C10s 20250103 build #2504

Merged
merged 13 commits into from
Jan 3, 2025
8 changes: 8 additions & 0 deletions dist/targeted/modules.conf
Expand Up @@ -3092,3 +3092,11 @@ iiosensorproxy = module
#
#
pcm = module

# Layer: contrib
# Module: ktls
#
# Policy for ktls - TLS handshake agent for kernel sockets
#
#
ktls = module
4 changes: 4 additions & 0 deletions policy/modules/contrib/gnome_remote_desktop.te
Expand Up @@ -62,6 +62,10 @@ optional_policy(`
miscfiles_read_localization(gnome_remote_desktop_t)
')

optional_policy(`
policykit_dbus_chat(gnome_remote_desktop_t)
')

optional_policy(`
systemd_login_list_pid_dirs(gnome_remote_desktop_t)
systemd_login_read_pid_files(gnome_remote_desktop_t)
6 changes: 4 additions & 2 deletions policy/modules/contrib/keyutils.te
Expand Up @@ -22,9 +22,11 @@ allow keyutils_request_t keyutils_request_exec_t:file execute_no_trans;

corecmd_exec_bin(keyutils_request_t)

domain_read_view_all_domains_keyrings(keyutils_request_t)
domain_manage_all_domains_keyrings(keyutils_request_t)

init_write_key(keyutils_request_t)
optional_policy(`
auth_read_passwd(keyutils_request_t)
')

optional_policy(`
init_search_pid_dirs(keyutils_request_t)
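Review bot: `domain_manage_all_domains_keyrings(keyutils_request_t)` replaces the read/view grant with full management of every domain's keyrings, and judging by the name this is the helper the kernel spawns for request-key callouts with arguments supplied by the requesting process. Instantiating a key does need write access to the requester's keyring, which read/view did not cover, but "manage" presumably also carries setattr/link on keyrings owned by unrelated domains, so it is worth confirming no narrower interface exists and recording the reason next to the rule, e.g. `# request-key helpers instantiate keys into the requesting domain's keyring, which needs write on arbitrary domains' keyrings`. The `auth_read_passwd` addition is harmless, but a short comment on which callout needs passwd lookups (the helpers run via `corecmd_exec_bin` above) would help the next reader.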
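--- /dev/null
+++ b/policy/modules/contrib/ktls.fc
@@ -0,0 +1 @@
+/usr/sbin/tlshd -- gen_context(system_u:object_r:ktlshd_exec_t,s0)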
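--- /dev/null
+++ b/policy/modules/contrib/ktls.if
@@ -0,0 +1 @@
+## <summary>ktls - TLS handshake agent for kernel sockets</summary>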
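--- /dev/null
+++ b/policy/modules/contrib/ktls.te
@@ -0,0 +1,19 @@
+policy_module(ktls, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type ktlshd_t;
+type ktlshd_exec_t;
+init_daemon_domain(ktlshd_t, ktlshd_exec_t)
+
+permissive ktlshd_t;
+
+allow ktlshd_t self:netlink_generic_socket create_socket_perms;
+allow ktlshd_t self:unix_dgram_socket create_socket_perms;
+
+optional_policy(`
+	logging_send_syslog_msg(ktlshd_t)
+')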
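Review bot: `permissive ktlshd_t;` puts the handshake agent in permissive mode, so the two allow rules after it are not the effective policy yet — every access tlshd makes is logged and then allowed. That is the usual bootstrap for a new domain, but this daemon handles TLS credentials on behalf of kernel sockets, so the line should carry an explicit exit condition, e.g. `# TODO: drop permissive once AVC denials from real kTLS handshake runs are folded into the policy`; the current rule set (one netlink socket class, one unix dgram class, syslog) is clearly not the full set a handshake agent needs to read certificates and keys. Note also that ktls.if holds only the summary line, so until a transition or communication interface is added no other module can be granted access to ktlshd_t without reaching into this .te directly.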
19 changes: 19 additions & 0 deletions policy/modules/contrib/virt.if
Expand Up @@ -2141,3 +2141,22 @@ interface(`virt_manage_qemu_pid_sock_files',`
files_search_pids($1)
manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')

########################################
## <summary>
## Allow the specified domain to ioctl
## virtqemud over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`virt_virtqemud_ioctl_stream_sockets',`
gen_require(`
type virtqemud_t;
')

allow $1 virtqemud_t:unix_stream_socket ioctl;
')
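Review bot: `virt_virtqemud_ioctl_stream_sockets` grants the unrestricted `ioctl` permission on virtqemud_t's unix stream sockets with no extended-permission filter. Since the only caller this PR adds is ssh_t, which presumably reaches those sockets only through fds inherited when virtqemud execs ssh (virt.te's `ssh_domtrans_ssh`), the exposure is small, but if this policy build already uses `allowxperm` for socket ioctls, pairing the rule with `allowxperm $1 virtqemud_t:unix_stream_socket ioctl { ... }` listing the requests actually seen in the AVC would be tighter. Either way the summary should state why a foreign domain holds these sockets, e.g. `## Allow the specified domain to ioctl virtqemud's unix stream sockets, typically ones inherited when virtqemud spawns it.`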
19 changes: 15 additions & 4 deletions policy/modules/contrib/virt.te
Expand Up @@ -2107,14 +2107,17 @@ allow virtqemud_t self:capability2 { bpf perfmon };
allow virtqemud_t self:cap_userns kill;

allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };
allow virtqemud_t self:process { getpgid setcap setexec setrlimit setsched setsockcreate };
allow virtqemud_t self:tcp_socket create_socket_perms;
allow virtqemud_t self:tun_socket create;
allow virtqemud_t self:tun_socket { create relabelfrom relabelto };
allow virtqemud_t self:udp_socket { connect create getattr };

allow virtqemud_t qemu_var_run_t:{ dir file sock_file } relabelfrom;

allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
allow virtqemud_t svirt_t:netlink_route_socket create_netlink_socket_perms;
allow virtqemud_t svirt_t:process { getattr getrlimit setsched signal signull transition };
allow virtqemud_t svirt_t:tcp_socket create_stream_socket_perms;
allow virtqemud_t svirt_t:udp_socket create_socket_perms;
allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;

Expand Down Expand Up @@ -2144,7 +2147,7 @@ files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file)

allow virtqemud_t virtqemud_var_run_t:dir relabelfrom;
allow virtqemud_t virtqemud_var_run_t:sock_file relabelfrom;
allow virtqemud_t virt_log_t:file relabelfrom;
allow virtqemud_t virt_log_t:file relabel_file_perms;

manage_dirs_pattern(virtqemud_t, virt_var_run_t, virt_var_run_t)
manage_dirs_pattern(virtqemud_t, virtqemud_var_run_t, virtqemud_var_run_t)
Expand Down Expand Up @@ -2257,7 +2260,10 @@ tunable_policy(`virtqemud_use_execmem',`
')

tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtqemud_t)
fs_manage_nfs_files(virtqemud_t)
fs_read_nfs_symlinks(virtqemud_t)
fs_mmap_nfs_files(virtqemud_t)
')

optional_policy(`
Expand All @@ -2268,6 +2274,10 @@ optional_policy(`
dnsmasq_filetrans_named_content_fromdir(virtqemud_t, virtqemud_var_run_t)
')

optional_policy(`
numad_domtrans(virtqemud_t)
')

optional_policy(`
qemu_exec(virtqemud_t)
')
Expand All @@ -2288,6 +2298,7 @@ optional_policy(`

optional_policy(`
ssh_domtrans_ssh(virtqemud_t)
ssh_signal(virtqemud_t)
')

optional_policy(`
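Review bot: `allow virtqemud_t svirt_t:netlink_route_socket create_netlink_socket_perms;` lets virtqemud create route-netlink sockets carrying the guest label (it already holds `setsockcreate` on the line above), and if this policy defines `create_netlink_socket_perms` as refpolicy does, that set includes nlmsg_write. If these sockets are created for handover to a QEMU process, a compromised guest would hold a route-netlink fd capable of sending write requests, so confirm that svirt_t's own rules (outside this hunk) do not also permit nlmsg_write on route sockets, or narrow this rule to `create_socket_perms nlmsg_read` if virtqemud only reads from it. The `virt_use_nfs` block now grants manage on NFS dirs and files where it previously granted only mmap; the tunable's description is declared outside this hunk, so check it still matches the wider grant, e.g. `# virt_use_nfs: allow virtqemud to create and manage guest images on NFS shares`.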
8 changes: 8 additions & 0 deletions policy/modules/services/ssh.te
Expand Up @@ -262,6 +262,14 @@ optional_policy(`
kerberos_read_keytab(ssh_t)
')

optional_policy(`
systemd_read_conf_files(ssh_t)
')

optional_policy(`
virt_virtqemud_ioctl_stream_sockets(ssh_t)
')

optional_policy(`
xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
xserver_domtrans_xauth(ssh_t)
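Review bot: Both additions land in ssh_t, which the `xserver_user_x_domain_template(ssh, ssh_t, ...)` block below shows is the interactive ssh client domain used by every user, so `virt_virtqemud_ioctl_stream_sockets(ssh_t)` and `systemd_read_conf_files(ssh_t)` apply to all ssh invocations, not only the one virtqemud spawns. The virtqemud grant is only exercisable with an inherited fd and is low risk, but it deserves a comment, e.g. `# ssh spawned by virtqemud for the libvirt ssh transport inherits its unix stream sockets`. The systemd conf read is less obvious — I cannot tell from this hunk which client code path needs /etc/systemd configuration — so either name it in a comment or, if it is a benign probe, consider a dontaudit instead of an allow.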