## <summary>Libvirt virtualization API</summary>

########################################
## <summary>
##	virtd_lxc_t stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stub_lxc',`
	gen_require(`
		type virtd_lxc_t;
	')
')

########################################
## <summary>
##	svirt_sandbox_domain attribute stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stub_svirt_sandbox_domain',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')
')

########################################
## <summary>
##	container_file_t stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stub_container_image',`
	gen_require(`
		type container_file_t;
	')
')

########################################
## <summary>
##	container_file_t and container_ro_file_t stub interface.
##	No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stub_svirt_sandbox_file',`
	gen_require(`
		type container_file_t;
		type container_ro_file_t;
	')
')

########################################
## <summary>
##	Creates types and rules for a basic
##	qemu process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`virt_domain_template',`
	gen_require(`
		attribute virt_domain;
		attribute virt_ptynode;
		type virtlogd_t;
	')

	# $1_t is a guest (qemu) domain: it joins the virt_domain attribute so
	# every interface written against virt_domain covers it.
	type $1_t, virt_domain;
	application_type($1_t)
	domain_user_exemption_target($1_t)
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	role system_r types $1_t;

	# Private pty type for the guest's console.
	type $1_devpts_t, virt_ptynode;
	term_pty($1_devpts_t)

	kernel_read_system_state($1_t)

	auth_read_passwd($1_t)

	logging_send_syslog_msg($1_t)

	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
	term_create_pty($1_t, $1_devpts_t)

	# Allow domain to write to pipes connected to virtlogd
	# (inherited fds only; the guest cannot open virtlogd pipes itself).
	allow $1_t virtlogd_t:fd use;
	allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;

	qemu_entry_type($1_t)
')

######################################
## <summary>
##	Creates types and rules for a basic
##	virt driver domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`virt_driver_template',`
	gen_require(`
		attribute virt_driver_domain;
		attribute virt_driver_executable;
		attribute virt_driver_var_run;
		type virtd_t;
		type virtqemud_t;
		type virt_common_var_run_t;
		type virt_etc_t;
		type virt_etc_rw_t;
		type virtinterfaced_var_run_t;
		type virtnodedevd_var_run_t;
		# NOTE(review): virtnetworkd_var_run_t is required here but no rule
		# in this template references it; confirm whether a "network"
		# filetrans was intended alongside the other per-driver ones below.
		type virtnetworkd_var_run_t;
		type virtnwfilterd_var_run_t;
		type virtsecretd_var_run_t;
		type virtstoraged_var_run_t;
		type virt_var_run_t;
	')

	mls_rangetrans_source($1)
	mls_rangetrans_target($1)

	##################################
	#
	# Local policy
	#

	allow $1 self:netlink_audit_socket create;
	allow $1 self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1 self:netlink_route_socket create_netlink_socket_perms;
	allow $1 self:rawip_socket create_socket_perms;
	allow $1 self:unix_dgram_socket create_socket_perms;

	# NOTE(review): the next two rules (and read_files_pattern below) are
	# written against the whole virt_driver_domain attribute rather than $1,
	# so they are granted to every driver domain regardless of which
	# template invocation is compiled.
	allow virt_driver_domain virtd_t:unix_stream_socket rw_stream_socket_perms;
	allow virt_driver_domain virtqemud_t:unix_stream_socket connectto;

	allow $1 virt_common_var_run_t:file append_file_perms;
	manage_dirs_pattern($1, virt_common_var_run_t, virt_common_var_run_t)
	manage_files_pattern($1, virt_common_var_run_t, virt_common_var_run_t)
	filetrans_pattern($1, virt_driver_var_run, virt_common_var_run_t, dir, "common")
	filetrans_pattern($1, virt_var_run_t, virt_common_var_run_t, dir, "common")
	# NOTE(review): "interfac(e)" is an unusual directory name for a named
	# file transition; confirm it against the run-dir layout the driver
	# actually creates (the other entries here are plain names).
	filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interfac(e)")
	filetrans_pattern($1, virt_var_run_t, virtnodedevd_var_run_t, dir, "nodedev")
	filetrans_pattern($1, virt_var_run_t, virtnwfilterd_var_run_t, dir, "nwfilter")
	filetrans_pattern($1, virt_var_run_t, virtsecretd_var_run_t, dir, "secrets")
	filetrans_pattern($1, virt_var_run_t, virtstoraged_var_run_t, dir, "storage")
	manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)

	# Static config is read-only; only virt_etc_rw_t is writable.
	read_files_pattern($1, virt_etc_t, virt_etc_t)
	manage_dirs_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	filetrans_pattern($1, virt_etc_t, virt_etc_rw_t, dir)

	read_files_pattern(virt_driver_domain, virtqemud_t, virtqemud_t)

	kernel_dgram_send($1)

	mls_fd_share_all_levels($1)
	mls_file_read_to_clearance($1)
	mls_file_write_to_clearance($1)
	mls_process_read_to_clearance($1)
	mls_process_write_to_clearance($1)
	mls_socket_read_to_clearance($1)
	mls_socket_write_to_clearance($1)

	auth_read_passwd($1)

	dev_read_sysfs($1)

	files_read_non_security_files($1)

	init_read_utmp($1)

	logging_send_syslog_msg($1)

	miscfiles_read_generic_certs($1)

	virt_manage_cache($1)
	virt_manage_pid_files($1)
	virt_stream_connect($1)

	optional_policy(`
		dbus_read_pid_files($1)
		dbus_stream_connect_system_dbusd($1)
		dbus_system_bus_client($1)
	')

	optional_policy(`
		systemd_dbus_chat_logind($1)
		systemd_machined_stream_connect($1)
		systemd_write_inhibit_pipes($1)
	')
')

########################################
## <summary>
##	Make the specified type usable as a virt image
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a virtual image
##	</summary>
## </param>
#
interface(`virt_image',`
	gen_require(`
		attribute virt_image_type;
	')

	typeattribute $1 virt_image_type;
	files_type($1)
	# virt images can be assigned to blk devices
	dev_node($1)
')

#######################################
## <summary>
##	Getattr on virt executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_getattr_exec',`
	gen_require(`
		attribute virt_driver_executable;
		type virtd_exec_t;
	')

	allow $1 virtd_exec_t:file getattr;
	allow $1 virt_driver_executable:file getattr;
')

########################################
## <summary>
##	Execute a domain transition to run virt.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`virt_domtrans',`
	gen_require(`
		type virtd_t, virtd_exec_t;
	')

	domtrans_pattern($1, virtd_exec_t, virtd_t)
')

########################################
## <summary>
##	Execute virtd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_exec',`
	gen_require(`
		attribute virt_driver_executable;
		type virtd_exec_t;
	')

	# No domain transition: the binaries run with the caller's label.
	can_exec($1, virtd_exec_t)
	can_exec($1, virt_driver_executable)
')

########################################
## <summary>
##	Allow caller domain to run bpftool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_prog_run_bpf',`
	gen_require(`
		type virtd_t;
	')

	# Covers loading and running BPF programs and managing maps owned by
	# virtd_t, not just reading them.
	allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };
')

#######################################
## <summary>
##	Connect to virt over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stream_connect',`
	gen_require(`
		attribute virt_driver_domain;
		attribute virt_driver_var_run;
		type virtd_t, virt_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
	stream_connect_pattern($1, virt_driver_var_run, virt_driver_var_run, virt_driver_domain)
')

########################################
## <summary>
##	Read and write to virt_domain unix
##	stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_rw_stream_sockets_virt_domain',`
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:unix_stream_socket { read write };
')

#######################################
## <summary>
##	Connect to svirt process over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stream_connect_svirt',`
	gen_require(`
		type svirt_t;
		type svirt_image_t;
	')

	stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t)
')

########################################
## <summary>
##	Read and write to svirt unix
##	stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_rw_stream_sockets_svirt',`
	gen_require(`
		type svirt_t;
	')

	allow $1 svirt_t:unix_stream_socket { getopt read setopt write };
')

########################################
## <summary>
##	Allow domain to attach to virt TUN devices
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_attach_tun_iface',`
	gen_require(`
		attribute virt_driver_domain;
		type virtd_t;
	')

	# The caller takes over a tun_socket created by virtd / a driver
	# domain by relabeling it to its own label.
	allow $1 virtd_t:tun_socket relabelfrom;
	allow $1 virt_driver_domain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')

########################################
## <summary>
##	Allow domain to attach to virt sandbox TUN devices
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_attach_sandbox_tun_iface',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
')

########################################
## <summary>
##	Read virt config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_config',`
	gen_require(`
		type virt_etc_t, virt_etc_rw_t;
	')

	files_search_etc($1)
	read_files_pattern($1, virt_etc_t, virt_etc_t)
	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')

########################################
## <summary>
##	Manage virt config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_config',`
	gen_require(`
		type virt_etc_t, virt_etc_rw_t;
	')

	# Note this grants write access to virt_etc_t too, which
	# virt_read_config and virt_driver_template treat as read-only.
	files_search_etc($1)
	manage_files_pattern($1, virt_etc_t, virt_etc_t)
	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
')

########################################
## <summary>
##	Allow domain to getattr virt content files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_getattr_content',`
	gen_require(`
		type virt_content_t;
	')

	allow $1 virt_content_t:file getattr_file_perms;
')

########################################
## <summary>
##	Allow domain to read virt content files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_content',`
	gen_require(`
		type virt_content_t;
	')

	virt_search_lib($1)
	allow $1 virt_content_t:dir list_dir_perms;
	# map is needed for mmap()-based readers; it is not part of the
	# read_*_pattern macros.
	allow $1 virt_content_t:blk_file map;
	allow $1 virt_content_t:file map;
	list_dirs_pattern($1, virt_content_t, virt_content_t)
	read_files_pattern($1, virt_content_t, virt_content_t)
	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
	read_blk_files_pattern($1, virt_content_t, virt_content_t)
	read_chr_files_pattern($1, virt_content_t, virt_content_t)

	# Remote content is only readable when the admin enables the booleans.
	tunable_policy(`virt_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
		fs_read_nfs_symlinks($1)
	')

	tunable_policy(`virt_use_samba',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
		fs_read_cifs_symlinks($1)
	')
')

########################################
## <summary>
##	Allow domain to write virt content files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_write_content',`
	gen_require(`
		type virt_content_t;
	')

	allow $1 virt_content_t:file write_file_perms;
')

########################################
## <summary>
##	Read virt PID symlinks files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_pid_symlinks',`
	gen_require(`
		attribute virt_driver_var_run;
		type virt_var_run_t;
	')

	files_search_pids($1)
	read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
	read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
')

########################################
## <summary>
##	Read virt PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_pid_files',`
	gen_require(`
		attribute virt_driver_var_run;
		type virt_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
	read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
	read_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
	read_lnk_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
')

########################################
## <summary>
##	Manage virt pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_pid_dirs',`
	gen_require(`
		attribute virt_driver_var_run;
		type virt_var_run_t;
		type virt_lxc_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
	manage_dirs_pattern($1, virt_driver_var_run, virt_driver_var_run)
	manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
	# Also get the named transitions so directories created under the
	# generic pid dir receive the right label.
	virt_filetrans_named_content($1)
')

########################################
## <summary>
##	Manage virt pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_pid_files',`
	gen_require(`
		attribute virt_driver_var_run;
		type virt_var_run_t;
		type virt_lxc_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
	manage_files_pattern($1, virt_driver_var_run, virt_driver_var_run)
	manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
')

########################################
## <summary>
##	Create objects in the pid directory
##	with a private type with a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Type to which the created node will be transitioned.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`virt_pid_filetrans',`
	gen_require(`
		attribute virt_driver_var_run;
		type virt_var_run_t;
	')

	filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
	filetrans_pattern($1, virt_driver_var_run, $2, $3, $4)
')

########################################
## <summary>
##	Search virt lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_search_lib',`
	gen_require(`
		type virt_var_lib_t;
	')

	allow $1 virt_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read virt lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_lib_files',`
	gen_require(`
		type virt_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
	list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t)
	read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')

########################################
## <summary>
##	Dontaudit inherited read virt lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`virt_dontaudit_read_lib_files',`
	gen_require(`
		type virt_var_lib_t;
	')

	dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	virt lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_lib_files',`
	gen_require(`
		type virt_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
')

########################################
## <summary>
##	Allow the specified domain to read virt's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`virt_read_log',`
	gen_require(`
		type virt_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, virt_log_t, virt_log_t)
')

########################################
## <summary>
##	Allow the specified domain to append
##	virt log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_append_log',`
	gen_require(`
		type virt_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, virt_log_t, virt_log_t)
')

########################################
## <summary>
##	Allow domain to manage virt log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_log',`
	gen_require(`
		type virt_log_t;
	')

	manage_dirs_pattern($1, virt_log_t, virt_log_t)
	manage_files_pattern($1, virt_log_t, virt_log_t)
	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
')

########################################
## <summary>
##	Allow domain to getattr virt image files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_getattr_images',`
	gen_require(`
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:file getattr_file_perms;
')

########################################
## <summary>
##	Allow domain to search virt image directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_search_images',`
	gen_require(`
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir search_dir_perms;
')

########################################
## <summary>
##	Allow domain to read virt image files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_images',`
	gen_require(`
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir list_dir_perms;
	list_dirs_pattern($1, virt_image_type, virt_image_type)
	read_files_pattern($1, virt_image_type, virt_image_type)
	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
	read_blk_files_pattern($1, virt_image_type, virt_image_type)
	read_chr_files_pattern($1, virt_image_type, virt_image_type)

	# Same boolean gating as virt_read_content for remote image stores.
	tunable_policy(`virt_use_nfs',`
		fs_list_nfs($1)
		fs_read_nfs_files($1)
		fs_read_nfs_symlinks($1)
	')

	tunable_policy(`virt_use_samba',`
		fs_list_cifs($1)
		fs_read_cifs_files($1)
		fs_read_cifs_symlinks($1)
	')
')

########################################
## <summary>
##	Allow domain to read virt blk image files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_blk_images',`
	gen_require(`
		attribute virt_image_type;
	')

	read_blk_files_pattern($1, virt_image_type, virt_image_type)
')

########################################
## <summary>
##	Allow domain to read/write virt image chr files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_rw_chr_files',`
	gen_require(`
		attribute virt_image_type;
	')

	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
')

########################################
## <summary>
##	Create, read, write, and delete
##	svirt cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_cache',`
	gen_require(`
		type virt_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
	manage_files_pattern($1, virt_cache_t, virt_cache_t)
	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
')

########################################
## <summary>
##	Allow domain to manage virt image files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_images',`
	gen_require(`
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir list_dir_perms;
	manage_dirs_pattern($1, virt_image_type, virt_image_type)
	manage_files_pattern($1, virt_image_type, virt_image_type)
	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
	# Block/char images are read-write but not created or unlinked here.
	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
')

#######################################
## <summary>
##	Allow domain to manage virt_image_t files
##	(the default image type only, not the whole attribute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_default_image_type',`
	gen_require(`
		type virt_image_t;
	')

	virt_search_lib($1)
	manage_dirs_pattern($1, virt_image_t, virt_image_t)
	manage_files_pattern($1, virt_image_t, virt_image_t)
	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
')

#######################################
## <summary>
##	Get virtd services status
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virtd_service_status',`
	gen_require(`
		type virtd_unit_file_t;
	')

	allow $1 virtd_unit_file_t:service status;
')

######################################## 
## <summary>
##	Manage the virtd service via systemctl
##	(start, stop, reload and reading its unit file).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_systemctl',`
	gen_require(`
		type virtd_unit_file_t;
		type virtd_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 virtd_unit_file_t:file read_file_perms;
	allow $1 virtd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, virtd_t)
')

########################################
## <summary>
##	Ptrace the svirt domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_ptrace',`
	gen_require(`
		attribute virt_domain;
	')

	# Unconditional, unlike virt_admin which gates ptrace on deny_ptrace.
	allow $1 virt_domain:process ptrace;
')

#######################################
## <summary>
##	Execute Sandbox Files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_exec_sandbox_files',`
	gen_require(`
		attribute svirt_file_type;
	')

	can_exec($1, svirt_file_type)
')

########################################
## <summary>
##	Allow any svirt_file_type to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`virt_sandbox_entrypoint',`
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:file entrypoint;
')

#######################################
## <summary>
##	List Sandbox Dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_list_sandbox_dirs',`
	gen_require(`
		type svirt_sandbox_file_t;
	')

	list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
')

#######################################
## <summary>
##	Read Sandbox Files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_sandbox_files',`
	gen_require(`
		attribute svirt_file_type;
	')

	list_dirs_pattern($1, svirt_file_type, svirt_file_type)
	read_files_pattern($1, svirt_file_type, svirt_file_type)
	read_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
')

#######################################
## <summary>
##	Manage Sandbox Files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_sandbox_files',`
	gen_require(`
		attribute svirt_file_type;
	')

	manage_dirs_pattern($1, svirt_file_type, svirt_file_type)
	manage_files_pattern($1, svirt_file_type, svirt_file_type)
	manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type)
	manage_chr_files_pattern($1, svirt_file_type, svirt_file_type)
	manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
	# Relabel in both directions across every file class: the caller can
	# move objects into and out of any svirt_file_type label.
	allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto };
')

#######################################
## <summary>
##	Getattr Sandbox File systems
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_getattr_sandbox_filesystem',`
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:filesystem getattr;
')

#######################################
## <summary>
##	Relabel Sandbox File systems
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_relabel_sandbox_filesystem',`
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:filesystem { relabelfrom relabelto };
')

#######################################
## <summary>
##	Mounton Sandbox Files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_mounton_sandbox_file',`
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:dir_file_class_set mounton;
')

#######################################
## <summary>
##	Connect to sandbox domains over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_stream_connect_sandbox',`
	gen_require(`
		attribute svirt_sandbox_domain;
		attribute svirt_file_type;
	')

	files_search_pids($1)
	stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain)
	# Reverse direction: the sandbox may read the caller's /proc state.
	ps_process_pattern(svirt_sandbox_domain, $1)
')

########################################
## <summary>
##	Execute qemu in the svirt domain, and
##	allow the specified role the svirt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`virt_transition_svirt',`
	gen_require(`
		attribute virt_domain;
		type svirt_image_t;
		type svirt_socket_t;
	')

	allow $1 virt_domain:process transition;
	role $2 types virt_domain;
	role $2 types svirt_socket_t;

	optional_policy(`
		virt_bridgehelper_role($2)
	')

	allow $1 virt_domain:process { sigkill signal signull sigstop };

	# The caller relabels guest-facing objects into svirt_image_t; only
	# file objects may also be relabeled away from it.
	allow $1 svirt_image_t:file { relabelfrom relabelto };
	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
	allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
	allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;

	optional_policy(`
		ptchown_run(virt_domain, $2)
	')
')

########################################
## <summary>
##	Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`virt_dontaudit_write_pipes',`
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:fd use;
	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')

########################################
## <summary>
##	Send a sigkill to virtual machines
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_kill_svirt',`
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process sigkill;
')

########################################
## <summary>
##	Send a sigkill to virtd daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_kill',`
	gen_require(`
		attribute virt_driver_domain;
		type virtd_t;
	')

	allow $1 virtd_t:process sigkill;
	allow $1 virt_driver_domain:process sigkill;
')

########################################
## <summary>
##	Send a signal to virtd daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_signal',`
	gen_require(`
		attribute virt_driver_domain;
		type virtd_t;
	')

	allow $1 virtd_t:process signal;
	allow $1 virt_driver_domain:process signal;
')

########################################
## <summary>
##	Send null signal to virtd daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_signull',`
	gen_require(`
		attribute virt_driver_domain;
		type virtd_t;
	')

	allow $1 virtd_t:process signull;
	allow $1 virt_driver_domain:process signull;
')

########################################
## <summary>
##	Send a signal to virtual machines
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_signal_svirt',`
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process signal;
')

########################################
## <summary>
##	Send a signal to sandbox domains
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_signal_sandbox',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	allow $1 svirt_sandbox_domain:process signal;
')

########################################
## <summary>
##	Manage virt home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_home_files',`
	gen_require(`
		type virt_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, virt_home_t, virt_home_t)
')

########################################
## <summary>
##	Allow domain to read
##	virt tmpfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`virt_read_tmpfs_files',`
	gen_require(`
		attribute virt_tmpfs_type;
	')

	allow $1 virt_tmpfs_type:file read_file_perms;
')

########################################
## <summary>
##	Allow domain to manage
##	virt tmpfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
interface(`virt_manage_tmpfs_files',`
	gen_require(`
		attribute virt_tmpfs_type;
	')

	allow $1 virt_tmpfs_type:file manage_file_perms;
')

########################################
## <summary>
##	Create .virt directory in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_filetrans_home_content',`
	gen_require(`
		type virt_home_t;
		type svirt_home_t;
	')

	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")

	optional_policy(`
		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
		gnome_data_filetrans($1, svirt_home_t, dir, "images")
		gnome_data_filetrans($1, svirt_home_t, dir, "boot")
	')
')

########################################
## <summary>
##	Dontaudit attempts to read virt_image_type devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`virt_dontaudit_read_chr_dev',`
	gen_require(`
		attribute virt_image_type;
	')

	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Make the specified type usable as a virt file type
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a virt file type
##	</summary>
## </param>
#
interface(`virt_file_types',`
	gen_require(`
		attribute virt_file_type;
	')

	typeattribute $1 virt_file_type;
')

########################################
## <summary>
##	Make the specified type usable as a svirt file type
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a svirt file type
##	</summary>
## </param>
#
interface(`svirt_file_types',`
	gen_require(`
		attribute svirt_file_type;
	')

	typeattribute $1 svirt_file_type;
')

########################################
## <summary>
##	Creates types and rules for a basic
##	virt_lxc process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`virt_sandbox_domain_template',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	type $1_t, svirt_sandbox_domain;
	domain_type($1_t)
	domain_user_exemption_target($1_t)
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	role system_r types $1_t;

	logging_send_syslog_msg($1_t)

	kernel_read_system_state($1_t)
	# Broader than kernel_read_system_state: the sandbox may read the
	# /proc entries of every process, not only its own.
	kernel_read_all_proc($1_t)

	# The typebounds that would cap $1_t at the container runtime's
	# permissions is currently disabled.
	# optional_policy(`
	#	container_runtime_typebounds($1_t)
	# ')
')

########################################
## <summary>
##	Make the specified type usable as a lxc domain
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a lxc domain
##	</summary>
## </param>
#
template(`virt_sandbox_domain',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	typeattribute $1 svirt_sandbox_domain;
')

########################################
## <summary>
##	Make the specified type usable as a lxc network domain
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a lxc network domain
##	</summary>
## </param>
#
template(`virt_sandbox_net_domain',`
	gen_require(`
		attribute sandbox_net_domain;
	')

	virt_sandbox_domain($1)
	typeattribute $1 sandbox_net_domain;
')

########################################
## <summary>
##	Make the specified type usable as a virt system domain
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a virt system domain
##	</summary>
## </param>
#
interface(`virt_system_domain_type',`
	gen_require(`
		attribute virt_system_domain;
	')

	typeattribute $1 virt_system_domain;
')

########################################
## <summary>
##	Transition to virt named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_filetrans_named_content',`
	gen_require(`
		type virt_lxc_var_run_t;
		type virt_var_run_t;
	')

	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
')

########################################
## <summary>
##	Execute qemu in the svirt domain, and
##	allow the specified role the svirt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`virt_transition_svirt_sandbox',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	allow $1 svirt_sandbox_domain:process { signal_perms transition };
	role $2 types svirt_sandbox_domain;
	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
	# The sandbox inherits the caller's fds and reports exit via sigchld.
	allow svirt_sandbox_domain $1:fd use;
	allow svirt_sandbox_domain $1:process sigchld;
	ps_process_pattern($1, svirt_sandbox_domain)
')

########################################
## <summary>
##	Read the process state of virt sandbox containers
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_sandbox_read_state',`
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	ps_process_pattern($1, svirt_sandbox_domain)
')

########################################
## <summary>
##	Read and write to svirt_image devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_rw_svirt_dev',`
	gen_require(`
		type svirt_image_t;
	')

	allow $1 svirt_image_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Read and write to svirt_image files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_rw_svirt_image',`
	gen_require(`
		type svirt_image_t;
	')

	allow $1 svirt_image_t:file rw_file_perms;
')

########################################
## <summary>
##	Allow the caller's resource limits to be
##	inherited across a transition into virtd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_rlimitinh',`
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:process { rlimitinh };
')

########################################
## <summary>
##	Allow a transition from the caller into virtd_t to
##	skip secure-exec (AT_SECURE) handling, and to inherit
##	the caller's resource limits.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_noatsecure',`
	gen_require(`
		type virtd_t;
	')

	# noatsecure means the loader will not sanitize the environment on
	# the transition; grant only to callers whose environment is trusted.
	allow $1 virtd_t:process { noatsecure rlimitinh };
')

########################################
## <summary>
##	All of the rules required to administrate
##	a virt environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`virt_admin',`
	gen_require(`
		attribute virt_domain;
		attribute virt_system_domain;
		attribute svirt_file_type;
		attribute virt_file_type;
		type virtd_initrc_exec_t;
		type virtd_unit_file_t;
	')

	allow $1 virt_system_domain:process signal_perms;
	allow $1 virt_domain:process signal_perms;
	ps_process_pattern($1, virt_system_domain)
	ps_process_pattern($1, virt_domain)

	# ptrace of daemons and guests is withheld when deny_ptrace is set.
	tunable_policy(`deny_ptrace',`',`
		allow $1 virt_system_domain:process ptrace;
		allow $1 virt_domain:process ptrace;
	')

	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 virtd_initrc_exec_t system_r;
	allow $2 system_r;

	# NOTE(review): duplicate of the virt_domain signal_perms rule above;
	# harmless (rules are merged) but can be dropped.
	allow $1 virt_domain:process signal_perms;

	admin_pattern($1, virt_file_type)
	admin_pattern($1, svirt_file_type)

	virt_systemctl($1)
	allow $1 virtd_unit_file_t:service all_service_perms;

	virt_stream_connect_sandbox($1)
	virt_stream_connect_svirt($1)
	virt_stream_connect($1)
')

#######################################
## <summary>
##	Give the specified type the default
##	sandbox capability set (sandbox_caps_domain).
## </summary>
## <param name="type">
##	<summary>
##	Type to be added to sandbox_caps_domain.
##	</summary>
## </param>
#
interface(`virt_default_capabilities',`
	gen_require(`
		attribute sandbox_caps_domain;
	')

	typeattribute $1 sandbox_caps_domain;
')

########################################
## <summary>
##	Send and receive messages from
##	virt over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_dbus_chat',`
	gen_require(`
		attribute virt_driver_domain;
		type virtd_t;
		class dbus send_msg;
	')

	allow $1 virtd_t:dbus send_msg;
	allow virtd_t $1:dbus send_msg;
	allow $1 virt_driver_domain:dbus send_msg;
	allow virt_driver_domain $1:dbus send_msg;
	# Daemons may inspect the peer's /proc state (e.g. for credential
	# lookups); the caller gets no such access in return here.
	ps_process_pattern(virtd_t, $1)
	ps_process_pattern(virt_driver_domain, $1)
')

########################################
## <summary>
##	Execute a file in a sandbox directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a sandbox directory
##	in the specified domain. This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
interface(`virt_sandbox_domtrans',`
	gen_require(`
		type container_file_t;
	')

	# Any container_file_t file is a valid entrypoint into $2, so the
	# trust boundary is the labeling of that content, not a specific binary.
	domtrans_pattern($1, container_file_t, $2)
')

########################################
## <summary>
##	Dontaudit read the process state (/proc/pid) of libvirt
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`virt_dontaudit_read_state',`
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:dir search_dir_perms;
	dontaudit $1 virtd_t:file read_file_perms;
	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
')

#######################################
## <summary>
##	Send to libvirt with a unix dgram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_dgram_send',`
	gen_require(`
		type virtd_t, virt_var_run_t;
	')

	files_search_pids($1)
	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')

########################################
## <summary>
##	Manage svirt home files, dirs and sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_svirt_manage_home',`
	gen_require(`
		type svirt_home_t;
	')

	manage_files_pattern($1, svirt_home_t, svirt_home_t)
	manage_dirs_pattern($1, svirt_home_t, svirt_home_t)
	manage_sock_files_pattern($1, svirt_home_t, svirt_home_t)
')

########################################
## <summary>
##	Write svirt tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_svirt_write_tmp',`
	gen_require(`
		type svirt_tmp_t;
	')

	write_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
')

########################################
## <summary>
##	Manage svirt tmp files, dirs and sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_svirt_manage_tmp',`
	gen_require(`
		type svirt_tmp_t;
	')

	manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
	manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t)
	manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
')

########################################
## <summary>
##	Read qemu PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_read_qemu_pid_files',`
	gen_require(`
		type qemu_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t)
	read_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')

########################################
## <summary>
##	Write qemu PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_write_qemu_pid_files',`
	gen_require(`
		type qemu_var_run_t;
	')

	files_search_pids($1)
	write_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')

########################################
## <summary>
##	Create qemu PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_create_qemu_pid_files',`
	gen_require(`
		type qemu_var_run_t;
	')

	files_search_pids($1)
	create_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')

########################################
## <summary>
##	Manage qemu PID socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`virt_manage_qemu_pid_sock_files',`
	gen_require(`
		type qemu_var_run_t;
	')

	files_search_pids($1)
	manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
')