171 lines
3.9 KiB
Text
171 lines
3.9 KiB
Text
policy_module(hypervkvp, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute hyperv_domain;
|
|
|
|
type hypervkvp_t, hyperv_domain;
|
|
type hypervkvp_exec_t;
|
|
init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
|
|
|
|
type hypervkvp_initrc_exec_t;
|
|
init_script_file(hypervkvp_initrc_exec_t)
|
|
|
|
type hypervkvp_unit_file_t;
|
|
systemd_unit_file(hypervkvp_unit_file_t)
|
|
|
|
type hypervkvp_var_lib_t;
|
|
files_type(hypervkvp_var_lib_t)
|
|
|
|
type hypervkvp_tmp_t;
|
|
files_tmpfs_file(hypervkvp_tmp_t)
|
|
|
|
type hypervvssd_t, hyperv_domain;
|
|
type hypervvssd_exec_t;
|
|
init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
|
|
|
|
type hypervvssd_unit_file_t;
|
|
systemd_unit_file(hypervvssd_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
# hyperv domain local policy
|
|
#
|
|
|
|
allow hyperv_domain self:capability net_admin;
|
|
allow hyperv_domain self:netlink_socket create_socket_perms;
|
|
|
|
allow hyperv_domain self:fifo_file rw_fifo_file_perms;
|
|
allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
corecmd_exec_shell(hyperv_domain)
|
|
corecmd_exec_bin(hyperv_domain)
|
|
|
|
dev_read_sysfs(hyperv_domain)
|
|
|
|
########################################
|
|
#
|
|
# hypervkvp local policy
|
|
#
|
|
|
|
allow hypervkvp_t self:capability sys_ptrace;
|
|
allow hypervkvp_t self:process setfscreate;
|
|
allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
|
manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
|
|
manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
|
|
files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
|
|
|
|
manage_files_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
|
|
manage_dirs_pattern(hypervkvp_t, hypervkvp_tmp_t, hypervkvp_tmp_t)
|
|
files_tmp_filetrans(hypervkvp_t, hypervkvp_tmp_t, { file dir })
|
|
|
|
kernel_read_system_state(hypervkvp_t)
|
|
kernel_read_network_state(hypervkvp_t)
|
|
kernel_request_load_module(hypervkvp_t)
|
|
kernel_rw_net_sysctls(hypervkvp_t)
|
|
|
|
corecmd_getattr_all_executables(hypervkvp_t)
|
|
|
|
dev_rw_hypervkvp(hypervkvp_t)
|
|
|
|
domain_read_all_domains_state(hypervkvp_t)
|
|
|
|
seutil_exec_setfiles(hypervkvp_t)
|
|
seutil_read_file_contexts(hypervkvp_t)
|
|
|
|
domain_read_all_domains_state(hypervkvp_t)
|
|
|
|
dev_read_urand(hypervkvp_t)
|
|
|
|
files_dontaudit_search_home(hypervkvp_t)
|
|
files_dontaudit_getattr_non_security_files(hypervkvp_t)
|
|
|
|
fs_getattr_all_fs(hypervkvp_t)
|
|
fs_read_hugetlbfs_files(hypervkvp_t)
|
|
fs_list_hugetlbfs(hypervkvp_t)
|
|
|
|
auth_use_nsswitch(hypervkvp_t)
|
|
|
|
logging_send_syslog_msg(hypervkvp_t)
|
|
logging_read_syslog_config(hypervkvp_t)
|
|
|
|
libs_exec_ldconfig(hypervkvp_t)
|
|
|
|
modutils_domtrans_kmod(hypervkvp_t)
|
|
|
|
seutil_domtrans_setfiles(hypervkvp_t)
|
|
|
|
sysnet_dns_name_resolve(hypervkvp_t)
|
|
sysnet_domtrans_dhcpc(hypervkvp_t)
|
|
sysnet_domtrans_ifconfig(hypervkvp_t)
|
|
|
|
sysnet_manage_dhcpc_pid(hypervkvp_t)
|
|
sysnet_signal_dhcpc(hypervkvp_t)
|
|
|
|
sysnet_manage_config(hypervkvp_t)
|
|
sysnet_read_dhcpc_state(hypervkvp_t)
|
|
sysnet_read_dhcp_config(hypervkvp_t)
|
|
sysnet_etc_filetrans_config(hypervkvp_t)
|
|
|
|
systemd_exec_systemctl(hypervkvp_t)
|
|
|
|
userdom_dontaudit_search_admin_dir(hypervkvp_t)
|
|
|
|
optional_policy(`
|
|
brctl_domtrans(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_read_pid_files(hypervkvp_t)
|
|
dbus_system_bus_client(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
firewalld_dbus_chat(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
netutils_domtrans_ping(hypervkvp_t)
|
|
netutils_domtrans(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_read_pid_files(hypervkvp_t)
|
|
networkmanager_dbus_chat(hypervkvp_t)
|
|
networkmanager_write_rw_conf(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_exec_ifconfig(hypervkvp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_exec(hypervkvp_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# hypervvssd local policy
|
|
#
|
|
|
|
allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
|
|
|
|
dev_rw_hypervvssd(hypervvssd_t)
|
|
|
|
files_list_boot(hypervvssd_t)
|
|
|
|
files_list_all_mountpoints(hypervvssd_t)
|
|
files_write_all_mountpoints(hypervvssd_t)
|
|
files_list_non_auth_dirs(hypervvssd_t)
|
|
|
|
logging_send_syslog_msg(hypervvssd_t)
|
|
|
|
storage_raw_read_fixed_disk(hypervvssd_t)
|