qemu.te22
-rw-r--r--policy/modules/contrib/xen.fc4
-rw-r--r--policy/modules/contrib/xen.if28
-rw-r--r--policy/modules/contrib/xen.te44
6 files changed, 134 insertions, 4 deletions
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index db9ff368e..122ca70f5 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -7,6 +7,8 @@
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/var/run/xen/qmp.* -- gen_context(system_u:object_r:qemu_var_run_t,s0)
+
ifdef(`distro_gentoo',`
/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
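Review bot: The new `/var/run/xen/qmp.*` entry uses the `--` (regular file) specifier, yet the rest of the commit creates this object as a `sock_file` (`files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` and `xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` in qemu.te), so a relabel or restorecon will never match the socket; it should read `/var/run/xen/qmp.* -s gen_context(system_u:object_r:qemu_var_run_t,s0)`. The path prefix also differs from xen.fc, which labels the parent directory as `/run/xen` in this same commit; unless the build's file_contexts substitutions alias `/var/run` to `/run`, only one spelling will be matched, so `/run/xen/qmp.*` would keep the two modules consistent.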
diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index efdc5286e..b6d8e1c27 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -264,6 +264,44 @@ interface(`qemu_kill',`
########################################
## <summary>
+## Connect to qemu with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_stream_connect',`
+ gen_require(`
+ type qemu_t, qemu_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, qemu_var_run_t, qemu_var_run_t, qemu_t)
+')
+
+########################################
+## <summary>
+## Unlink qemu socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_delete_pid_sock_file',`
+ gen_require(`
+ type qemu_var_run_t;
+ ')
+
+ allow $1 qemu_var_run_t:sock_file unlink;
+')
+
+########################################
+## <summary>
## Execute a domain transition to
## run qemu unconfined.
## </summary>
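Review bot: `qemu_delete_pid_sock_file` grants only `sock_file unlink` on `qemu_var_run_t`; unlinking also needs `remove_name` on the containing directory, which this interface does not provide, and since the socket lives under `/run/xen` (labeled `xend_var_run_t` in xen.fc) the caller must obtain that separately (xm_t gets `rw_dir_perms` on `xend_var_run_t` in xen.te). That dependency belongs in the interface description, e.g. `## Delete qemu pid socket files. The caller must separately have write access to the directory holding the socket (xend_var_run_t under /run/xen).` The summary `Unlink qemu socket` would also read consistently with the file's other interfaces if it ended with a period. Both interface bodies are complete within the hunk.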
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9dc09977f..b2c843f55 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.9.0)
+policy_module(qemu, 1.9.1)
########################################
#
@@ -25,11 +25,21 @@ role qemu_roles types qemu_t;
type qemu_unit_t;
init_unit_file(qemu_unit_t)
+type qemu_var_run_t;
+files_pid_file(qemu_var_run_t);
+
########################################
#
# Local policy
#
+kernel_read_crypto_sysctls(qemu_t)
+
+dev_read_sysfs(qemu_t)
+
+allow qemu_t qemu_var_run_t:sock_file create_sock_file_perms;
+files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
tunable_policy(`qemu_full_network',`
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
@@ -41,6 +51,16 @@ tunable_policy(`qemu_full_network',`
')
optional_policy(`
+ fs_manage_xenfs_files(qemu_t)
+
+ dev_rw_xen(qemu_t)
+
+ xen_stream_connect_xenstore(qemu_t)
+ xen_append_log(qemu_t)
+ xen_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+')
+
+optional_policy(`
xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
')
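Review bot: `files_pid_file(qemu_var_run_t);` in the declarations hunk carries a trailing semicolon, unlike every other interface call in the file (`init_unit_file(qemu_unit_t)` directly above it); interface calls are m4 macros, so the stray `;` is passed through into the generated policy and should be dropped: `files_pid_file(qemu_var_run_t)`. In the new xen `optional_policy` block, `fs_manage_xenfs_files(qemu_t)` and `dev_rw_xen(qemu_t)` are kernel- and devices-layer interfaces that do not depend on the xen module; if they are intentionally conditional on xen being present, a one-line comment such as `# only needed when qemu is launched by xl/xend` would make that explicit, otherwise they belong in the unconditional local policy above. `fs_manage_xenfs_files` also gives the whole qemu_t domain full management of xenfs, so it is worth confirming qemu needs more than read/write on existing nodes.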
diff --git a/policy/modules/contrib/xen.fc b/policy/modules/contrib/xen.fc
index 657a94acc..be0374df9 100644
--- a/policy/modules/contrib/xen.fc
+++ b/policy/modules/contrib/xen.fc
@@ -5,6 +5,7 @@
/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+/usr/lib/xen-[^/]*/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
@@ -20,6 +21,8 @@
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:xen_lock_t,s0)
+
/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
@@ -30,6 +33,7 @@
/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
+/run/xen -d gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
diff --git a/policy/modules/contrib/xen.if b/policy/modules/contrib/xen.if
index f93558c5a..441162920 100644
--- a/policy/modules/contrib/xen.if
+++ b/policy/modules/contrib/xen.if
@@ -259,6 +259,34 @@ interface(`xen_stream_connect',`
########################################
## <summary>
+## Create in a xend_var_run_t directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+#
+interface(`xen_pid_filetrans',`
+ gen_require(`
+ type xend_var_run_t;
+ ')
+
+ filetrans_pattern($1, xend_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run xm.
## </summary>
## <param name="domain">
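Review bot: `xen_pid_filetrans` passes only `$1, xend_var_run_t, $2, $3` to `filetrans_pattern`, so callers cannot request a named file transition; adding an optional fourth argument, `filetrans_pattern($1, xend_var_run_t, $2, $3, $4)` with a matching `<param name="name" optional="true">` block, would mirror the `name` parameter that `files_pid_filetrans` accepts and let callers that know the exact object name scope the transition. The summary `Create in a xend_var_run_t directory` would be clearer as `Create objects in xend runtime (/run/xen) directories with a private type.` Other refpolicy filetrans interfaces also call `files_search_pids($1)` so the caller can reach the directory; here that is presumably covered because the only caller, qemu_t, already uses `files_pid_filetrans`, but a standalone caller would need it.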
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index 383c00a79..0d680116a 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.15.0)
+policy_module(xen, 1.15.1)
########################################
#
@@ -75,6 +75,9 @@ type xend_t;
type xend_exec_t;
init_daemon_domain(xend_t, xend_exec_t)
+type xen_lock_t;
+files_lock_file(xen_lock_t)
+
type xend_tmp_t;
files_tmp_file(xend_tmp_t)
@@ -224,6 +227,7 @@ kernel_write_xen_state(xend_t)
kernel_read_xen_state(xend_t)
kernel_rw_net_sysctls(xend_t)
kernel_read_network_state(xend_t)
+kernel_read_vm_sysctls(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -281,6 +285,8 @@ fs_manage_xenfs_dirs(xend_t)
fs_manage_xenfs_files(xend_t)
storage_read_scsi_generic(xend_t)
+# for lsscsi
+storage_getattr_fixed_disk_dev(xend_t)
term_setattr_generic_ptys(xend_t)
term_getattr_all_ptys(xend_t)
@@ -444,6 +450,8 @@ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchn
kernel_write_xen_state(xenstored_t)
kernel_read_xen_state(xenstored_t)
+corecmd_search_bin(xenstored_t)
+
dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@@ -470,12 +478,19 @@ xen_append_log(xenstored_t)
# xm local policy
#
-allow xm_t self:capability { dac_override ipc_lock setpcap sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
+allow xm_t self:capability { dac_override ipc_lock net_admin setpcap sys_nice sys_tty_config };
+allow xm_t self:process { getcap getsched setsched setcap signal sigkill };
allow xm_t self:fifo_file rw_fifo_file_perms;
allow xm_t self:unix_stream_socket { accept connectto listen };
allow xm_t self:tcp_socket { accept listen };
+allow xm_t xend_var_run_t:dir rw_dir_perms;
+
+allow xm_t xen_lock_t:file manage_file_perms;
+files_lock_filetrans(xm_t, xen_lock_t, file)
+
+manage_files_pattern(xm_t, xend_var_log_t, xend_var_log_t)
+
manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
@@ -494,6 +509,8 @@ xen_stream_connect_xenstore(xm_t)
can_exec(xm_t, xm_exec_t)
+kernel_load_module(xm_t)
+kernel_request_load_module(xm_t)
kernel_read_system_state(xm_t)
kernel_read_network_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
@@ -517,8 +534,11 @@ dev_read_rand(xm_t)
dev_read_urand(xm_t)
dev_read_sysfs(xm_t)
+domain_use_interactive_fds(xm_t)
+
files_read_etc_runtime_files(xm_t)
files_read_etc_files(xm_t)
+files_read_kernel_img(xm_t)
files_read_usr_files(xm_t)
files_search_pids(xm_t)
files_search_var_lib(xm_t)
@@ -543,6 +563,13 @@ logging_send_syslog_msg(xm_t)
miscfiles_read_localization(xm_t)
sysnet_dns_name_resolve(xm_t)
+sysnet_domtrans_ifconfig(xm_t)
+
+# for vif-bridge to write to /run/xen-hotplug/iptables
+# maybe we need a different label for /run/xen-hotplug
+udev_manage_pid_files(xm_t)
+
+userdom_dontaudit_search_user_home_content(xm_t)
tunable_policy(`xen_use_fusefs',`
fs_manage_fusefs_dirs(xm_t)
@@ -563,6 +590,17 @@ tunable_policy(`xen_use_samba',`
')
optional_policy(`
+ qemu_domtrans(xm_t)
+ qemu_signal(xm_t)
+ qemu_stream_connect(xm_t)
+ qemu_delete_pid_sock_file(xm_t)
+')
+
+optional_policy(`
+ iptables_domtrans(xm_t)
+')
+
+optional_policy(`
cron_system_entry(xm_t, xm_exec_t)
')
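Review bot: In the `@@ -494,6 +509,8 @@` hunk, `kernel_load_module(xm_t)` is added alongside `kernel_request_load_module(xm_t)`; the latter only lets the domain trigger kernel auto-loading, while the former lets xm_t load arbitrary modules itself, which is a large privilege for a management tool and is not explained by the commit. If xl merely causes modules to be auto-loaded, `kernel_request_load_module(xm_t)` alone should suffice; if direct loading is genuinely required, a comment naming the reason would justify it, e.g. `# xl loads xen backend modules directly`. The same section also grants xm_t `net_admin` and `sigkill`, and the `@@ -543,6 +563,13 @@` hunk adds `udev_manage_pid_files(xm_t)` with an in-code remark that `/run/xen-hotplug` may need its own label; that remark is effectively a TODO and would be easier to track as `# TODO: label /run/xen-hotplug separately instead of granting udev runtime access`. The xm local policy section continues outside these hunks.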