#268 [DO NOT MERGE] Test new libvirt policy ( https://github.com/fedora-selinux/selinux-policy/pull/492 )
Opened 2 years ago by vmojzis. Modified 2 years ago
rpms/ vmojzis/selinux-policy libvirt  into  rawhide

@@ -0,0 +1,802 @@ 

+ From 250944465f590ee23737cf05d59f625974573cc0 Mon Sep 17 00:00:00 2001

+ From: 5umm3r15 <nknazeko@redhat.com>

+ Date: Thu, 17 Dec 2020 14:00:34 +0100

+ Subject: [PATCH] Split virt policy, introduce virt_supplementary module

+ 

+ Separate the services from the original virt files that are not libvirt related and create virt_supplementary policy module.

+ ---

+  policy/modules/contrib/virt.fc               |  67 -----

+  policy/modules/contrib/virt.if               |  17 --

+  policy/modules/contrib/virt.te               | 219 --------------

+  policy/modules/contrib/virt_supplementary.fc |  64 +++++

+  policy/modules/contrib/virt_supplementary.if |  17 ++

+  policy/modules/contrib/virt_supplementary.te | 288 +++++++++++++++++++

+  6 files changed, 369 insertions(+), 303 deletions(-)

+  create mode 100644 policy/modules/contrib/virt_supplementary.fc

+  create mode 100644 policy/modules/contrib/virt_supplementary.if

+  create mode 100644 policy/modules/contrib/virt_supplementary.te

+ 

+ diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc

+ index baaf9ffde..0f7ef55bd 100644

+ --- a/policy/modules/contrib/virt.fc

+ +++ b/policy/modules/contrib/virt.fc

+ @@ -1,15 +1,11 @@

+  HOME_DIR/\.libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)

+  HOME_DIR/\.libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)

+ -HOME_DIR/\.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)

+  HOME_DIR/\.cache/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)

+ -HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)

+ -HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)

+  HOME_DIR/\.cache/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)

+  HOME_DIR/\.config/libvirt(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)

+  HOME_DIR/\.config/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_home_t,s0)

+  HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)

+  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)

+ -HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)

+  HOME_DIR/\.local/share/libvirt/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)

+  HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_home_t,s0)

+  

+ @@ -20,25 +16,13 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_

+  /etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)

+  /etc/rc\.d/init\.d/libvirtd --	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)

+  /etc/rc\.d/init\.d/virtlogd --  gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)

+ -/etc/xen		-d	gen_context(system_u:object_r:virt_etc_t,s0)

+ -/etc/xen/[^/]*		--	gen_context(system_u:object_r:virt_etc_t,s0)

+ -/etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)

+ -/etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)

+  

+  /usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)

+ -/usr/libexec/qemu-bridge-helper		gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)

+ -/usr/libexec/qemu-pr-helper	--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/bin/qemu-storage-daemon -- gen_context(system_u:object_r:virtd_exec_t,s0)

+  

+  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)

+  /usr/sbin/virtlockd --  gen_context(system_u:object_r:virtlogd_exec_t,s0)

+  /usr/sbin/virtlogd --  gen_context(system_u:object_r:virtlogd_exec_t,s0)

+ -/usr/bin/virt-who   --  gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/bin/qemu-pr-helper   --  gen_context(system_u:object_r:virtd_exec_t,s0)

+  /usr/bin/virsh		--	gen_context(system_u:object_r:virsh_exec_t,s0)

+ -/usr/sbin/condor_vm-gahp	--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/sbin/xl		--	gen_context(system_u:object_r:virsh_exec_t,s0)

+ -/usr/sbin/xm		--	gen_context(system_u:object_r:virsh_exec_t,s0)

+  

+  /usr/sbin/virtinterfaced	--	gen_context(system_u:object_r:virtd_exec_t,s0)

+  /usr/sbin/virtlxcd	--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ @@ -62,10 +46,8 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_

+  /var/lib/libvirt/lockd(/.*)? 	gen_context(system_u:object_r:virt_var_lockd_t,s0)

+  /var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)

+  

+ -/var/lock/xl		--	gen_context(system_u:object_r:virt_log_t,s0)

+  /var/log/log(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)

+  /var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)

+ -/var/log/vdsm(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)

+  /var/run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_var_run_t,s0)

+  /var/run/virtlogd\.pid	--	gen_context(system_u:object_r:virtlogd_var_run_t,s0)

+  /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)

+ @@ -73,57 +55,8 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_

+  /var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)

+  /var/run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)

+  /var/run/libvirt/virtlogd-sock	-s 		gen_context(system_u:object_r:virtlogd_var_run_t,s0)

+ -/var/run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virt_lxc_var_run_t,s0)

+ -/var/run/vdsm(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)

+ -/var/run/qemu-pr-helper\.sock	-s 		gen_context(system_u:object_r:virt_var_run_t,s0)

+ -

+ -/var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)

+ -

+ -# support for AEOLUS project

+ -/usr/bin/imagefactory		--			gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/bin/imgfac\.py		--			gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/var/cache/oz(/.*)?					gen_context(system_u:object_r:virt_cache_t,s0)

+ -/var/lib/imagefactory/images(/.*)?	gen_context(system_u:object_r:virt_image_t,s0)

+ -/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)

+ -/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)

+ -/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)

+ -/var/lib/rkt/cas(/.*)?		gen_context(system_u:object_r:container_file_t,s0)

+ -

+ -# add support vios-proxy-*

+ -/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/bin/vios-proxy-guest	--  gen_context(system_u:object_r:virtd_exec_t,s0)

+ -

+ -#support for vdsm

+ -/usr/share/vdsm/vdsm    --       gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/share/vdsm/respawn    --       gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/share/vdsm/supervdsmServer    --       gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/share/vdsm/daemonAdapter       --  gen_context(system_u:object_r:virtd_exec_t,s0)

+ -

+ -# support for nova-stack

+ -/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)

+ -/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)

+ -/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)

+ -/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)

+ -/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)

+ -

+ -/etc/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ -/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?  gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ -/var/run/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ -

+ -/usr/libexec/qemu-ga(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)

+ -

+ -/usr/lib/virt-sysprep/firstboot.sh --  gen_context(system_u:object_r:virtd_exec_t,s0)

+  

+  /usr/lib/systemd/system/*virtlogd.*	gen_context(system_u:object_r:virtlogd_unit_file_t,s0)

+  

+  /usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)

+  /usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)

+ -/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)

+ -

+ -/usr/bin/qemu-ga                --      gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)

+ -

+ -/var/run/qemu-ga\.pid           --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)

+ -/var/run/qga\.state             --      gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)

+ -

+ -/var/log/qemu-ga\.log.*           --      gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)

+ -/var/log/qemu-ga(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)

+ diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if

+ index f2ee43e1c..0f91098e4 100644

+ --- a/policy/modules/contrib/virt.if

+ +++ b/policy/modules/contrib/virt.if

+ @@ -175,23 +175,6 @@ interface(`virt_exec',`

+  	can_exec($1, virtd_exec_t)

+  ')

+  

+ -########################################

+ -## <summary>

+ -##  Transition to virt_bridgehelper.

+ -## </summary>

+ -## <param name="domain">

+ -## <summary>

+ -##  Domain allowed to transition.

+ -## </summary>

+ -## </param>

+ -interface(`virt_domtrans_bridgehelper',`

+ -	gen_require(`

+ -		type virt_bridgehelper_t, virt_bridgehelper_exec_t;

+ -	')

+ -

+ -	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)

+ -')

+ -

+  ########################################

+  ## <summary>

+  ##      Allow caller domain to run bpftool.

+ diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te

+ index 340056b8c..2259ab3c5 100644

+ --- a/policy/modules/contrib/virt.te

+ +++ b/policy/modules/contrib/virt.te

+ @@ -170,20 +170,6 @@ gen_tunable(virt_sandbox_use_mknod, false)

+  ## </desc>

+  gen_tunable(virt_sandbox_use_all_caps, true)

+  

+ -## <desc>

+ -## <p>

+ -## Allow qemu-ga to read qemu-ga date.

+ -## </p>

+ -## </desc>

+ -gen_tunable(virt_read_qemu_ga_data, false)

+ -

+ -## <desc>

+ -## <p>

+ -## Allow qemu-ga to manage qemu-ga date.

+ -## </p>

+ -## </desc>

+ -gen_tunable(virt_rw_qemu_ga_data, false)

+ -

+  ## <desc>

+  ## <p>

+  ## Allow virtlockd read and lock block devices.

+ @@ -191,13 +177,6 @@ gen_tunable(virt_rw_qemu_ga_data, false)

+  ## </desc>

+  gen_tunable(virt_lockd_blk_devs, false)

+  

+ -## <desc>

+ -## <p>

+ -## Allow qemu-ga read all non-security file types.

+ -## </p>

+ -## </desc>

+ -gen_tunable(virt_qemu_ga_read_nonsecurity_files, false)

+ -

+  virt_domain_template(svirt)

+  role system_r types svirt_t;

+  typealias svirt_t alias qemu_t;

+ @@ -301,32 +280,6 @@ ifdef(`enable_mls',`

+  	init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)

+  ')

+  

+ -type virt_bridgehelper_t, virt_system_domain;

+ -domain_type(virt_bridgehelper_t)

+ -

+ -type virt_bridgehelper_exec_t, virt_file_type;

+ -domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)

+ -role system_r types virt_bridgehelper_t;

+ -

+ -# policy for qemu_ga

+ -type virt_qemu_ga_t, virt_system_domain;

+ -type virt_qemu_ga_exec_t, virt_file_type;

+ -init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)

+ -

+ -type virt_qemu_ga_var_run_t, virt_file_type;

+ -files_pid_file(virt_qemu_ga_var_run_t)

+ -

+ -type virt_qemu_ga_log_t, virt_file_type;

+ -logging_log_file(virt_qemu_ga_log_t)

+ -

+ -type virt_qemu_ga_tmp_t, virt_file_type;

+ -files_tmp_file(virt_qemu_ga_tmp_t)

+ -

+ -type virt_qemu_ga_data_t, virt_file_type;

+ -files_type(virt_qemu_ga_data_t)

+ -

+ -type virt_qemu_ga_unconfined_exec_t, virt_file_type;

+ -application_executable_file(virt_qemu_ga_unconfined_exec_t)

+  

+  ########################################

+  #

+ @@ -1673,178 +1626,6 @@ tunable_policy(`virt_sandbox_use_audit',`

+  

+  userdom_use_user_ptys(svirt_qemu_net_t)

+  

+ -########################################

+ -#

+ -# virt_bridgehelper local policy

+ -#

+ -

+ -allow virt_bridgehelper_t self:process { setcap getcap };

+ -allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };

+ -allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;

+ -allow virt_bridgehelper_t self:tun_socket create_socket_perms;

+ -allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;

+ -

+ -allow virt_bridgehelper_t virt_domain:unix_stream_socket { read write };

+ -

+ -manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)

+ -

+ -kernel_read_network_state(virt_bridgehelper_t)

+ -kernel_read_system_state(virt_bridgehelper_t)

+ -

+ -dev_read_urand(virt_bridgehelper_t)

+ -dev_read_rand(virt_bridgehelper_t)

+ -dev_read_sysfs(virt_bridgehelper_t)

+ -

+ -corenet_rw_tun_tap_dev(virt_bridgehelper_t)

+ -

+ -userdom_use_inherited_user_ptys(virt_bridgehelper_t)

+ -

+ -#######################################

+ -#

+ -# virt_qemu_ga local policy

+ -#

+ -

+ -allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };

+ -

+ -allow virt_qemu_ga_t self:passwd passwd;

+ -

+ -allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;

+ -allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;

+ -

+ -allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;

+ -can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)

+ -

+ -manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)

+ -manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)

+ -files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })

+ -

+ -manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)

+ -manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)

+ -files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )

+ -

+ -manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)

+ -manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)

+ -logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })

+ -

+ -kernel_read_system_state(virt_qemu_ga_t)

+ -kernel_read_network_state(virt_qemu_ga_t)

+ -kernel_rw_kernel_sysctl(virt_qemu_ga_t)

+ -

+ -corecmd_exec_shell(virt_qemu_ga_t)

+ -corecmd_exec_bin(virt_qemu_ga_t)

+ -

+ -clock_read_adjtime(virt_qemu_ga_t)

+ -

+ -dev_getattr_apm_bios_dev(virt_qemu_ga_t)

+ -dev_rw_sysfs(virt_qemu_ga_t)

+ -dev_rw_realtime_clock(virt_qemu_ga_t)

+ -

+ -files_list_all_mountpoints(virt_qemu_ga_t)

+ -files_write_all_mountpoints(virt_qemu_ga_t)

+ -

+ -fs_list_all(virt_qemu_ga_t)

+ -fs_getattr_all_fs(virt_qemu_ga_t)

+ -

+ -term_use_virtio_console(virt_qemu_ga_t)

+ -term_use_all_ttys(virt_qemu_ga_t)

+ -term_use_unallocated_ttys(virt_qemu_ga_t)

+ -

+ -auth_use_nsswitch(virt_qemu_ga_t)

+ -

+ -logging_send_syslog_msg(virt_qemu_ga_t)

+ -logging_send_audit_msgs(virt_qemu_ga_t)

+ -

+ -init_read_utmp(virt_qemu_ga_t)

+ -

+ -modutils_exec_kmod(virt_qemu_ga_t)

+ -

+ -sysnet_dns_name_resolve(virt_qemu_ga_t)

+ -

+ -systemd_exec_systemctl(virt_qemu_ga_t)

+ -systemd_start_power_services(virt_qemu_ga_t)

+ -systemd_dbus_chat_logind(virt_qemu_ga_t)

+ -

+ -userdom_use_user_ptys(virt_qemu_ga_t)

+ -

+ -usermanage_domtrans_passwd(virt_qemu_ga_t)

+ -

+ -tunable_policy(`virt_qemu_ga_read_nonsecurity_files',`

+ -	files_read_non_security_files(virt_qemu_ga_t)

+ -')

+ -

+ -tunable_policy(`virt_read_qemu_ga_data',`

+ -    read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ -    read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ -')

+ -

+ -tunable_policy(`virt_rw_qemu_ga_data',`

+ -    manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ -    manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ -    manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ -')

+ -

+ -optional_policy(`

+ -    bootloader_domtrans(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    clock_domtrans(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    dbus_system_bus_client(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    cron_initrc_domtrans(virt_qemu_ga_t)

+ -    cron_domtrans(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    devicekit_manage_pid_files(virt_qemu_ga_t)

+ -    devicekit_read_log_files(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    fstools_domtrans(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    rpm_dbus_chat(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -    shutdown_domtrans(virt_qemu_ga_t)

+ -')

+ -

+ -optional_policy(`

+ -	udev_read_pid_files(virt_qemu_ga_t)

+ -')

+ -

+ -#######################################

+ -#

+ -# qemu-ga  unconfined hook script local policy

+ -#

+ -

+ -optional_policy(`

+ -    type virt_qemu_ga_unconfined_t;

+ -    domain_type(virt_qemu_ga_unconfined_t)

+ -

+ -    domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)

+ -    role system_r types virt_qemu_ga_unconfined_t;

+ -

+ -    domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)

+ -

+ -    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;

+ -    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;

+ -    allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;

+ -

+ -    init_domtrans_script(virt_qemu_ga_unconfined_t)

+ -

+ -    optional_policy(`

+ -        unconfined_domain(virt_qemu_ga_unconfined_t)

+ -    ')

+ -')

+  

+  #######################################

+  #

+ diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc

+ new file mode 100644

+ index 000000000..76df96204

+ --- /dev/null

+ +++ b/policy/modules/contrib/virt_supplementary.fc

+ @@ -0,0 +1,64 @@

+ +HOME_DIR/\.virtinst(/.*)? 	gen_context(system_u:object_r:virt_home_t,s0)

+ +HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)

+ +HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)

+ +HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)

+ +

+ +/etc/xen				-d	gen_context(system_u:object_r:virt_etc_t,s0)

+ +/etc/xen/[^/]*				--	gen_context(system_u:object_r:virt_etc_t,s0)

+ +/etc/xen/[^/]*				-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)

+ +/etc/xen/.*/.*					gen_context(system_u:object_r:virt_etc_rw_t,s0)

+ +

+ +/usr/bin/qemu-pr-helper			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/bin/virt-who			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +

+ +/usr/lib/systemd/system/.*xen.*\.service	--	gen_context(system_u:object_r:virtd_unit_file_t,s0)

+ +/usr/lib/virt-sysprep/firstboot.sh		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +

+ +/usr/libexec/qemu-bridge-helper			gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)

+ +

+ +/usr/sbin/condor_vm-gahp		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/sbin/libvirt-qmf			--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)

+ +/usr/sbin/xl				--	gen_context(system_u:object_r:virsh_exec_t,s0)

+ +/usr/sbin/xm				--	gen_context(system_u:object_r:virsh_exec_t,s0)

+ +

+ +/var/lock/xl				--	gen_context(system_u:object_r:virt_log_t,s0)

+ +/var/log/vdsm(/.*)?				gen_context(system_u:object_r:virt_log_t,s0)

+ +

+ +/var/run/libvirt-sandbox(/.*)?			gen_context(system_u:object_r:virt_lxc_var_run_t,s0)

+ +/var/run/qemu-pr-helper\.sock		-s	gen_context(system_u:object_r:virt_var_run_t,s0)

+ +

+ +# support for AEOLUS project

+ +/usr/bin/imagefactory			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/bin/imgfac\.py			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/var/cache/oz(/.*)?				gen_context(system_u:object_r:virt_cache_t,s0)

+ +/var/lib/imagefactory/images(/.*)?		gen_context(system_u:object_r:virt_image_t,s0)

+ +/var/lib/oz(/.*)?				gen_context(system_u:object_r:virt_var_lib_t,s0)

+ +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)

+ +/var/lib/rkt/cas(/.*)?				gen_context(system_u:object_r:container_file_t,s0)

+ +

+ +# add support vios-proxy-*

+ +/usr/bin/vios-proxy-host		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/bin/vios-proxy-guest		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +

+ +#support for vdsm

+ +/usr/share/vdsm/vdsm			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/share/vdsm/respawn			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/share/vdsm/supervdsmServer		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/share/vdsm/daemonAdapter		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)

+ +/var/run/vdsm(/.*)?				gen_context(system_u:object_r:virt_var_run_t,s0)

+ +/var/vdsm(/.*)?					gen_context(system_u:object_r:virt_var_run_t,s0)

+ +

+ +# support for nova-stack

+ +/usr/bin/nova-compute			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +

+ +# support for QEMU-GA

+ +/etc/qemu-ga/fsfreeze-hook\.d(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ +/usr/bin/qemu-ga			--	gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)

+ +/usr/libexec/qemu-ga(/.*)?			gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)

+ +/usr/libexec/qemu-ga/fsfreeze-hook\.d(/.*)?	gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ +/var/run/qemu-ga/fsfreeze-hook\.d(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ +/var/run/qemu-ga\.pid			--	gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)

+ +/var/run/qga\.state			--	gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)

+ +/var/log/qemu-ga\.log.*			--	gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)

+ +/var/log/qemu-ga(/.*)?				gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)

+ diff --git a/policy/modules/contrib/virt_supplementary.if b/policy/modules/contrib/virt_supplementary.if

+ new file mode 100644

+ index 000000000..7db1e5a8a

+ --- /dev/null

+ +++ b/policy/modules/contrib/virt_supplementary.if

+ @@ -0,0 +1,17 @@

+ +## <summary>Policy for virtualization</summary>

+ +#####################################

+ +## <summary>

+ +##	Transition to virt_bridgehelper.

+ +## </summary>

+ +## <param name="domain">

+ +##	<summary>

+ +## 	Domain allowed to transition.

+ +##	</summary>

+ +## </param>

+ +interface(`virt_domtrans_bridgehelper',`

+ +	gen_require(`

+ +		type virt_bridgehelper_t, virt_bridgehelper_exec_t;

+ +	')

+ +

+ +	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)

+ +')

+ diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te

+ new file mode 100644

+ index 000000000..2f18cf363

+ --- /dev/null

+ +++ b/policy/modules/contrib/virt_supplementary.te

+ @@ -0,0 +1,288 @@

+ +policy_module(virt_supplementary, 1.5.0)

+ +

+ +########################################

+ +#

+ +# Declarations

+ +#

+ +

+ +## <desc>

+ +## <p>

+ +## Allow qemu-ga to read qemu-ga date.

+ +## </p>

+ +## </desc>

+ +gen_tunable(virt_read_qemu_ga_data, false)

+ +

+ +## <desc>

+ +## <p>

+ +## Allow qemu-ga to manage qemu-ga date.

+ +## </p>

+ +## </desc>

+ +gen_tunable(virt_rw_qemu_ga_data, false)

+ +

+ +## <desc>

+ +## <p>

+ +## Allow qemu-ga read all non-security file types.

+ +## </p>

+ +## </desc>

+ +gen_tunable(virt_qemu_ga_read_nonsecurity_files, false)

+ +

+ +gen_require(`

+ +    class passwd passwd;

+ +')

+ +

+ +type virt_qmf_t;

+ +type virt_qmf_exec_t;

+ +init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)

+ +

+ +type virt_bridgehelper_t;

+ +domain_type(virt_bridgehelper_t)

+ +

+ +type virt_bridgehelper_exec_t;

+ +domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)

+ +role system_r types virt_bridgehelper_t;

+ +

+ +# policy for qemu_ga

+ +type virt_qemu_ga_t;

+ +type virt_qemu_ga_exec_t;

+ +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)

+ +

+ +type virt_qemu_ga_var_run_t;

+ +files_pid_file(virt_qemu_ga_var_run_t)

+ +

+ +type virt_qemu_ga_log_t;

+ +logging_log_file(virt_qemu_ga_log_t)

+ +

+ +type virt_qemu_ga_tmp_t;

+ +files_tmp_file(virt_qemu_ga_tmp_t)

+ +

+ +type virt_qemu_ga_data_t;

+ +files_type(virt_qemu_ga_data_t)

+ +

+ +type virt_qemu_ga_unconfined_exec_t;

+ +application_executable_file(virt_qemu_ga_unconfined_exec_t)

+ +

+ +optional_policy(`

+ +	virt_file_types(virt_qemu_ga_exec_t)

+ +	virt_file_types(virt_qemu_ga_var_run_t)

+ +	virt_file_types(virt_qemu_ga_log_t)

+ +	virt_file_types(virt_qemu_ga_tmp_t)

+ +	virt_file_types(virt_qemu_ga_data_t)

+ +	virt_file_types(virt_qemu_ga_unconfined_exec_t)

+ +')

+ +

+ +########################################

+ +#

+ +# virt_qmf local policy

+ +#

+ +allow virt_qmf_t self:capability { sys_nice sys_tty_config };

+ +allow virt_qmf_t self:process { setsched signal };

+ +allow virt_qmf_t self:fifo_file rw_fifo_file_perms;

+ +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;

+ +allow virt_qmf_t self:tcp_socket create_stream_socket_perms;

+ +allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;

+ +

+ +kernel_read_system_state(virt_qmf_t)

+ +kernel_read_network_state(virt_qmf_t)

+ +

+ +corenet_tcp_connect_matahari_port(virt_qmf_t)

+ +

+ +dev_read_sysfs(virt_qmf_t)

+ +dev_read_rand(virt_qmf_t)

+ +dev_read_urand(virt_qmf_t)

+ +

+ +domain_use_interactive_fds(virt_qmf_t)

+ +

+ +logging_send_syslog_msg(virt_qmf_t)

+ +

+ +sysnet_read_config(virt_qmf_t)

+ +

+ +optional_policy(`

+ +	dbus_read_lib_files(virt_qmf_t)

+ +')

+ +

+ +optional_policy(`

+ +	virt_exec(virt_qmf_t)

+ +	virt_file_types(virt_qmf_exec_t)

+ +	virt_stream_connect(virt_qmf_t)

+ +	virt_system_domain_type(virt_qmf_t)

+ +')

+ +

+ +########################################

+ +#

+ +# virt_bridgehelper local policy

+ +#

+ +

+ +allow virt_bridgehelper_t self:process { getcap setcap };

+ +allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };

+ +allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;

+ +allow virt_bridgehelper_t self:tun_socket create_socket_perms;

+ +allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;

+ +

+ +kernel_read_network_state(virt_bridgehelper_t)

+ +kernel_read_system_state(virt_bridgehelper_t)

+ +

+ +corenet_rw_tun_tap_dev(virt_bridgehelper_t)

+ +

+ +dev_read_urand(virt_bridgehelper_t)

+ +dev_read_rand(virt_bridgehelper_t)

+ +dev_read_sysfs(virt_bridgehelper_t)

+ +

+ +userdom_use_inherited_user_ptys(virt_bridgehelper_t)

+ +

+ +optional_policy(`

+ +	virt_file_types(virt_bridgehelper_exec_t)

+ +	virt_rw_stream_sockets_virt_domain(virt_bridgehelper_t)

+ +	virt_svirt_manage_home(virt_bridgehelper_t)

+ +	virt_system_domain_type(virt_bridgehelper_t)

+ +')

+ +

+ +#######################################

+ +#

+ +# virt_qemu_ga local policy

+ +#

+ +

+ +allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };

+ +

+ +allow virt_qemu_ga_t self:passwd passwd;

+ +

+ +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;

+ +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;

+ +

+ +allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;

+ +can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)

+ +

+ +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)

+ +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)

+ +files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })

+ +

+ +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)

+ +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)

+ +files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )

+ +

+ +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)

+ +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)

+ +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })

+ +

+ +kernel_read_system_state(virt_qemu_ga_t)

+ +kernel_read_network_state(virt_qemu_ga_t)

+ +kernel_rw_kernel_sysctl(virt_qemu_ga_t)

+ +

+ +corecmd_exec_shell(virt_qemu_ga_t)

+ +corecmd_exec_bin(virt_qemu_ga_t)

+ +

+ +dev_getattr_apm_bios_dev(virt_qemu_ga_t)

+ +dev_rw_sysfs(virt_qemu_ga_t)

+ +dev_rw_realtime_clock(virt_qemu_ga_t)

+ +

+ +files_list_all_mountpoints(virt_qemu_ga_t)

+ +files_write_all_mountpoints(virt_qemu_ga_t)

+ +

+ +fs_list_all(virt_qemu_ga_t)

+ +fs_getattr_all_fs(virt_qemu_ga_t)

+ +

+ +term_use_virtio_console(virt_qemu_ga_t)

+ +term_use_all_ttys(virt_qemu_ga_t)

+ +term_use_unallocated_ttys(virt_qemu_ga_t)

+ +

+ +auth_use_nsswitch(virt_qemu_ga_t)

+ +

+ +clock_read_adjtime(virt_qemu_ga_t)

+ +

+ +init_read_utmp(virt_qemu_ga_t)

+ +

+ +logging_send_syslog_msg(virt_qemu_ga_t)

+ +logging_send_audit_msgs(virt_qemu_ga_t)

+ +

+ +modutils_exec_kmod(virt_qemu_ga_t)

+ +

+ +sysnet_dns_name_resolve(virt_qemu_ga_t)

+ +

+ +systemd_exec_systemctl(virt_qemu_ga_t)

+ +systemd_start_power_services(virt_qemu_ga_t)

+ +systemd_dbus_chat_logind(virt_qemu_ga_t)

+ +

+ +userdom_use_user_ptys(virt_qemu_ga_t)

+ +

+ +usermanage_domtrans_passwd(virt_qemu_ga_t)

+ +

+ +tunable_policy(`virt_read_qemu_ga_data',`

+ +	read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ +	read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ +')

+ +

+ +tunable_policy(`virt_rw_qemu_ga_data',`

+ +	manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ +	manage_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ +	manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)

+ +')

+ +

+ +tunable_policy(`virt_qemu_ga_read_nonsecurity_files',`

+ +	files_read_non_security_files(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	bootloader_domtrans(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	clock_domtrans(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	cron_initrc_domtrans(virt_qemu_ga_t)

+ +	cron_domtrans(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	dbus_system_bus_client(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	devicekit_manage_pid_files(virt_qemu_ga_t)

+ +	devicekit_read_log_files(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	fstools_domtrans(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	rpm_dbus_chat(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	shutdown_domtrans(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	udev_read_pid_files(virt_qemu_ga_t)

+ +')

+ +

+ +optional_policy(`

+ +	virt_system_domain_type(virt_qemu_ga_t)

+ +')

+ +

+ +#######################################

+ +#

+ +# qemu-ga  unconfined hook script local policy

+ +#

+ +

+ +optional_policy(`

+ +	type virt_qemu_ga_unconfined_t;

+ +	domain_type(virt_qemu_ga_unconfined_t)

+ +

+ +	domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)

+ +	role system_r types virt_qemu_ga_unconfined_t;

+ +

+ +	domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)

+ +

+ +	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;

+ +	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;

+ +	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;

+ +

+ +	init_domtrans_script(virt_qemu_ga_unconfined_t)

+ +

+ +	optional_policy(`

+ +		unconfined_domain(virt_qemu_ga_unconfined_t)

+ +	')

+ +')

+ -- 

+ 2.30.2

+ 
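Review bot: virt_supplementary.te calls `virt_file_types`, `virt_system_domain_type`, `virt_rw_stream_sockets_virt_domain` and `virt_svirt_manage_home` inside optional_policy blocks, but none of these interfaces is defined in any visible hunk — this patch's virt.if change only removes `virt_domtrans_bridgehelper` — so the module presumably builds only if another patch in the series adds them to virt.if. Because the calls sit in `optional_policy`, a policy linked without the virt module silently drops them, leaving virt_bridgehelper_t without the `virt_system_domain` attribute and without the svirt_home_t access that the old in-module declaration in virt.te always granted; a one-line comment above the first optional_policy block stating that the virt module is a hard dependency of this one would make that intent explicit to the next maintainer. The tunable descriptions also carry over the original typo and should read `## Allow qemu-ga to read qemu-ga data.` and `## Allow qemu-ga to manage qemu-ga data.`, since these strings become the user-visible boolean descriptions. Finally, the new virt_supplementary.if header `## <summary>Policy for virtualization</summary>` does not distinguish this module from virt; `## <summary>Supplementary virtualization policy (qemu-ga, qemu-bridge-helper, libvirt-qmf, vdsm, xen tools)</summary>` would name what it actually covers.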

@@ -0,0 +1,308 @@ 

+ From 1edac514aa18ae0c3cdd816c54a5a1b022478917 Mon Sep 17 00:00:00 2001

+ From: Nikola Knazekova <nknazeko@redhat.com>

+ Date: Thu, 17 Jun 2021 14:21:42 +0200

+ Subject: [PATCH] MLS update for libvirt-selinux

+ 

+ Fix AVC messages discovered by testing on MLS system.

+ 

+ Move qemu_exec_t, qemu-storage-daemon and /var/log/log/* to virt_supplementary.

+ ---

+  policy/modules/contrib/virt.fc               |  3 +-

+  policy/modules/contrib/virt.if               | 40 ++++++++++----------

+  policy/modules/contrib/virt.te               | 29 ++++++++++----

+  policy/modules/contrib/virt_supplementary.fc |  6 +++

+  policy/modules/contrib/virt_supplementary.if | 18 +++++++++

+  policy/modules/contrib/virt_supplementary.te |  2 +

+  6 files changed, 68 insertions(+), 30 deletions(-)

+ 

+ diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc

+ index 5aa5bef6e..4ad5445a5 100644

+ --- a/policy/modules/contrib/virt.fc

+ +++ b/policy/modules/contrib/virt.fc

+ @@ -46,11 +46,10 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?	gen_context(system_u:object_r:svirt_ho

+  /var/lib/libvirt/lockd(/.*)?		gen_context(system_u:object_r:virt_var_lockd_t,s0)

+  /var/lib/libvirt/qemu(/.*)?		gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)

+  

+ -/var/log/log(/.*)?				gen_context(system_u:object_r:virt_log_t,s0)

+  /var/log/libvirt(/.*)?				gen_context(system_u:object_r:virt_log_t,s0)

+  /var/run/libvirtd\.pid			--	gen_context(system_u:object_r:virt_var_run_t,s0)

+  /var/run/libvirt/common(/.*)?			gen_context(system_u:object_r:virt_common_var_run_t,s0)

+ -# Avoid calling m4's "interface" by using en empty string

+ +# Use parentheses so that "interface" is not recognized as a keyword by M4

+  /var/run/libvirt/interfac(e)(/.*)?		gen_context(system_u:object_r:virtinterfaced_var_run_t,s0)

+  /var/run/libvirt/nodedev(/.*)?			gen_context(system_u:object_r:virtnodedevd_var_run_t,s0)

+  /var/run/libvirt/nwfilter(/.*)?			gen_context(system_u:object_r:virtnwfilterd_var_run_t,s0)

+ diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if

+ index b9b350b56..1055f2a3d 100644

+ --- a/policy/modules/contrib/virt.if

+ +++ b/policy/modules/contrib/virt.if

+ @@ -71,12 +71,11 @@ template(`virt_domain_template',`

+  		attribute virt_image_type, virt_domain;

+  		attribute virt_tmpfs_type;

+  		attribute virt_ptynode;

+ -		type qemu_exec_t;

+  		type virtlogd_t;

+  	')

+  

+  	type $1_t, virt_domain;

+ -	application_domain($1_t, qemu_exec_t)

+ +	application_type($1_t)

+  	domain_user_exemption_target($1_t)

+  	mls_rangetrans_target($1_t)

+  	mcs_constrained($1_t)

+ @@ -97,6 +96,15 @@ template(`virt_domain_template',`

+  	# Allow domain to write to pipes connected to virtlogd

+  	allow $1_t virtlogd_t:fd use;

+  	allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;

+ +

+ +	optional_policy(`

+ +		gen_require(`

+ +			type qemu_exec_t;

+ +		')

+ +

+ +		application_executable_file(qemu_exec_t)

+ +		domain_entry_file($1_t, qemu_exec_t)

+ +	')

+  ')

+  

+  ######################################

+ @@ -123,6 +131,8 @@ template(`virt_driver_template',`

+  	')

+  

+  	type $1_t, virt_driver_domain;

+ +	mls_rangetrans_source($1_t)

+ +	mls_rangetrans_target($1_t)

+  

+  	type $1_exec_t, virt_driver_executable;

+  	init_daemon_domain($1_t, $1_exec_t)

+ @@ -160,6 +170,14 @@ template(`virt_driver_template',`

+  

+  	kernel_dgram_send($1_t)

+  

+ +	mls_fd_share_all_levels($1_t)

+ +	mls_file_read_to_clearance($1_t)

+ +	mls_file_write_to_clearance($1_t)

+ +	mls_process_read_to_clearance($1_t)

+ +	mls_process_write_to_clearance($1_t)

+ +	mls_socket_read_to_clearance($1_t)

+ +	mls_socket_write_to_clearance($1_t)

+ +

+  	auth_read_passwd($1_t)

+  

+  	dev_read_sysfs($1_t)

+ @@ -1610,24 +1628,6 @@ interface(`virt_system_domain_type',`

+  	typeattribute $1 virt_system_domain;

+  ')

+  

+ -########################################

+ -## <summary>

+ -##	Execute a qemu_exec_t in the callers domain

+ -## </summary>

+ -## <param name="domain">

+ -## <summary>

+ -##	Domain allowed access.

+ -## </summary>

+ -## </param>

+ -#

+ -interface(`virt_exec_qemu',`

+ -	gen_require(`

+ -		type qemu_exec_t;

+ -	')

+ -

+ -	can_exec($1, qemu_exec_t)

+ -')

+ -

+  ########################################

+  ## <summary>

+  ##	Transition to virt named content

+ diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te

+ index 75b3558e6..da4322fe3 100644

+ --- a/policy/modules/contrib/virt.te

+ +++ b/policy/modules/contrib/virt.te

+ @@ -194,8 +194,6 @@ typealias svirt_t alias qemu_t;

+  virt_domain_template(svirt_tcg)

+  role system_r types svirt_tcg_t;

+  

+ -type qemu_exec_t, virt_file_type;

+ -

+  type virt_cache_t alias svirt_cache_t, virt_file_type;

+  files_type(virt_cache_t)

+  

+ @@ -372,6 +370,10 @@ allow svirt_t self:process ptrace;

+  # it was a part of auth_use_nsswitch

+  allow svirt_t self:netlink_route_socket r_netlink_socket_perms;

+  

+ +allow svirt_t virtlogd_t:fifo_file write;

+ +

+ +allow svirt_t virtqemud_var_run_t:file write;

+ +

+  read_files_pattern(svirt_t, virtqemud_t, virtqemud_t)

+  

+  corenet_udp_sendrecv_generic_if(svirt_t)

+ @@ -451,9 +453,6 @@ allow virt_domain virtd_t:unix_stream_socket { accept getattr getopt read write

+  allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };

+  allow virt_domain virtd_t:tun_socket attach_queue;

+  

+ -can_exec(virtd_t, qemu_exec_t)

+ -can_exec(virt_domain, qemu_exec_t)

+ -

+  allow virtd_t qemu_var_run_t:file relabel_file_perms;

+  manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)

+  relabelfrom_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)

+ @@ -833,6 +832,8 @@ can_exec(virtlogd_t, virtlogd_exec_t)

+  

+  kernel_read_network_state(virtlogd_t)

+  

+ +mls_fd_share_all_levels(virtlogd_t)

+ +

+  allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;

+  

+  # Allow virtlogd_t to execute itself.

+ @@ -1122,6 +1123,10 @@ optional_policy(`

+  	pulseaudio_dontaudit_exec(virt_domain)

+  ')

+  

+ +optional_policy(`

+ +	qemu_exec(virt_domain)

+ +')

+ +

+  optional_policy(`

+  	sssd_dontaudit_stream_connect(virt_domain)

+  	sssd_dontaudit_read_lib(virt_domain)

+ @@ -1761,6 +1766,9 @@ allow virtnodedevd_t self:netlink_generic_socket create_socket_perms;

+  

+  kernel_request_load_module(virtnodedevd_t)

+  

+ +corecmd_exec_bin(virtnodedevd_t)

+ +corecmd_exec_shell(virtnodedevd_t)

+ +

+  dev_rw_mtrr(virtnodedevd_t)

+  

+  miscfiles_read_hwdata(virtnodedevd_t)

+ @@ -1774,6 +1782,7 @@ optional_policy(`

+  # virtnwfilterd local policy

+  #

+  allow virtnwfilterd_t self:capability net_raw;

+ +allow virtnwfilterd_t self:netlink_generic_socket create_socket_perms;

+  allow virtnwfilterd_t self:netlink_netfilter_socket create_socket_perms;

+  allow virtnwfilterd_t self:netlink_rdma_socket create_socket_perms;

+  allow virtnwfilterd_t self:packet_socket { bind create getopt ioctl map setopt };

+ @@ -1823,9 +1832,9 @@ allow virtqemud_t self:netlink_audit_socket nlmsg_relay;

+  allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate };

+  allow virtqemud_t self:tcp_socket create_socket_perms;

+  allow virtqemud_t self:tun_socket create;

+ -allow virtqemud_t self:udp_socket { create getattr };

+ +allow virtqemud_t self:udp_socket { create connect getattr };

+  

+ -allow virtqemud_t svirt_t:process { setsched signal signull transition };

+ +allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };

+  allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };

+  allow virtqemud_t svirt_socket_t:unix_stream_socket connectto;

+  

+ @@ -1850,6 +1859,7 @@ manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)

+  manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)

+  

+  manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t)

+ +manage_fifo_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)

+  manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)

+  manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)

+  read_files_pattern(virtqemud_t, svirt_t, svirt_t)

+ @@ -1888,6 +1898,7 @@ dev_rw_vhost(virtqemud_t)

+  files_mounton_non_security(virtqemud_t)

+  files_read_all_symlinks(virtqemud_t)

+  

+ +fs_getattr_cgroup(virtqemud_t)

+  fs_getattr_hugetlbfs(virtqemud_t)

+  fs_manage_hugetlbfs_dirs(virtqemud_t)

+  fs_manage_cgroup_dirs(virtqemud_t)

+ @@ -1936,7 +1947,7 @@ allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock };

+  

+  files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir })

+  

+ -manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)

+ +manage_dirs_pattern(virtstoraged_t, virt_content_t, virt_content_t)

+  

+  manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t)

+  

+ @@ -1945,6 +1956,8 @@ manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t)

+  manage_dirs_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)

+  manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)

+  

+ +manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)

+ +

+  corecmd_exec_bin(virtstoraged_t)

+  

+  fs_getattr_all_fs(virtstoraged_t)

+ diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc

+ index 76df96204..11b5723c1 100644

+ --- a/policy/modules/contrib/virt_supplementary.fc

+ +++ b/policy/modules/contrib/virt_supplementary.fc

+ @@ -9,6 +9,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv

+  /etc/xen/.*/.*					gen_context(system_u:object_r:virt_etc_rw_t,s0)

+  

+  /usr/bin/qemu-pr-helper			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/bin/qemu-storage-daemon		--	gen_context(system_u:object_r:virtd_exec_t,s0)

+  /usr/bin/virt-who			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+  

+  /usr/lib/systemd/system/.*xen.*\.service	--	gen_context(system_u:object_r:virtd_unit_file_t,s0)

+ @@ -22,6 +23,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv

+  /usr/sbin/xm				--	gen_context(system_u:object_r:virsh_exec_t,s0)

+  

+  /var/lock/xl				--	gen_context(system_u:object_r:virt_log_t,s0)

+ +/var/log/log(/.*)?                              gen_context(system_u:object_r:virt_log_t,s0)

+  /var/log/vdsm(/.*)?				gen_context(system_u:object_r:virt_log_t,s0)

+  

+  /var/run/libvirt-sandbox(/.*)?			gen_context(system_u:object_r:virt_lxc_var_run_t,s0)

+ @@ -51,6 +53,10 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv

+  

+  # support for nova-stack

+  /usr/bin/nova-compute			--	gen_context(system_u:object_r:virtd_exec_t,s0)

+ +/usr/bin/qemu                           --      gen_context(system_u:object_r:qemu_exec_t,s0)

+ +/usr/bin/qemu-system-.*                 --      gen_context(system_u:object_r:qemu_exec_t,s0)

+ +/usr/bin/qemu-kvm                       --      gen_context(system_u:object_r:qemu_exec_t,s0)

+ +/usr/libexec/qemu.*                     --      gen_context(system_u:object_r:qemu_exec_t,s0)

+  

+  # support for QEMU-GA

+  /etc/qemu-ga/fsfreeze-hook\.d(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)

+ diff --git a/policy/modules/contrib/virt_supplementary.if b/policy/modules/contrib/virt_supplementary.if

+ index 7db1e5a8a..f28bca97c 100644

+ --- a/policy/modules/contrib/virt_supplementary.if

+ +++ b/policy/modules/contrib/virt_supplementary.if

+ @@ -15,3 +15,21 @@ interface(`virt_domtrans_bridgehelper',`

+  

+  	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)

+  ')

+ +

+ +########################################

+ +## <summary>

+ +##      Execute a qemu_exec_t in the callers domain

+ +## </summary>

+ +## <param name="domain">

+ +## <summary>

+ +##      Domain allowed access.

+ +## </summary>

+ +## </param>

+ +#

+ +interface(`virt_exec_qemu',`

+ +        gen_require(`

+ +                type qemu_exec_t;

+ +        ')

+ +

+ +        can_exec($1, qemu_exec_t)

+ +')

+ diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te

+ index 2f18cf363..09344c947 100644

+ --- a/policy/modules/contrib/virt_supplementary.te

+ +++ b/policy/modules/contrib/virt_supplementary.te

+ @@ -30,6 +30,8 @@ gen_require(`

+      class passwd passwd;

+  ')

+  

+ +type qemu_exec_t;

+ +

+  type virt_qmf_t;

+  type virt_qmf_exec_t;

+  init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)

+ -- 

+ 2.30.2

+ 
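Review bot: `allow svirt_t virtqemud_var_run_t:file write;` in the virt.te hunk lets every confined guest process open any file labelled virtqemud_var_run_t for writing, which is a grant from the guest domain into the driver's own runtime state; if the AVC came from a descriptor that virtqemud hands to qemu, `allow svirt_t virtqemud_t:fd use;` together with `allow svirt_t virtqemud_var_run_t:file rw_inherited_file_perms;` covers it without allowing open. The commit message only says these rules fix MLS AVCs, so a why-comment above each new svirt_t rule naming the file or operation that needed it would help the next reviewer judge the scope. The same applies to the seven `mls_*_to_clearance` / `mls_fd_share_all_levels` overrides that virt_driver_template now hands to every driver domain, and to `corecmd_exec_bin` / `corecmd_exec_shell` for virtnodedevd_t, which are MLS and exec grants that deserve a one-line justification. The `/var/log/log(/.*)?` entry moved into virt_supplementary.fc looks like a typo for a real log directory; worth confirming before it keeps relabelling that path as virt_log_t.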

@@ -0,0 +1,52 @@ 

+ From 585ec0b5f83980170b21e537ab686cb3dd21a7c2 Mon Sep 17 00:00:00 2001

+ From: Nikola Knazekova <nknazeko@redhat.com>

+ Date: Tue, 1 Feb 2022 10:28:36 +0100

+ Subject: [PATCH] Update policy for libvirt drivers

+ 

+ Allow libvirt log management daemon to search VM images dir.

+ Allow libvirt storage pool management daemon to manage VM images dir.

+ Allow virt drivers to create virt common files.

+ ---

+  policy/modules/contrib/virt.if | 5 +++++

+  policy/modules/contrib/virt.te | 2 ++

+  2 files changed, 7 insertions(+)

+ 

+ diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if

+ index 1055f2a3d..5cd61579e 100644

+ --- a/policy/modules/contrib/virt.if

+ +++ b/policy/modules/contrib/virt.if

+ @@ -154,6 +154,11 @@ template(`virt_driver_template',`

+  	allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms;

+  	allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;

+  

+ +	allow $1_t virt_common_var_run_t:file append_file_perms;

+ +	manage_dirs_pattern($1_t, virt_common_var_run_t, virt_common_var_run_t)

+ +	manage_files_pattern($1_t, virt_common_var_run_t, virt_common_var_run_t)

+ +	filetrans_pattern($1_t, $1_var_run_t, virt_common_var_run_t, dir, "common")

+ +

+  	manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t)

+  	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)

+  	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)

+ diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te

+ index da4322fe3..8a4cdba33 100644

+ --- a/policy/modules/contrib/virt.te

+ +++ b/policy/modules/contrib/virt.te

+ @@ -794,6 +794,7 @@ optional_policy(`

+  #

+  # virtlogd local policy

+  #

+ +allow virtlogd_t virt_image_t:dir search_dir_perms;

+  

+  # virtlogd is allowed to manage files it creates in /var/run/libvirt

+  manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)

+ @@ -1949,6 +1950,7 @@ files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir })

+  

+  manage_dirs_pattern(virtstoraged_t, virt_content_t, virt_content_t)

+  

+ +manage_dirs_pattern(virtstoraged_t, virt_image_t, virt_image_t)

+  manage_files_pattern(virtstoraged_t, virt_image_t, virt_image_t)

+  

+  manage_files_pattern(virtstoraged_t, svirt_image_t, svirt_image_t)

+ -- 

+ 2.30.2

+ 
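Review bot: `allow $1_t virt_common_var_run_t:file append_file_perms;` in virt_driver_template is redundant with the `manage_files_pattern($1_t, virt_common_var_run_t, virt_common_var_run_t)` directly below it, since manage_file_perms already includes append; drop the first line. `allow virtlogd_t virt_image_t:dir search_dir_perms;` gives the log daemon search on VM image directories, which the commit message states but does not explain; a comment such as `# virtlogd: log files may be configured to live next to the domain's images` (or whatever the actual reason is) should accompany it, since it is the only virt_image_t access virtlogd_t has in this hunk.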

@@ -0,0 +1,140 @@ 

+ From 21b48282e9ddd1e915e76e35b4ccdb89b9095b70 Mon Sep 17 00:00:00 2001

+ From: Nikola Knazekova <nknazeko@redhat.com>

+ Date: Wed, 23 Feb 2022 00:56:42 +0100

+ Subject: [PATCH] Update policy for libvirt

+ 

+ Allow svirt to connect virtlogd socket.

+ Add net_admin capability to virtqemud, virtnetworkd and virtnodedevd.

+ Allow virtnetworkd to create dnsmasq_var_run_t dir.

+ Allow virtnetworkd to dbus chat with firewalld.

+ 

+ Allow virtqemud, virtnodedevd and virtstoraged to set priority of process.

+ Allow virtqemud to rw netlink_audit_socket.

+ Allow virtqemud to dbus chat with policykit and systemd machined

+ Allow virtqemud to delete /dev/urandom char file

+ Allow virtqemud to rw lvm_control

+ ---

+  policy/modules/contrib/virt.if |  3 ++-

+  policy/modules/contrib/virt.te | 26 +++++++++++++++++++++-----

+  2 files changed, 23 insertions(+), 6 deletions(-)

+ 

+ diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if

+ index 5cd61579e..12bdc698e 100644

+ --- a/policy/modules/contrib/virt.if

+ +++ b/policy/modules/contrib/virt.if

+ @@ -157,7 +157,8 @@ template(`virt_driver_template',`

+  	allow $1_t virt_common_var_run_t:file append_file_perms;

+  	manage_dirs_pattern($1_t, virt_common_var_run_t, virt_common_var_run_t)

+  	manage_files_pattern($1_t, virt_common_var_run_t, virt_common_var_run_t)

+ -	filetrans_pattern($1_t, $1_var_run_t, virt_common_var_run_t, dir, "common")

+ +	filetrans_pattern($1_t, virt_driver_var_run, virt_common_var_run_t, dir, "common")

+ +	filetrans_pattern($1_t, virt_var_run_t, virt_common_var_run_t, dir, "common")

+  

+  	manage_dirs_pattern($1_t, virt_var_run_t, virt_var_run_t)

+  	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)

+ diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te

+ index 8a4cdba33..954098c8e 100644

+ --- a/policy/modules/contrib/virt.te

+ +++ b/policy/modules/contrib/virt.te

+ @@ -371,6 +371,7 @@ allow svirt_t self:process ptrace;

+  allow svirt_t self:netlink_route_socket r_netlink_socket_perms;

+  

+  allow svirt_t virtlogd_t:fifo_file write;

+ +allow svirt_t virtlogd_t:unix_stream_socket connectto;

+  

+  allow svirt_t virtqemud_var_run_t:file write;

+  

+ @@ -1725,7 +1726,7 @@ userdom_read_all_users_state(virtinterfaced_t)

+  #

+  # virtnetworkd local policy

+  #

+ -allow virtnetworkd_t self:capability { kill sys_ptrace };

+ +allow virtnetworkd_t self:capability { kill net_admin sys_ptrace };

+  allow virtnetworkd_t self:netlink_netfilter_socket create_socket_perms;

+  allow virtnetworkd_t self:process setcap;

+  allow virtnetworkd_t self:tun_socket { create relabelfrom relabelto };

+ @@ -1746,6 +1747,7 @@ dev_rw_sysfs(virtnetworkd_t)

+  sysnet_read_config(virtnetworkd_t)

+  

+  optional_policy(`

+ +	dnsmasq_create_pid_dirs(virtnetworkd_t)

+  	dnsmasq_domtrans(virtnetworkd_t)

+  	dnsmasq_manage_pid_files(virtnetworkd_t)

+  	dnsmasq_read_state(virtnetworkd_t)

+ @@ -1758,12 +1760,17 @@ optional_policy(`

+  	iptables_read_var_run(virtnetworkd_t)

+  ')

+  

+ +optional_policy(`

+ +        firewalld_dbus_chat(virtnetworkd_t)

+ +')

+ +

+  #######################################

+  #

+  # virtnodedevd local policy

+  #

+ -allow virtnodedevd_t self:capability sys_admin;

+ +allow virtnodedevd_t self:capability { net_admin sys_admin };

+  allow virtnodedevd_t self:netlink_generic_socket create_socket_perms;

+ +allow virtnodedevd_t self:process { setsched };

+  

+  kernel_request_load_module(virtnodedevd_t)

+  

+ @@ -1828,9 +1835,9 @@ userdom_read_all_users_state(virtproxyd_t)

+  # virtqemud local policy

+  #

+  allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run };

+ -allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio };

+ -allow virtqemud_t self:netlink_audit_socket nlmsg_relay;

+ -allow virtqemud_t self:process { setcap setexec setrlimit setsockcreate };

+ +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio };

+ +allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };

+ +allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };

+  allow virtqemud_t self:tcp_socket create_socket_perms;

+  allow virtqemud_t self:tun_socket create;

+  allow virtqemud_t self:udp_socket { create connect getattr };

+ @@ -1889,11 +1896,13 @@ corenet_rw_tun_tap_dev(virtqemud_t)

+  corenet_tcp_bind_generic_node(virtqemud_t)

+  corenet_tcp_bind_vnc_port(virtqemud_t)

+  

+ +dev_delete_urand(virtqemud_t)

+  dev_read_cpuid(virtqemud_t)

+  dev_read_sysfs(virtqemud_t)

+  dev_read_urand(virtqemud_t)

+  dev_relabel_all_dev_nodes(virtqemud_t)

+  dev_rw_kvm(virtqemud_t)

+ +dev_rw_lvm_control(virtqemud_t)

+  dev_rw_vhost(virtqemud_t)

+  

+  files_mounton_non_security(virtqemud_t)

+ @@ -1901,6 +1910,7 @@ files_read_all_symlinks(virtqemud_t)

+  

+  fs_getattr_cgroup(virtqemud_t)

+  fs_getattr_hugetlbfs(virtqemud_t)

+ +fs_delete_tmpfs_files(virtqemud_t)

+  fs_manage_hugetlbfs_dirs(virtqemud_t)

+  fs_manage_cgroup_dirs(virtqemud_t)

+  fs_manage_cgroup_files(virtqemud_t)

+ @@ -1937,6 +1947,11 @@ optional_policy(`

+  ')

+  

+  optional_policy(`

+ +	policykit_dbus_chat(virtqemud_t)

+ +')

+ +

+ +optional_policy(`

+ +	systemd_dbus_chat_machined(virtqemud_t)

+  	systemd_userdbd_stream_connect(virtqemud_t)

+  ')

+  

+ @@ -1945,6 +1960,7 @@ optional_policy(`

+  # virtstoraged local policy

+  #

+  allow virtstoraged_t self:capability { dac_override dac_read_search ipc_lock };

+ +allow virtstoraged_t self:process { setsched };

+  

+  files_tmp_filetrans(virtstoraged_t, virtstoraged_tmp_t, { file dir })

+  

+ -- 

+ 2.30.2

+ 
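Review bot: The `net_admin` capability is added to virtqemud_t, virtnetworkd_t and virtnodedevd_t with no comment on which operation needs it; since CAP_NET_ADMIN lets a domain reconfigure host interfaces, routes and netfilter state, each of the three `self:capability { ... net_admin ... }` lines should carry a why-comment (e.g. `# net_admin: <operation>`), and the commit message should say whether the AVC was observed for each daemon or only one. `dev_delete_urand(virtqemud_t)` grants unlink on the urandom device node; presumably this is for the device nodes libvirt creates in a VM's private /dev, but that should be confirmed and written above the call. Two style nits: the `firewalld_dbus_chat(virtnetworkd_t)` line is indented with spaces where virt.te uses tabs, and `allow virtnodedevd_t self:process { setsched };` / `allow virtstoraged_t self:process { setsched };` brace a single permission — write `allow virtnodedevd_t self:process setsched;`.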

@@ -0,0 +1,42 @@ 

+ From a0f16c4d90f1ce40b42b815411f787581e8bf4b1 Mon Sep 17 00:00:00 2001

+ From: Nikola Knazekova <nknazeko@redhat.com>

+ Date: Wed, 16 Mar 2022 01:35:27 +0100

+ Subject: [PATCH] Add macro dev_delete_urand

+ 

+ Allow a domain to unlink (delete) the urandom character device node (urandom_device_t:chr_file).

+ ---

+  policy/modules/kernel/devices.if | 18 ++++++++++++++++++

+  1 file changed, 18 insertions(+)

+ 

+ diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if

+ index 79c71e1fa..5b536bc81 100644

+ --- a/policy/modules/kernel/devices.if

+ +++ b/policy/modules/kernel/devices.if

+ @@ -5334,6 +5334,24 @@ interface(`dev_dontaudit_write_urand',`

+  	dontaudit $1 urandom_device_t:chr_file write;

+  ')

+  

+ +########################################

+ +## <summary>

+ +##      Delete files in the dev/urandom directory.

+ +## </summary>

+ +## <param name="domain">

+ +##      <summary>

+ +##      Domain allowed access.

+ +##      </summary>

+ +## </param>

+ +#

+ +interface(`dev_delete_urand',`

+ +        gen_require(`

+ +                type urandom_device_t;

+ +        ')

+ +

+ +        allow $1 urandom_device_t:chr_file unlink;

+ +')

+ +

+  ########################################

+  ## <summary>

+  ##	Getattr generic the USB devices.

+ -- 

+ 2.30.2

+ 
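Review bot: The summary of `dev_delete_urand` says "Delete files in the dev/urandom directory", but /dev/urandom is a character device node and the rule granted is `allow $1 urandom_device_t:chr_file unlink;`, so the summary should read `##	Delete (unlink) the urandom character device node.`. The new interface is indented with spaces while the surrounding devices.if uses tabs (compare the existing `dontaudit $1 urandom_device_t:chr_file write;` line); reindent with tabs to match. Unlinking a device node is unusual enough that a one-line note on the intended caller (a domain that manages a private /dev, which is how virtqemud_t uses it later in this series) would help future readers decide whether the interface is appropriate for them.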

@@ -0,0 +1,35 @@ 

+ From c5262c7a5ba90d8972ba9997f44c20d8492f2424 Mon Sep 17 00:00:00 2001

+ From: Vit Mojzis <vmojzis@redhat.com>

+ Date: Mon, 21 Mar 2022 18:10:46 +0100

+ Subject: [PATCH] Enable virt_supplementary module

+ 

+ ---

+  policy/modules.conf | 9 ++++++++-

+  1 file changed, 8 insertions(+), 1 deletion(-)

+ 

+ diff --git a/policy/modules.conf b/policy/modules.conf

+ index f221d1906..c49b54197 100644

+ --- a/policy/modules.conf

+ +++ b/policy/modules.conf

+ @@ -2512,10 +2512,17 @@ vhostmd = module

+  # Layer: services

+  # Module: virt

+  #

+ -# Virtualization libraries

+ +# libvirt - a toolkit to manage virtualization platforms

+  # 

+  virt = module

+  

+ +# Layer: services

+ +# Module: virt_supplementary

+ +#

+ +# non-libvirt virtualization libraries

+ +#

+ +virt_supplementary = module

+ +

+  # Layer: apps

+  # Module: vhostmd

+  #

+ -- 

+ 2.30.2

+ 

@@ -0,0 +1,277 @@ 

+ From bd3ddbe970be466a8fcaef5460ab0b701948c194 Mon Sep 17 00:00:00 2001

+ From: Vit Mojzis <vmojzis@redhat.com>

+ Date: Tue, 22 Mar 2022 17:06:32 +0100

+ Subject: [PATCH] Virt: Fix issues reported by selint

+ 

+ virt.te:  807: (C): Permissions in av rule not ordered (read_lnk_file_perms before ioctl) (C-005)

+ virt.te: 1843: (C): Permissions in av rule not ordered (create before connect) (C-005)

+ virt.te: 2038: (C): Permissions in av rule not ordered (setuid before setgid) (C-005)

+ virt.if:   51: (C): No comment before interface definition for virt_stub_svirt_sandbox_file (C-004)

+ virt.if:   82: (W): Attribute virt_image_type is listed in require block but not used in interface (W-003)

+ virt.if:   83: (W): Attribute virt_tmpfs_type is listed in require block but not used in interface (W-003)

+ virt.if:  100: (W): Type qemu_exec_t is used in interface but not required (W-002)

+ virt.if:  151: (W): Type virt_common_var_run_t is used in interface but not required (W-002)

+ virt.if:  152: (W): Type virt_common_var_run_t is used in interface but not required (W-002)

+ virt.if:  153: (W): Type virt_common_var_run_t is used in interface but not required (W-002)

+ virt.if:  154: (W): Type virt_common_var_run_t is used in interface but not required (W-002)

+ virt.if:  155: (W): Type virt_common_var_run_t is used in interface but not required (W-002)

+ virt.if:  876: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)

+ virt.if:  971: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)

+ virt.if:  996: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)

+ virt.if: 1246: (W): Definition of declared type virt_bridgehelper_t not found in own module, but in module virt_supplementary (W-011)

+ virt.if: 1717: (S): Permission macro rw_file_perms does not match class chr_file (S-009)

+ virt_supplementary.te:283: (S): Permission macro read_file_perms does not match class dir (S-009)

+ 

+ Also, replace spaces in virt_prog_run_bpf interface with tabs and remove

+ some trailing whitespaces.

+ 

+ Signed-off-by: Vit Mojzis <vmojzis@redhat.com>

+ ---

+  policy/modules/contrib/virt.if               | 52 +++++++++++---------

+  policy/modules/contrib/virt.te               |  8 +--

+  policy/modules/contrib/virt_supplementary.if | 19 +++++++

+  policy/modules/contrib/virt_supplementary.te |  5 +-

+  4 files changed, 54 insertions(+), 30 deletions(-)

+ 

+ diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if

+ index 12bdc698e..cbff92e4d 100644

+ --- a/policy/modules/contrib/virt.if

+ +++ b/policy/modules/contrib/virt.if

+ @@ -48,6 +48,17 @@ interface(`virt_stub_container_image',`

+  	')

+  ')

+  

+ +########################################

+ +## <summary>

+ +##	container_file_t and container_ro_file_t stub interface.

+ +##	No access allowed.

+ +## </summary>

+ +## <param name="domain" unused="true">

+ +##	<summary>

+ +##	Domain allowed access.

+ +##	</summary>

+ +## </param>

+ +#

+  interface(`virt_stub_svirt_sandbox_file',`

+  	gen_require(`

+  		type container_file_t;

+ @@ -68,8 +79,7 @@ interface(`virt_stub_svirt_sandbox_file',`

+  #

+  template(`virt_domain_template',`

+  	gen_require(`

+ -		attribute virt_image_type, virt_domain;

+ -		attribute virt_tmpfs_type;

+ +		attribute virt_domain;

+  		attribute virt_ptynode;

+  		type virtlogd_t;

+  	')

+ @@ -97,14 +107,8 @@ template(`virt_domain_template',`

+  	allow $1_t virtlogd_t:fd use;

+  	allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;

+  

+ -	optional_policy(`

+ -		gen_require(`

+ -			type qemu_exec_t;

+ -		')

+ +	qemu_entry_type($1_t)

+  

+ -		application_executable_file(qemu_exec_t)

+ -		domain_entry_file($1_t, qemu_exec_t)

+ -	')

+  ')

+  

+  ######################################

+ @@ -125,6 +129,7 @@ template(`virt_driver_template',`

+  		attribute virt_driver_var_run;

+  		type virtd_t;

+  		type virtqemud_t;

+ +		type virt_common_var_run_t;

+  		type virt_etc_t;

+  		type virt_etc_rw_t;

+  		type virt_var_run_t;

+ @@ -298,20 +303,20 @@ interface(`virt_exec',`

+  

+  ########################################

+  ## <summary>

+ -##      Allow caller domain to run bpftool.

+ +##	Allow caller domain to run bpftool.

+  ## </summary>

+  ## <param name="domain">

+ -##      <summary>

+ -##      Domain allowed access.

+ -##      </summary>

+ +##	<summary>

+ +##	Domain allowed access.

+ +##	</summary>

+  ## </param>

+  #

+  interface(`virt_prog_run_bpf',`

+ -        gen_require(`

+ -                type virtd_t;

+ -        ')

+ +	gen_require(`

+ +		type virtd_t;

+ +	')

+  

+ -    allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };

+ +	allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };

+  ')

+  

+  

+ @@ -867,7 +872,6 @@ interface(`virt_search_images',`

+  #

+  interface(`virt_read_images',`

+  	gen_require(`

+ -		type virt_var_lib_t;

+  		attribute virt_image_type;

+  	')

+  

+ @@ -962,7 +966,6 @@ interface(`virt_manage_cache',`

+  #

+  interface(`virt_manage_images',`

+  	gen_require(`

+ -		type virt_var_lib_t;

+  		attribute virt_image_type;

+  	')

+  

+ @@ -987,7 +990,6 @@ interface(`virt_manage_images',`

+  #

+  interface(`virt_manage_default_image_type',`

+  	gen_require(`

+ -		type virt_var_lib_t;

+  		type virt_image_t;

+  	')

+  

+ @@ -1249,15 +1251,16 @@ interface(`virt_stream_connect_sandbox',`

+  interface(`virt_transition_svirt',`

+  	gen_require(`

+  		attribute virt_domain;

+ -		type virt_bridgehelper_t;

+  		type svirt_image_t;

+  		type svirt_socket_t;

+  	')

+  

+  	allow $1 virt_domain:process transition;

+  	role $2 types virt_domain;

+ -	role $2 types virt_bridgehelper_t;

+  	role $2 types svirt_socket_t;

+ +	optional_policy(`

+ +		virt_bridgehelper_role($2)

+ +	')

+  

+  	allow $1 virt_domain:process { sigkill signal signull sigstop };

+  	allow $1 svirt_image_t:file { relabelfrom relabelto };

+ @@ -1529,7 +1532,7 @@ interface(`virt_file_types',`

+  

+  ########################################

+  ## <summary>

+ -##	Make the specified type usable as a svirt file type 

+ +##	Make the specified type usable as a svirt file type

+  ## </summary>

+  ## <param name="type">

+  ##	<summary>

+ @@ -1720,9 +1723,10 @@ interface(`virt_rw_svirt_dev',`

+  		type svirt_image_t;

+  	')

+  

+ -	allow $1 svirt_image_t:chr_file rw_file_perms;

+ +	allow $1 svirt_image_t:chr_file rw_chr_file_perms;

+  ')

+  

+ +

+  ########################################

+  ## <summary>

+  ##	Read and write to svirt_image files.

+ diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te

+ index 954098c8e..1ffc2faca 100644

+ --- a/policy/modules/contrib/virt.te

+ +++ b/policy/modules/contrib/virt.te

+ @@ -128,7 +128,7 @@ gen_tunable(virt_sandbox_use_netlink, false)

+  # The following three tunables are not used anywhere in selinux-policy,

+  # but they are referred to from container-selinux

+  # virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps

+ - 

+ +

+  ## <desc>

+  ## <p>

+  ## Allow sandbox containers to use sys_admin system calls, for example mount

+ @@ -804,7 +804,7 @@ manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)

+  allow virtlogd_t virtlogd_etc_t:file read_file_perms;

+  files_search_etc(virtlogd_t)

+  allow virtlogd_t virt_etc_t:file read_file_perms;

+ -allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock };

+ +allow virtlogd_t virt_etc_t:lnk_file { ioctl lock read_lnk_file_perms };

+  allow virtlogd_t virt_etc_t:dir search;

+  

+  manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)

+ @@ -1840,7 +1840,7 @@ allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };

+  allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };

+  allow virtqemud_t self:tcp_socket create_socket_perms;

+  allow virtqemud_t self:tun_socket create;

+ -allow virtqemud_t self:udp_socket { create connect getattr };

+ +allow virtqemud_t self:udp_socket { connect create getattr };

+  

+  allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };

+  allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };

+ @@ -2035,7 +2035,7 @@ tunable_policy(`virt_transition_userdomain',`

+  virt_sandbox_domain_template(svirt_kvm_net)

+  typeattribute svirt_kvm_net_t sandbox_net_domain;

+  

+ -allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search  fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };

+ +allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource };

+  dontaudit svirt_kvm_net_t self:capability2 block_suspend;

+  

+  tunable_policy(`virt_sandbox_use_netlink',`

+ diff --git a/policy/modules/contrib/virt_supplementary.if b/policy/modules/contrib/virt_supplementary.if

+ index f28bca97c..a95c2fc65 100644

+ --- a/policy/modules/contrib/virt_supplementary.if

+ +++ b/policy/modules/contrib/virt_supplementary.if

+ @@ -33,3 +33,22 @@ interface(`virt_exec_qemu',`

+  

+          can_exec($1, qemu_exec_t)

+  ')

+ +

+ +

+ +########################################

+ +## <summary>

+ +##      Role access for virt_bridgehelper

+ +## </summary>

+ +## <param name="role">

+ +##      <summary>

+ +##      Role allowed access

+ +##      </summary>

+ +## </param>

+ +#

+ +interface(`virt_bridgehelper_role',`

+ +        gen_require(`

+ +                type virt_bridgehelper_t;

+ +        ')

+ +

+ +        role $1 types virt_bridgehelper_t;

+ +')

+ diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te

+ index 09344c947..b990063fc 100644

+ --- a/policy/modules/contrib/virt_supplementary.te

+ +++ b/policy/modules/contrib/virt_supplementary.te

+ @@ -31,6 +31,7 @@ gen_require(`

+  ')

+  

+  type qemu_exec_t;

+ +application_executable_file(qemu_exec_t)

+  

+  type virt_qmf_t;

+  type virt_qmf_exec_t;

+ @@ -278,8 +279,8 @@ optional_policy(`

+  

+  	domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)

+  

+ -	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;

+ -	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;

+ +	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;

+ +

+  	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;

+  

+  	init_domtrans_script(virt_qemu_ga_unconfined_t)

+ -- 

+ 2.30.2

+ 
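Review bot: Replacing the `optional_policy(...)` block in virt_domain_template with a bare `qemu_entry_type($1_t)` turns what was an optional reference to qemu_exec_t into a hard requirement on whichever module declares that type (virt_supplementary.te in this series), so the virt module will fail to link whenever that module is disabled; the same hunk keeps `virt_bridgehelper_role($2)` inside `optional_policy`, and `qemu_entry_type($1_t)` should be wrapped the same way. The commit converts spaces to tabs in virt_prog_run_bpf, but the new `virt_bridgehelper_role` interface (and the `virt_exec_qemu` context above it) in virt_supplementary.if is still space-indented; use tabs so selint stays quiet on the same rule. If qemu_exec_t is also declared by a separate qemu module, the `type qemu_exec_t;` in virt_supplementary.te would be a duplicate declaration — worth confirming, since `qemu_entry_type` and `qemu_exec` (used in the 0003 patch) read like interfaces of that module.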

file modified
+8 -1
@@ -1471,10 +1471,17 @@ 

  # Layer: services

  # Module: virt

  #

- # Virtualization libraries

+ # libvirt - a toolkit to manage virtualization platforms

  # 

  virt = module

  

+ # Layer: services

+ # Module: virt_supplementary

+ #

+ # non-libvirt virtualization libraries

+ #

+ virt_supplementary = module

+ 

  # Layer: apps

  # Module: vmware

  #

@@ -2118,10 +2118,17 @@ 

  # Layer: services

  # Module: virt

  #

- # Virtualization libraries

+ # libvirt - a toolkit to manage virtualization platforms

  # 

  virt = module

  

+ # Layer: services

+ # Module: virt_supplementary

+ #

+ # non-libvirt virtualization libraries

+ #

+ virt_supplementary = module

+ 

  # Layer: apps

  # Module: vhostmd

  #
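Review bot: The new description `# non-libvirt virtualization libraries` says what the module excludes rather than what it contains, so a reader of this list cannot tell which domains were moved out of `virt`; the neighbouring `virt` entry was reworded in the same hunk precisely to name its subject. Naming the domains the patch set puts in the module would make the entry self-explanatory, e.g. `# Virtualization domains outside libvirt (qemu, qemu-ga, qmf, bridgehelper, svirt_kvm_net)`. The same wording is added again in the `@@ -2118` hunk, which appears to belong to a second modules conf file whose header is not rendered here (the section's +8 -1 count only covers one of the two hunks), so the comment should be updated in both.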

file modified
+18 -1
@@ -24,7 +24,7 @@ 

  Summary: SELinux policy configuration

  Name: selinux-policy

  Version: 36.5

- Release: 1%{?dist}

+ Release: 2%{?dist}

  License: GPLv2+

  Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz

  Source1: modules-targeted-base.conf
@@ -64,6 +64,15 @@ 

  # Provide rpm macros for packages installing SELinux modules

  Source102: rpm.macros

  

+ Patch0001: 0001-Split-virt-policy-introduce-virt_supplementary-modul.patch

+ Patch0002: 0002-Introduce-SELinux-policy-for-libvirt-drivers.patch

+ Patch0003: 0003-MLS-update-for-libvirt-selinux.patch

+ Patch0004: 0004-Update-policy-for-libvirt-drivers.patch

+ Patch0005: 0005-Update-policy-for-libvirt.patch

+ Patch0006: 0006-Add-macro-dev_delete_urand.patch

+ Patch0007: 0007-Enable-virt_supplementary-module.patch

+ Patch0008: 0008-Virt-Fix-issues-reported-by-selint.patch

+ 

  Url: %{giturl}

  BuildArch: noarch

  BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
@@ -411,6 +420,14 @@ 

  for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do

   cp $i selinux_config

  done

+ %patch1 -p1

+ %patch2 -p1

+ %patch3 -p1

+ %patch4 -p1

+ %patch5 -p1

+ %patch6 -p1

+ %patch7 -p1

+ %patch8 -p1

  

  %install

  # Build targeted policy
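Review bot: The eight `%patch1 -p1` … `%patch8 -p1` lines in the third hunk restate the `Patch0001`–`Patch0008` list by hand, so the two lists can drift apart whenever a patch is added, dropped or renumbered; `%autopatch -p1` applies every `PatchNNNN:` tag in numeric order and replaces all eight lines with one. Newer rpm releases also warn that the `%patchN` spelling is deprecated in favour of `%patch -P1` (or `%patch 1`), which the one-liner sidesteps as well. The hunk does not show which spec section these lines are in; if it is not `%prep`, an `rpmbuild -bp` tree will not contain the patched policy sources, which is worth confirming given that the patches change the modules that get compiled. The enclosing section starts outside the hunk.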


Unable to freeze job graph: Unable to modify final job <Job rpm-sti-test branches: {MatchAny:{BranchMatcher:rawhide},{BranchMatcher:main}} source: fedora-project-config/zuul.d/_jobs-base.yaml@master#3> attribute timeout=21600 with variant <Job rpm-sti-test branches: None source: fedora-zuul-jobs-config/zuul.d/projects.yaml@master#108>

rebased onto 9e1b2e70a716440f4d1bfce47045490fa46c9439

2 years ago

Unable to freeze job graph: Unable to modify final job <Job rpm-sti-test branches: {MatchAny:{BranchMatcher:rawhide},{BranchMatcher:main}} source: fedora-project-config/zuul.d/_jobs-base.yaml@master#3> attribute timeout=21600 with variant <Job rpm-sti-test branches: None source: fedora-zuul-jobs-config/zuul.d/projects.yaml@master#108>

rebased onto 8aecc6c87bae194cd69046996ea39471e27f1dc3

2 years ago

Unable to freeze job graph: Unable to modify final job <Job rpm-sti-test branches: {MatchAny:{BranchMatcher:rawhide},{BranchMatcher:main}} source: fedora-project-config/zuul.d/_jobs-base.yaml@master#3> attribute timeout=21600 with variant <Job rpm-sti-test branches: None source: fedora-zuul-jobs-config/zuul.d/projects.yaml@master#108>