Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow virtqemud relabel tun_socket #2503

Merged
merged 8 commits into from
Jan 3, 2025
Merged

Allow virtqemud relabel tun_socket #2503

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
252c692
Allow virtqemud relabel tun_socket
zpytela Jan 2, 2025
1a22a5a
Allow virtqemud relabelfrom virt_log_t files
zpytela Jan 2, 2025
6cf9059
Allow virtqemud manage nfs dirs when virt_use_nfs boolean is on
zpytela Jan 2, 2025
c36be41
Allow virtqemud the getpgid process permission
zpytela Jan 2, 2025
cf8bdb4
Allow virtqemud permissions needed for live migration
zpytela Jan 2, 2025
50def36
Support virt live migration using ssh
zpytela Jan 2, 2025
0b66c03
Allow virtqemud domain transition on numad execution
zpytela Jan 3, 2025
85f309c
Update virtqemud policy regarding the svirt_tcg_t domain
zpytela Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions policy/modules/contrib/virt.if
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2180,3 +2180,22 @@ interface(`virt_manage_qemu_pid_sock_files',`
files_search_pids($1)
manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')

########################################
## <summary>
## Allow the specified domain to ioctl
## virtqemud over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_virtqemud_ioctl_stream_sockets',`
gen_require(`
type virtqemud_t;
')

allow $1 virtqemud_t:unix_stream_socket ioctl;
')
25 changes: 18 additions & 7 deletions policy/modules/contrib/virt.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2109,20 +2109,22 @@ allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run };
allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setpcap setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio sys_resource };
allow virtqemud_t self:capability2 { bpf perfmon };
allow virtqemud_t self:cap_userns kill;

allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };
allow virtqemud_t self:process { getpgid setcap setexec setrlimit setsched setsockcreate };
allow virtqemud_t self:tcp_socket create_socket_perms;
allow virtqemud_t self:tun_socket create;
allow virtqemud_t self:tun_socket { create relabelfrom relabelto };
allow virtqemud_t self:udp_socket { connect create getattr };

allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom;

allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
allow virtqemud_t svirt_t:netlink_route_socket create_netlink_socket_perms;
allow virtqemud_t svirt_t:process { getattr getrlimit setsched signal signull transition };
allow virtqemud_t svirt_t:tcp_socket create_stream_socket_perms;
allow virtqemud_t svirt_t:udp_socket create_socket_perms;
allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;
allow virtqemud_t svirt_tcg_t: process { setsched signal signull transition };
allow virtqemud_t svirt_tcg_t: unix_stream_socket { connectto create_stream_socket_perms };
allow virtqemud_t svirt_tcg_t:process { getrlimit getsched setsched signal signull transition };
allow virtqemud_t svirt_tcg_t:unix_stream_socket { connectto create_stream_socket_perms };

allow virtqemud_t svirt_devpts_t:chr_file open;
allow virtqemud_t svirt_tmpfs_t:file { map write };
Expand Down Expand Up @@ -2151,7 +2153,7 @@ files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file)

allow virtqemud_t virtqemud_var_run_t:dir relabelfrom;
allow virtqemud_t virtqemud_var_run_t:sock_file relabelfrom;
allow virtqemud_t virt_log_t:file relabelfrom;
allow virtqemud_t virt_log_t:file relabel_file_perms;

manage_dirs_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t)
manage_dirs_pattern(virtqemud_t, virtqemud_var_run_t, virtqemud_var_run_t)
Expand Down Expand Up @@ -2179,6 +2181,7 @@ manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
read_files_pattern(virtqemud_t, svirt_t, svirt_t)
read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t)
read_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t)
read_lnk_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t)

manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t)

Expand Down Expand Up @@ -2267,7 +2270,10 @@ tunable_policy(`virtqemud_use_execmem',`
')

tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtqemud_t)
fs_manage_nfs_files(virtqemud_t)
fs_read_nfs_symlinks(virtqemud_t)
fs_mmap_nfs_files(virtqemud_t)
')

optional_policy(`
Expand All @@ -2278,6 +2284,10 @@ optional_policy(`
dnsmasq_filetrans_named_content_fromdir(virtqemud_t, virtqemud_var_run_t)
')

optional_policy(`
numad_domtrans(virtqemud_t)
')

optional_policy(`
qemu_exec(virtqemud_t)
')
Expand All @@ -2298,6 +2308,7 @@ optional_policy(`

optional_policy(`
ssh_domtrans_ssh(virtqemud_t)
ssh_signal(virtqemud_t)
')

optional_policy(`
Expand Down
4 changes: 4 additions & 0 deletions policy/modules/services/ssh.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -271,6 +271,10 @@ optional_policy(`
systemd_read_conf_files(ssh_t)
')

optional_policy(`
virt_virtqemud_ioctl_stream_sockets(ssh_t)
')

optional_policy(`
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
xserver_domtrans_xauth(ssh_t)
Expand Down
Loading