* [refpolicy] [PATCH 0/4] Updates related to libvirt
@ 2012-04-11 18:30 Sven Vermeulen
  2012-04-11 18:34 ` [refpolicy] [PATCH 1/4] Adding default context rules for libvirt Sven Vermeulen
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Sven Vermeulen @ 2012-04-11 18:30 UTC (permalink / raw)
  To: refpolicy

This is a set of small patches related to libvirt support.

First, we add in some context description files.
Next, we allow virt to write out and execute its tmp files.
Third, we provide initrc/sysadm with the rights to execute virsh.
Finally, we allow qemu to execute itself (which seems to be needed when
using libvirt for qemu-based virtualization).

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/4] Adding default context rules for libvirt
  2012-04-11 18:30 [refpolicy] [PATCH 0/4] Updates related to libvirt Sven Vermeulen
@ 2012-04-11 18:34 ` Sven Vermeulen
  2012-04-23 14:40   ` Christopher J. PeBenito
  2012-04-11 18:35 ` [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them) Sven Vermeulen
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-04-11 18:34 UTC (permalink / raw)
  To: refpolicy

The libvirt infrastructure requires the availability of the context files.

In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 Makefile                                         |    2 +-
 config/appconfig-mcs/virtual_domain_context      |    1 +
 config/appconfig-mcs/virtual_image_context       |    2 ++
 config/appconfig-mls/virtual_domain_context      |    1 +
 config/appconfig-mls/virtual_image_context       |    2 ++
 config/appconfig-standard/virtual_domain_context |    1 +
 config/appconfig-standard/virtual_image_context  |    2 ++
 7 files changed, 10 insertions(+), 1 deletions(-)
 create mode 100644 config/appconfig-mcs/virtual_domain_context
 create mode 100644 config/appconfig-mcs/virtual_image_context
 create mode 100644 config/appconfig-mls/virtual_domain_context
 create mode 100644 config/appconfig-mls/virtual_image_context
 create mode 100644 config/appconfig-standard/virtual_domain_context
 create mode 100644 config/appconfig-standard/virtual_image_context

diff --git a/Makefile b/Makefile
index 5a43919..39a3d40 100644
--- a/Makefile
+++ b/Makefile
@@ -249,7 +249,7 @@ seusers := $(appconf)/seusers
 appdir := $(contextpath)
 user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
 user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
 net_contexts := $(builddir)net_contexts
 
 all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
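
Review bot: On the changed appfiles line, virtual_domain_context and virtual_image_context are added to a list that is assigned unconditionally, so they are installed whether or not the virt module is part of the policy being built. The files created later in this patch name svirt_t, svirt_image_t and virt_content_t; please confirm that installing them alongside a policy that lacks those types is harmless and say so in the commit message, or make the two entries depend on the module being built.
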
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 0000000..d387b42
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 0000000..8ab1e27
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
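
Review bot: In virtual_image_context the order of the two added lines carries meaning that the patch does not document: libvirt takes the first line (svirt_image_t) as the label for a guest's own images and the second (virt_content_t) as the label for read-only content. The commit message should state this, since swapping the lines would still install cleanly while labelling images with the wrong type. The same applies to the mls and standard copies of the file.
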
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 0000000..d387b42
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 0000000..8ab1e27
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
new file mode 100644
index 0000000..c049e10
--- /dev/null
+++ b/config/appconfig-standard/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t
diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
new file mode 100644
index 0000000..fca6046
--- /dev/null
+++ b/config/appconfig-standard/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t
+system_u:object_r:virt_content_t
-- 
1.7.3.4


* [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them)
  2012-04-11 18:30 [refpolicy] [PATCH 0/4] Updates related to libvirt Sven Vermeulen
  2012-04-11 18:34 ` [refpolicy] [PATCH 1/4] Adding default context rules for libvirt Sven Vermeulen
@ 2012-04-11 18:35 ` Sven Vermeulen
  2012-04-23 14:41   ` Christopher J. PeBenito
  2012-04-11 18:35 ` [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt Sven Vermeulen
  2012-04-11 18:36 ` [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu Sven Vermeulen
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-04-11 18:35 UTC (permalink / raw)
  To: refpolicy

During startup of guests, libvirt needs to create temporary files and execute them (part of setting up the necessary
environment of the guests).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 virt.te |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/virt.te b/virt.te
index 3eca020..a427c3f 100644
--- a/virt.te
+++ b/virt.te
@@ -74,6 +74,9 @@ userdom_user_home_content(virt_content_t)
 type virt_log_t;
 logging_log_file(virt_log_t)
 
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
 type virt_var_run_t;
 files_pid_file(virt_var_run_t)
 
@@ -207,6 +210,11 @@ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
 logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
+
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
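
Review bot: can_exec(virtd_t, virt_tmp_t), combined with the manage_files_pattern and files_tmp_filetrans lines just above it, means any file virtd_t writes into a tmp directory is also executable by virtd_t, in the virtd_t domain with no transition. The commit message only says the files are "part of setting up the necessary environment of the guests"; please name the files or the libvirt code path that executes them, include the AVC denial that prompted the rule, and put a one-line comment above can_exec saying why it is needed, so a later reader can tell whether the permission can be dropped.
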
-- 
1.7.3.4


* [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt
  2012-04-11 18:30 [refpolicy] [PATCH 0/4] Updates related to libvirt Sven Vermeulen
  2012-04-11 18:34 ` [refpolicy] [PATCH 1/4] Adding default context rules for libvirt Sven Vermeulen
  2012-04-11 18:35 ` [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them) Sven Vermeulen
@ 2012-04-11 18:35 ` Sven Vermeulen
  2012-04-23 14:41   ` Christopher J. PeBenito
  2012-04-11 18:36 ` [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu Sven Vermeulen
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-04-11 18:35 UTC (permalink / raw)
  To: refpolicy

When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/roles/sysadm.te |    4 ++++
 policy/modules/system/init.te  |    1 +
 2 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7d25414..e08c71f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -394,6 +394,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
 	vmware_role(sysadm_r, sysadm_t)
 ')
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b7fcbe3..79a306e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -822,6 +822,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	virt_stream_connect(initrc_t)
 	virt_manage_svirt_cache(initrc_t)
 ')
 
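
Review bot: virt_stream_connect(initrc_t) in the init.te hunk grants the connection to everything that runs as initrc_t, the domain shared by init scripts, while the commit message justifies it only for "init scripts managing the environment". Please name the init script that calls virsh in the commit message, and include the AVC denial, so the scope of the grant can be weighed against the one script that needs it.
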
-- 
1.7.3.4


* [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu
  2012-04-11 18:30 [refpolicy] [PATCH 0/4] Updates related to libvirt Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-04-11 18:35 ` [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt Sven Vermeulen
@ 2012-04-11 18:36 ` Sven Vermeulen
  2012-04-23 14:41   ` Christopher J. PeBenito
  3 siblings, 1 reply; 9+ messages in thread
From: Sven Vermeulen @ 2012-04-11 18:36 UTC (permalink / raw)
  To: refpolicy

When using libvirt as the virtualization framework, using qemu as the virtualization environment itself, launching guests
requires the qemu domain to have exec rights on its own binaries.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 qemu.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index 9cf9992..0bbccb5 100644
--- a/qemu.te
+++ b/qemu.te
@@ -50,6 +50,8 @@ role system_r types qemu_t;
 # qemu local policy
 #
 
+can_exec(qemu_t, qemu_exec_t)
+
 storage_raw_write_removable_device(qemu_t)
 storage_raw_read_removable_device(qemu_t)
 
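
Review bot: can_exec(qemu_t, qemu_exec_t) is added unconditionally at the top of the qemu local policy, while the commit message ties the need to libvirt and the cover letter says it only "seems to be needed". Patch 1/4 of this series sets the libvirt guest domain to svirt_t in virtual_domain_context, so please include the AVC denial showing that the source domain was qemu_t, and add a short comment above the rule saying when qemu re-executes itself.
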
-- 
1.7.3.4


* [refpolicy] [PATCH 1/4] Adding default context rules for libvirt
  2012-04-11 18:34 ` [refpolicy] [PATCH 1/4] Adding default context rules for libvirt Sven Vermeulen
@ 2012-04-23 14:40   ` Christopher J. PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 14:40 UTC (permalink / raw)
  To: refpolicy

On 04/11/12 14:34, Sven Vermeulen wrote:
> The libvirt infrastructure requires the availability of the context files.
> 
> In this patch, we add the defaults to the three predefined application
> contexts (mls/mcs/standard).

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  Makefile                                         |    2 +-
>  config/appconfig-mcs/virtual_domain_context      |    1 +
>  config/appconfig-mcs/virtual_image_context       |    2 ++
>  config/appconfig-mls/virtual_domain_context      |    1 +
>  config/appconfig-mls/virtual_image_context       |    2 ++
>  config/appconfig-standard/virtual_domain_context |    1 +
>  config/appconfig-standard/virtual_image_context  |    2 ++
>  7 files changed, 10 insertions(+), 1 deletions(-)
>  create mode 100644 config/appconfig-mcs/virtual_domain_context
>  create mode 100644 config/appconfig-mcs/virtual_image_context
>  create mode 100644 config/appconfig-mls/virtual_domain_context
>  create mode 100644 config/appconfig-mls/virtual_image_context
>  create mode 100644 config/appconfig-standard/virtual_domain_context
>  create mode 100644 config/appconfig-standard/virtual_image_context
> 
> diff --git a/Makefile b/Makefile
> index 5a43919..39a3d40 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -249,7 +249,7 @@ seusers := $(appconf)/seusers
>  appdir := $(contextpath)
>  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
>  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
> -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
> +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
>  net_contexts := $(builddir)net_contexts
>  
>  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
> diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
> new file mode 100644
> index 0000000..d387b42
> --- /dev/null
> +++ b/config/appconfig-mcs/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t:s0
> diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
> new file mode 100644
> index 0000000..8ab1e27
> --- /dev/null
> +++ b/config/appconfig-mcs/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t:s0
> +system_u:object_r:virt_content_t:s0
> diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
> new file mode 100644
> index 0000000..d387b42
> --- /dev/null
> +++ b/config/appconfig-mls/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t:s0
> diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
> new file mode 100644
> index 0000000..8ab1e27
> --- /dev/null
> +++ b/config/appconfig-mls/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t:s0
> +system_u:object_r:virt_content_t:s0
> diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
> new file mode 100644
> index 0000000..c049e10
> --- /dev/null
> +++ b/config/appconfig-standard/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t
> diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
> new file mode 100644
> index 0000000..fca6046
> --- /dev/null
> +++ b/config/appconfig-standard/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t
> +system_u:object_r:virt_content_t


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them)
  2012-04-11 18:35 ` [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them) Sven Vermeulen
@ 2012-04-23 14:41   ` Christopher J. PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 14:41 UTC (permalink / raw)
  To: refpolicy

On 04/11/12 14:35, Sven Vermeulen wrote:
> During startup of guests, libvirt needs to create temporary files and execute them (part of setting up the necessary
> environment of the guests).

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  virt.te |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
> 
> diff --git a/virt.te b/virt.te
> index 3eca020..a427c3f 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -74,6 +74,9 @@ userdom_user_home_content(virt_content_t)
>  type virt_log_t;
>  logging_log_file(virt_log_t)
>  
> +type virt_tmp_t;
> +files_tmp_file(virt_tmp_t)
> +
>  type virt_var_run_t;
>  files_pid_file(virt_var_run_t)
>  
> @@ -207,6 +210,11 @@ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
>  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
>  logging_log_filetrans(virtd_t, virt_log_t, { file dir })
>  
> +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
> +can_exec(virtd_t, virt_tmp_t)
> +
>  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
>  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
>  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt
  2012-04-11 18:35 ` [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt Sven Vermeulen
@ 2012-04-23 14:41   ` Christopher J. PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 14:41 UTC (permalink / raw)
  To: refpolicy

On 04/11/12 14:35, Sven Vermeulen wrote:
> When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
> domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
> administrator).

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/roles/sysadm.te |    4 ++++
>  policy/modules/system/init.te  |    1 +
>  2 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 7d25414..e08c71f 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -394,6 +394,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	virt_stream_connect(sysadm_t)
> +')
> +
> +optional_policy(`
>  	vmware_role(sysadm_r, sysadm_t)
>  ')
>  
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b7fcbe3..79a306e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -822,6 +822,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	virt_stream_connect(initrc_t)
>  	virt_manage_svirt_cache(initrc_t)
>  ')
>  


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu
  2012-04-11 18:36 ` [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu Sven Vermeulen
@ 2012-04-23 14:41   ` Christopher J. PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 14:41 UTC (permalink / raw)
  To: refpolicy

On 04/11/12 14:36, Sven Vermeulen wrote:
> When using libvirt as the virtualization framework, using qemu as the virtualization environment itself, launching guests
> requires the qemu domain to have exec rights on its own binaries.

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  qemu.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/qemu.te b/qemu.te
> index 9cf9992..0bbccb5 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -50,6 +50,8 @@ role system_r types qemu_t;
>  # qemu local policy
>  #
>  
> +can_exec(qemu_t, qemu_exec_t)
> +
>  storage_raw_write_removable_device(qemu_t)
>  storage_raw_read_removable_device(qemu_t)
>  


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
