Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/hypervkvp.te

policy_module(hypervkvp, 1.0.0)

########################################
#
# Declarations
#

attribute hyperv_domain;

type hypervkvp_t, hyperv_domain;
type hypervkvp_exec_t;
init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)

type hypervkvp_initrc_exec_t;
init_script_file(hypervkvp_initrc_exec_t)

type hypervkvp_unit_file_t;
systemd_unit_file(hypervkvp_unit_file_t)

type hypervkvp_var_lib_t;
files_type(hypervkvp_var_lib_t)

type hypervkvp_tmp_t;
files_tmpfs_file(hypervkvp_tmp_t)

type hypervvssd_t, hyperv_domain;
type hypervvssd_exec_t;
init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)

type hypervvssd_unit_file_t;
systemd_unit_file(hypervvssd_unit_file_t)

########################################
#
# hyperv domain local policy
#

allow hyperv_domain self:capability net_admin;
allow hyperv_domain self:netlink_socket create_socket_perms;

allow hyperv_domain self:fifo_file rw_fifo_file_perms;
allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;

corecmd_exec_shell(hyperv_domain)
corecmd_exec_bin(hyperv_domain)

dev_read_sysfs(hyperv_domain)

########################################
#
# hypervkvp local policy
#

allow hypervkvp_t self:capability sys_ptrace;
allow hypervkvp_t self:process setfscreate;
allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;

manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)

manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })

kernel_read_system_state(hypervkvp_t)
kernel_read_network_state(hypervkvp_t)
kernel_request_load_module(hypervkvp_t)
kernel_rw_net_sysctls(hypervkvp_t)

corecmd_getattr_all_executables(hypervkvp_t)

dev_rw_hypervkvp(hypervkvp_t)

domain_read_all_domains_state(hypervkvp_t)

seutil_exec_setfiles(hypervkvp_t)
seutil_read_file_contexts(hypervkvp_t)

domain_read_all_domains_state(hypervkvp_t)

dev_read_urand(hypervkvp_t)

files_dontaudit_search_home(hypervkvp_t)
files_dontaudit_getattr_non_security_files(hypervkvp_t)

fs_getattr_all_fs(hypervkvp_t)
fs_read_hugetlbfs_files(hypervkvp_t)
fs_list_hugetlbfs(hypervkvp_t)

auth_use_nsswitch(hypervkvp_t)

logging_send_syslog_msg(hypervkvp_t)
logging_read_syslog_config(hypervkvp_t)

libs_exec_ldconfig(hypervkvp_t)

modutils_domtrans_kmod(hypervkvp_t)

seutil_domtrans_setfiles(hypervkvp_t)

sysnet_dns_name_resolve(hypervkvp_t)
sysnet_domtrans_dhcpc(hypervkvp_t)
sysnet_domtrans_ifconfig(hypervkvp_t)

sysnet_manage_dhcpc_pid(hypervkvp_t)
sysnet_signal_dhcpc(hypervkvp_t)

sysnet_manage_config(hypervkvp_t)
sysnet_read_dhcpc_state(hypervkvp_t)
sysnet_read_dhcp_config(hypervkvp_t)
sysnet_etc_filetrans_config(hypervkvp_t)

systemd_exec_systemctl(hypervkvp_t)

userdom_dontaudit_search_admin_dir(hypervkvp_t)

optional_policy(`
    brctl_domtrans(hypervkvp_t)
')

optional_policy(`
    dbus_read_pid_files(hypervkvp_t)
    dbus_system_bus_client(hypervkvp_t)
')

optional_policy(`
    hostname_exec(hypervkvp_t)
')

optional_policy(`
    firewalld_dbus_chat(hypervkvp_t)
')

optional_policy(`
    netutils_domtrans_ping(hypervkvp_t)
    netutils_domtrans(hypervkvp_t)
')

optional_policy(`
    networkmanager_read_pid_files(hypervkvp_t)
    networkmanager_dbus_chat(hypervkvp_t)
')

optional_policy(`
    sysnet_exec_ifconfig(hypervkvp_t)
')

optional_policy(`
    rpm_exec(hypervkvp_t)
')

########################################
#
# hypervvssd local policy
#

allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };

dev_rw_hypervvssd(hypervvssd_t)

files_list_boot(hypervvssd_t)

files_list_all_mountpoints(hypervvssd_t)
files_write_all_mountpoints(hypervvssd_t)
files_list_non_auth_dirs(hypervvssd_t)

logging_send_syslog_msg(hypervvssd_t)

storage_raw_read_fixed_disk(hypervvssd_t)
extract all compressed files to make viewing source code easier and updated oreon-backgrounds and oreon-release packages 2024-07-03 21:20:34 -07:00			`policy_module(hypervkvp, 1.0.0)`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`attribute hyperv_domain;`

			`type hypervkvp_t, hyperv_domain;`
			`type hypervkvp_exec_t;`
			`init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)`

			`type hypervkvp_initrc_exec_t;`
			`init_script_file(hypervkvp_initrc_exec_t)`

			`type hypervkvp_unit_file_t;`
			`systemd_unit_file(hypervkvp_unit_file_t)`

			`type hypervkvp_var_lib_t;`
			`files_type(hypervkvp_var_lib_t)`

			`type hypervkvp_tmp_t;`
			`files_tmpfs_file(hypervkvp_tmp_t)`

			`type hypervvssd_t, hyperv_domain;`
			`type hypervvssd_exec_t;`
			`init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)`

			`type hypervvssd_unit_file_t;`
			`systemd_unit_file(hypervvssd_unit_file_t)`

			`########################################`
			`#`
			`# hyperv domain local policy`
			`#`

			`allow hyperv_domain self:capability net_admin;`
			`allow hyperv_domain self:netlink_socket create_socket_perms;`

			`allow hyperv_domain self:fifo_file rw_fifo_file_perms;`
			`allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;`

			`corecmd_exec_shell(hyperv_domain)`
			`corecmd_exec_bin(hyperv_domain)`

			`dev_read_sysfs(hyperv_domain)`

			`########################################`
			`#`
			`# hypervkvp local policy`
			`#`

			`allow hypervkvp_t self:capability sys_ptrace;`
			`allow hypervkvp_t self:process setfscreate;`
			`allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;`

			`manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)`
			`manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)`
			`files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)`

			`manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)`
			`manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)`
			`files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })`

			`kernel_read_system_state(hypervkvp_t)`
			`kernel_read_network_state(hypervkvp_t)`
			`kernel_request_load_module(hypervkvp_t)`
			`kernel_rw_net_sysctls(hypervkvp_t)`

			`corecmd_getattr_all_executables(hypervkvp_t)`

			`dev_rw_hypervkvp(hypervkvp_t)`

			`domain_read_all_domains_state(hypervkvp_t)`

			`seutil_exec_setfiles(hypervkvp_t)`
			`seutil_read_file_contexts(hypervkvp_t)`

			`domain_read_all_domains_state(hypervkvp_t)`

			`dev_read_urand(hypervkvp_t)`

			`files_dontaudit_search_home(hypervkvp_t)`
			`files_dontaudit_getattr_non_security_files(hypervkvp_t)`

			`fs_getattr_all_fs(hypervkvp_t)`
			`fs_read_hugetlbfs_files(hypervkvp_t)`
			`fs_list_hugetlbfs(hypervkvp_t)`

			`auth_use_nsswitch(hypervkvp_t)`

			`logging_send_syslog_msg(hypervkvp_t)`
			`logging_read_syslog_config(hypervkvp_t)`

			`libs_exec_ldconfig(hypervkvp_t)`

			`modutils_domtrans_kmod(hypervkvp_t)`

			`seutil_domtrans_setfiles(hypervkvp_t)`

			`sysnet_dns_name_resolve(hypervkvp_t)`
			`sysnet_domtrans_dhcpc(hypervkvp_t)`
			`sysnet_domtrans_ifconfig(hypervkvp_t)`

			`sysnet_manage_dhcpc_pid(hypervkvp_t)`
			`sysnet_signal_dhcpc(hypervkvp_t)`

			`sysnet_manage_config(hypervkvp_t)`
			`sysnet_read_dhcpc_state(hypervkvp_t)`
			`sysnet_read_dhcp_config(hypervkvp_t)`
			`sysnet_etc_filetrans_config(hypervkvp_t)`

			`systemd_exec_systemctl(hypervkvp_t)`

			`userdom_dontaudit_search_admin_dir(hypervkvp_t)`

			optional_policy(`
			`brctl_domtrans(hypervkvp_t)`
			`')`

			optional_policy(`
			`dbus_read_pid_files(hypervkvp_t)`
			`dbus_system_bus_client(hypervkvp_t)`
			`')`

			optional_policy(`
			`hostname_exec(hypervkvp_t)`
			`')`

			optional_policy(`
			`firewalld_dbus_chat(hypervkvp_t)`
			`')`

			optional_policy(`
			`netutils_domtrans_ping(hypervkvp_t)`
			`netutils_domtrans(hypervkvp_t)`
			`')`

			optional_policy(`
			`networkmanager_read_pid_files(hypervkvp_t)`
			`networkmanager_dbus_chat(hypervkvp_t)`
			`')`

			optional_policy(`
			`sysnet_exec_ifconfig(hypervkvp_t)`
			`')`

			optional_policy(`
			`rpm_exec(hypervkvp_t)`
			`')`

			`########################################`
			`#`
			`# hypervvssd local policy`
			`#`

			`allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };`

			`dev_rw_hypervvssd(hypervvssd_t)`

			`files_list_boot(hypervvssd_t)`

			`files_list_all_mountpoints(hypervvssd_t)`
			`files_write_all_mountpoints(hypervvssd_t)`
			`files_list_non_auth_dirs(hypervvssd_t)`

			`logging_send_syslog_msg(hypervvssd_t)`

			`storage_raw_read_fixed_disk(hypervvssd_t)`