* [refpolicy] [PATCH 1/4] Adding default context rules for libvirt
From: Sven Vermeulen @ 2012-04-11 18:34 UTC (permalink / raw)
To: refpolicy
The libvirt infrastructure requires the availability of the context files.
In this patch, we add the defaults to the three predefined application
contexts (mls/mcs/standard).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
Makefile | 2 +-
config/appconfig-mcs/virtual_domain_context | 1 +
config/appconfig-mcs/virtual_image_context | 2 ++
config/appconfig-mls/virtual_domain_context | 1 +
config/appconfig-mls/virtual_image_context | 2 ++
config/appconfig-standard/virtual_domain_context | 1 +
config/appconfig-standard/virtual_image_context | 2 ++
7 files changed, 10 insertions(+), 1 deletions(-)
create mode 100644 config/appconfig-mcs/virtual_domain_context
create mode 100644 config/appconfig-mcs/virtual_image_context
create mode 100644 config/appconfig-mls/virtual_domain_context
create mode 100644 config/appconfig-mls/virtual_image_context
create mode 100644 config/appconfig-standard/virtual_domain_context
create mode 100644 config/appconfig-standard/virtual_image_context
diff --git a/Makefile b/Makefile
index 5a43919..39a3d40 100644
--- a/Makefile
+++ b/Makefile
@@ -249,7 +249,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
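Review bot: the appfiles line now hard-codes virtual_domain_context and virtual_image_context, and appfiles entries are taken from $(appconf) (config/appconfig-$(TYPE), judging by the seusers assignment in the hunk header), so both files must exist for every TYPE the build supports. This patch supplies them for mcs, mls and standard, so nothing breaks today, but any future appconfig-* directory without them fails only at install time. Either add a comment above the list saying the two files are mandatory per flavour, or pick them up with $(wildcard config/appconfig-$(TYPE)/virtual_*_context) the way user_default_contexts does two lines above.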
diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
new file mode 100644
index 0000000..d387b42
--- /dev/null
+++ b/config/appconfig-mcs/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
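Review bot: the mcs file carries the bare base level s0 with no category set, which is what this file should contain, since the per-guest category pair is appended to it at runtime; anyone who "completes" the line with categories would pin every guest to one label and remove the isolation between them. A sentence in the commit message that the file holds a base context, not a finished label, would prevent that. The mls copy further down is byte-identical and the same remark applies.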
diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
new file mode 100644
index 0000000..8ab1e27
--- /dev/null
+++ b/config/appconfig-mcs/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
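Review bot: the two lines are positional rather than alternatives: the first (svirt_image_t) is the label applied to writable disk images, the second (virt_content_t) the label for read-only content shared between guests, so swapping them would silently relabel images as shared content. Nothing in the patch records which line is which; please note it in the commit message, since the file format itself gives no room for an explanation. The mls copy below has the same ordering dependency.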
diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
new file mode 100644
index 0000000..d387b42
--- /dev/null
+++ b/config/appconfig-mls/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t:s0
diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
new file mode 100644
index 0000000..8ab1e27
--- /dev/null
+++ b/config/appconfig-mls/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t:s0
+system_u:object_r:virt_content_t:s0
diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
new file mode 100644
index 0000000..c049e10
--- /dev/null
+++ b/config/appconfig-standard/virtual_domain_context
@@ -0,0 +1 @@
+system_u:system_r:svirt_t
diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
new file mode 100644
index 0000000..fca6046
--- /dev/null
+++ b/config/appconfig-standard/virtual_image_context
@@ -0,0 +1,2 @@
+system_u:object_r:svirt_image_t
+system_u:object_r:virt_content_t
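Review bot: the standard copies drop the :s0 field, which is correct for a policy built without MLS support, where a fourth context field would not parse. The cost is that the same two-file set now lives in three places with nothing keeping the user, role and type portions in sync; a small check that diffs the context files across config/appconfig-* after stripping the level would catch drift when one copy is edited later.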
--
1.7.3.4
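Added example, written for this page and not code from the patch, refpolicy or libvirt: a Python checker that parses the six context files above (their contents are embedded as sample data copied from the hunks) and verifies the properties the three flavours are expected to satisfy: one domain context under system_r, an image context followed by a content context under object_r, a bare s0 level in the mcs/mls variants and no level in the standard one. The mcs_label() helper goes one step beyond the patch and shows how such a base context turns into a per-guest label; the category range and ordering it uses are assumptions, not taken from the page.

```python
"""Sanity checks for the virtual_domain_context / virtual_image_context files.

Added example, not code from the patch, refpolicy or libvirt.  The file
contents are embedded below (copied from the hunks in this message) so the
script runs offline.  The checks encode what a reviewer expects of these
files; mcs_label() is an assumption about how the base context becomes a
per-guest label at runtime (a category pair appended to the s0 level) and
is not taken from the page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    stype: str               # the SELinux type, e.g. svirt_t
    level: Optional[str]     # None when the policy has no MLS/MCS field

    def __str__(self) -> str:
        base = f"{self.user}:{self.role}:{self.stype}"
        return base if self.level is None else f"{base}:{self.level}"


_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
# user:role:type[:level]; the level may itself contain colons (s0:c12,c500),
# so everything after the third colon is taken as the level.
_CTX_RE = re.compile(rf"^({_IDENT}):({_IDENT}):({_IDENT})(?::(\S+))?$")


def parse_context(line: str) -> Context:
    m = _CTX_RE.match(line.strip())
    if m is None:
        raise ValueError(f"malformed security context: {line!r}")
    user, role, stype, level = m.groups()
    return Context(user, role, stype, level)


# Constructed sample: the six files exactly as added by the patch.
APPCONFIG: Dict[str, Dict[str, List[str]]] = {
    "mcs": {
        "virtual_domain_context": ["system_u:system_r:svirt_t:s0"],
        "virtual_image_context": ["system_u:object_r:svirt_image_t:s0",
                                  "system_u:object_r:virt_content_t:s0"],
    },
    "mls": {
        "virtual_domain_context": ["system_u:system_r:svirt_t:s0"],
        "virtual_image_context": ["system_u:object_r:svirt_image_t:s0",
                                  "system_u:object_r:virt_content_t:s0"],
    },
    "standard": {
        "virtual_domain_context": ["system_u:system_r:svirt_t"],
        "virtual_image_context": ["system_u:object_r:svirt_image_t",
                                  "system_u:object_r:virt_content_t"],
    },
}


def check_flavour(flavour: str, files: Dict[str, List[str]]) -> List[str]:
    """Return the problems found for one appconfig flavour (empty == OK)."""
    problems: List[str] = []
    has_level = flavour in ("mcs", "mls")
    dom = [parse_context(l) for l in files["virtual_domain_context"]]
    img = [parse_context(l) for l in files["virtual_image_context"]]

    if len(dom) != 1:
        problems.append(f"{flavour}: want exactly one domain context, got {len(dom)}")
    if len(img) != 2:
        problems.append(f"{flavour}: want image context then content context, got {len(img)} lines")

    for c in dom:                     # a process label: role system_r
        if c.role != "system_r":
            problems.append(f"{flavour}: domain context has role {c.role}, want system_r")
    for c in img:                     # file labels: role object_r
        if c.role != "object_r":
            problems.append(f"{flavour}: image context has role {c.role}, want object_r")
    for c in dom + img:
        if not c.stype.endswith("_t"):
            problems.append(f"{flavour}: {c.stype} does not look like a type")
        if has_level and c.level is None:
            problems.append(f"{flavour}: {c} lacks the MLS/MCS level")
        if has_level and c.level not in (None, "s0"):
            problems.append(f"{flavour}: {c} must be the bare base level s0, no categories")
        if not has_level and c.level is not None:
            problems.append(f"{flavour}: {c} carries a level but the policy has no MLS field")
    return problems


def mcs_label(base: Context, c1: int, c2: int) -> Context:
    """Derive a per-guest MCS label from the base context.

    Assumption (not from the page): two distinct categories in 0..1023 are
    appended to the s0 level, lower category first, e.g. s0:c12,c500.
    """
    if base.level != "s0":
        raise ValueError("MCS labelling needs the bare base level s0")
    if c1 == c2 or not all(0 <= c <= 1023 for c in (c1, c2)):
        raise ValueError("need two distinct categories in 0..1023")
    lo, hi = sorted((c1, c2))
    return Context(base.user, base.role, base.stype, f"s0:c{lo},c{hi}")


if __name__ == "__main__":
    for flavour, files in APPCONFIG.items():
        print(flavour, check_flavour(flavour, files) or "ok")
    base = parse_context(APPCONFIG["mcs"]["virtual_domain_context"][0])
    print("guest label from", base, "->", mcs_label(base, 500, 12))
```

Feeding the standard flavour a line that carries :s0 is the quickest way to see the check fire; the level rules are the one place where the three copies legitimately differ, so that is where a copy-and-paste between flavours goes wrong.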
* [refpolicy] [PATCH 1/4] Adding default context rules for libvirt
From: Christopher J. PeBenito @ 2012-04-23 14:40 UTC (permalink / raw)
To: refpolicy
On 04/11/12 14:34, Sven Vermeulen wrote:
> The libvirt infrastructure requires the availability of the context files.
>
> In this patch, we add the defaults to the three predefined application
> contexts (mls/mcs/standard).
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> Makefile | 2 +-
> config/appconfig-mcs/virtual_domain_context | 1 +
> config/appconfig-mcs/virtual_image_context | 2 ++
> config/appconfig-mls/virtual_domain_context | 1 +
> config/appconfig-mls/virtual_image_context | 2 ++
> config/appconfig-standard/virtual_domain_context | 1 +
> config/appconfig-standard/virtual_image_context | 2 ++
> 7 files changed, 10 insertions(+), 1 deletions(-)
> create mode 100644 config/appconfig-mcs/virtual_domain_context
> create mode 100644 config/appconfig-mcs/virtual_image_context
> create mode 100644 config/appconfig-mls/virtual_domain_context
> create mode 100644 config/appconfig-mls/virtual_image_context
> create mode 100644 config/appconfig-standard/virtual_domain_context
> create mode 100644 config/appconfig-standard/virtual_image_context
>
> diff --git a/Makefile b/Makefile
> index 5a43919..39a3d40 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -249,7 +249,7 @@ seusers := $(appconf)/seusers
> appdir := $(contextpath)
> user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
> user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
> -appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
> +appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_domain_context virtual_image_context) $(contextpath)/files/media $(fcsubspath) $(user_default_contexts_names)
> net_contexts := $(builddir)net_contexts
>
> all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
> diff --git a/config/appconfig-mcs/virtual_domain_context b/config/appconfig-mcs/virtual_domain_context
> new file mode 100644
> index 0000000..d387b42
> --- /dev/null
> +++ b/config/appconfig-mcs/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t:s0
> diff --git a/config/appconfig-mcs/virtual_image_context b/config/appconfig-mcs/virtual_image_context
> new file mode 100644
> index 0000000..8ab1e27
> --- /dev/null
> +++ b/config/appconfig-mcs/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t:s0
> +system_u:object_r:virt_content_t:s0
> diff --git a/config/appconfig-mls/virtual_domain_context b/config/appconfig-mls/virtual_domain_context
> new file mode 100644
> index 0000000..d387b42
> --- /dev/null
> +++ b/config/appconfig-mls/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t:s0
> diff --git a/config/appconfig-mls/virtual_image_context b/config/appconfig-mls/virtual_image_context
> new file mode 100644
> index 0000000..8ab1e27
> --- /dev/null
> +++ b/config/appconfig-mls/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t:s0
> +system_u:object_r:virt_content_t:s0
> diff --git a/config/appconfig-standard/virtual_domain_context b/config/appconfig-standard/virtual_domain_context
> new file mode 100644
> index 0000000..c049e10
> --- /dev/null
> +++ b/config/appconfig-standard/virtual_domain_context
> @@ -0,0 +1 @@
> +system_u:system_r:svirt_t
> diff --git a/config/appconfig-standard/virtual_image_context b/config/appconfig-standard/virtual_image_context
> new file mode 100644
> index 0000000..fca6046
> --- /dev/null
> +++ b/config/appconfig-standard/virtual_image_context
> @@ -0,0 +1,2 @@
> +system_u:object_r:svirt_image_t
> +system_u:object_r:virt_content_t
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them)
From: Sven Vermeulen @ 2012-04-11 18:35 UTC (permalink / raw)
To: refpolicy
During startup of guests, libvirt needs to create temporary files and execute them (part of setting up the necessary
environment of the guests).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
virt.te | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/virt.te b/virt.te
index 3eca020..a427c3f 100644
--- a/virt.te
+++ b/virt.te
@@ -74,6 +74,9 @@ userdom_user_home_content(virt_content_t)
type virt_log_t;
logging_log_file(virt_log_t)
+type virt_tmp_t;
+files_tmp_file(virt_tmp_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)
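Review bot: virt_tmp_t is declared with files_tmp_file() only and gets no file-context entry, so the type is ever assigned only through the files_tmp_filetrans rule in the next hunk; if libvirt writes these helpers anywhere other than a tmp directory, the files will not be virt_tmp_t and the exec rule will not apply to them. That is fine if /tmp is the only location, but a one-line comment next to the type declaration saying so would save the next person from guessing.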
@@ -207,6 +210,11 @@ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)
+
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
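Review bot: manage_files_pattern plus can_exec on virt_tmp_t gives virtd_t write-then-execute on files it creates itself, and because can_exec is a plain exec with no domain transition, whatever lands in virt_tmp_t runs with virtd_t's full privilege. The commit message only says libvirt "needs to create temporary files and execute them"; please name the file (a generated helper script, or something else) so a later reviewer can judge whether a separate exec type with a transition would be tighter, and put the same reason in a comment above these four lines.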
--
1.7.3.4
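Added example, not part of the patch and not refpolicy's own tooling: a Python script that scans refpolicy-style macro calls and reports every (domain, type) pair where the same domain is granted write access through one macro and execute access through can_exec, which is exactly the pattern the virt_tmp_t hunk above introduces. The rules it runs over are copied from the virt.te and qemu.te hunks in this thread and embedded as sample input; the MACROS table is a deliberately small, assumed subset of refpolicy's interfaces, and the function names are my own.

```python
"""Flag domains that may both write and execute files of the same type.

Added example, not refpolicy tooling and not part of the patch.  It scans
refpolicy-style macro calls (the lines below are copied from the virt.te and
qemu.te hunks in this thread, embedded so the script runs offline) and
reports every (domain, type) pair for which the domain gets write access
through one macro and execute access through can_exec, i.e. a file it can
write and then run without a domain transition.  MACROS is a deliberately
small, assumed subset of refpolicy's interfaces; extend it for real use.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# macro name -> (index of the argument naming the file type, abstract permission)
# manage_files_pattern(dom, dirtype, filetype): the file type is argument 3.
# can_exec(dom, type): execute without transition, so the caller stays itself.
MACROS: Dict[str, Tuple[int, str]] = {
    "manage_files_pattern": (2, "write"),
    "write_files_pattern": (2, "write"),
    "rw_files_pattern": (2, "write"),
    "can_exec": (1, "exec"),
    "exec_files_pattern": (2, "exec"),
}

_CALL_RE = re.compile(r"^([a-z_]+)\((.*)\)$")


def parse_rules(te_source: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (domain, file type) -> abstract permissions seen in the source.

    Accepts either plain .te text or unified-diff hunks: '+' prefixes are
    dropped and '-' (removed) lines are ignored, so a patch can be fed in.
    """
    perms: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for raw in te_source.splitlines():
        if raw.startswith("-"):
            continue
        line = raw.lstrip("+").strip()
        if not line or line.startswith("#"):
            continue
        m = _CALL_RE.match(line)
        if m is None or m.group(1) not in MACROS:
            continue
        args = [a.strip() for a in m.group(2).split(",")]
        idx, perm = MACROS[m.group(1)]
        if len(args) <= idx:
            continue
        perms[(args[0], args[idx])].add(perm)
    return perms


def write_exec_pairs(te_source: str) -> List[Tuple[str, str]]:
    """(domain, type) pairs the domain can both write and execute."""
    perms = parse_rules(te_source)
    return sorted(pair for pair, p in perms.items() if {"write", "exec"} <= p)


# Constructed sample: rules copied from the hunks in this thread.  The log
# rules and the qemu rule are included to show that write-only or exec-only
# access is not reported.
SAMPLE_TE = """\
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })

+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
+files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+can_exec(virtd_t, virt_tmp_t)

+can_exec(qemu_t, qemu_exec_t)
"""

if __name__ == "__main__":
    for dom, ftype in write_exec_pairs(SAMPLE_TE):
        print(f"{dom} can write and execute {ftype}: check this is intended")
```

Run against the sample it reports only virtd_t/virt_tmp_t; the qemu_t rule from patch 4/4 is exec-only and the log rules are write-only, so neither shows up. The check is intentionally blind to domain transitions (domtrans_pattern is not in the table), because a write-then-exec that lands in a different, more confined domain is the case a reviewer would accept.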
* [refpolicy] [PATCH 2/4] Let libvirt write its own tmp files (and execute them)
From: Christopher J. PeBenito @ 2012-04-23 14:41 UTC (permalink / raw)
To: refpolicy
On 04/11/12 14:35, Sven Vermeulen wrote:
> During startup of guests, libvirt needs to create temporary files and execute them (part of setting up the necessary
> environment of the guests).
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> virt.te | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/virt.te b/virt.te
> index 3eca020..a427c3f 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -74,6 +74,9 @@ userdom_user_home_content(virt_content_t)
> type virt_log_t;
> logging_log_file(virt_log_t)
>
> +type virt_tmp_t;
> +files_tmp_file(virt_tmp_t)
> +
> type virt_var_run_t;
> files_pid_file(virt_var_run_t)
>
> @@ -207,6 +210,11 @@ manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
> manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
> logging_log_filetrans(virtd_t, virt_log_t, { file dir })
>
> +manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> +manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> +files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
> +can_exec(virtd_t, virt_tmp_t)
> +
> manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
> manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt
From: Sven Vermeulen @ 2012-04-11 18:35 UTC (permalink / raw)
To: refpolicy
When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
administrator).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/system/init.te | 1 +
2 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7d25414..e08c71f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -394,6 +394,10 @@ optional_policy(`
')
optional_policy(`
+ virt_stream_connect(sysadm_t)
+')
+
+optional_policy(`
vmware_role(sysadm_r, sysadm_t)
')
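Review bot: a stream_connect to virtd_t is in practice administrative control over every guest libvirtd manages, because the socket is where libvirt's authorization stops; that is appropriate for sysadm_t, but it is also the reason this block should not be copied into the unprivileged user roles without a corresponding virt-side restriction. Placement before vmware_role keeps the optional_policy blocks in alphabetical order, which is right.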
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b7fcbe3..79a306e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -822,6 +822,7 @@ optional_policy(`
')
optional_policy(`
+ virt_stream_connect(initrc_t)
virt_manage_svirt_cache(initrc_t)
')
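Review bot: the new call is inserted above virt_manage_svirt_cache, keeping the block alphabetical, but note what it grants: initrc_t is shared by every init script, so after this any script run under it can drive libvirtd over its socket, not just the guest start/stop script the commit message has in mind. If the distribution ships that script as a unit that could get its own domain, that would be a tighter home for the rule; at minimum, a comment naming the script would document why initrc_t needs it.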
--
1.7.3.4
* [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt
From: Christopher J. PeBenito @ 2012-04-23 14:41 UTC (permalink / raw)
To: refpolicy
On 04/11/12 14:35, Sven Vermeulen wrote:
> When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
> domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
> administrator).
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/roles/sysadm.te | 4 ++++
> policy/modules/system/init.te | 1 +
> 2 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 7d25414..e08c71f 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -394,6 +394,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + virt_stream_connect(sysadm_t)
> +')
> +
> +optional_policy(`
> vmware_role(sysadm_r, sysadm_t)
> ')
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b7fcbe3..79a306e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -822,6 +822,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + virt_stream_connect(initrc_t)
> virt_manage_svirt_cache(initrc_t)
> ')
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu
From: Sven Vermeulen @ 2012-04-11 18:36 UTC (permalink / raw)
To: refpolicy
When using libvirt as the virtualization framework, using qemu as the virtualization environment itself, launching guests
requires the qemu domain to have exec rights on its own binaries.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
qemu.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/qemu.te b/qemu.te
index 9cf9992..0bbccb5 100644
--- a/qemu.te
+++ b/qemu.te
@@ -50,6 +50,8 @@ role system_r types qemu_t;
# qemu local policy
#
+can_exec(qemu_t, qemu_exec_t)
+
storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)
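Review bot: the justification and the rule do not obviously meet: patch 1/4 sets virtual_domain_context to svirt_t, so guests that libvirtd launches run in svirt_t, while can_exec(qemu_t, qemu_exec_t) only covers a qemu already in qemu_t re-executing its own binary, and can_exec means it stays in qemu_t afterwards. The commit message should say which launch path ends up in qemu_t, or whether svirt_t needs the same execute permission on qemu_exec_t; otherwise a reader cannot tell if this rule fixes the libvirt case described or a different one.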
--
1.7.3.4
* [refpolicy] [PATCH 4/4] libvirt use of qemu requires re-exec of qemu
From: Christopher J. PeBenito @ 2012-04-23 14:41 UTC (permalink / raw)
To: refpolicy
On 04/11/12 14:36, Sven Vermeulen wrote:
> When using libvirt as the virtualization framework, using qemu as the virtualization environment itself, launching guests
> requires the qemu domain to have exec rights on its own binaries.
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> qemu.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/qemu.te b/qemu.te
> index 9cf9992..0bbccb5 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -50,6 +50,8 @@ role system_r types qemu_t;
> # qemu local policy
> #
>
> +can_exec(qemu_t, qemu_exec_t)
> +
> storage_raw_write_removable_device(qemu_t)
> storage_raw_read_removable_device(qemu_t)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com