From 6130d52b7c8a7727782ebbe2da927a60ad1b28e2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 27 2009 00:01:52 +0000 Subject: - Fixes for svirt --- diff --git a/policy-20090105.patch b/policy-20090105.patch index 5a10e59..225ba98 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -4524,8 +4524,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.10/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-03-05 14:09:51.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-24 15:09:41.000000000 -0400 -@@ -91,6 +91,7 @@ ++++ serefpolicy-3.6.10/policy/modules/kernel/devices.fc 2009-03-25 08:24:42.000000000 -0400 +@@ -91,6 +90,7 @@ /dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0) /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -12127,7 +12127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.10/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-24 10:36:54.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/hal.te 2009-03-26 08:23:58.000000000 -0400 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
@@ -12251,7 +12251,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(hald_mac_t) ######################################## -@@ -418,3 +459,49 @@ +@@ -415,6 +456,53 @@ + + dev_rw_input_dev(hald_keymap_t) + ++files_read_etc_files(hald_keymap_t) files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -21299,7 +21303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.10/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-24 15:41:15.000000000 -0400 ++++ serefpolicy-3.6.10/policy/modules/services/virt.te 2009-03-26 14:25:09.000000000 -0400 @@ -8,20 +8,18 @@ ## @@ -21338,7 +21342,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,17 +50,40 @@ +@@ -48,17 +50,39 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -21351,7 +21355,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +virt_domain_template(svirt) -+virtual_separated_domain(svirt_t) +role system_r types svirt_t; + +type svirt_cache_t; @@ -21381,7 +21384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -67,7 +92,11 @@ +@@ -67,7 +91,11 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -21394,7 +21397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,6 +115,7 @@ +@@ -86,6 +114,7 @@ kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) kernel_load_module(virtd_t) @@ -21402,7 +21405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -96,7 +126,7 @@ +@@ -96,7 +125,7 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -21411,11 +21414,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_vnc_port(virtd_t) corenet_tcp_connect_vnc_port(virtd_t) corenet_tcp_connect_soundd_port(virtd_t) -@@ -104,21 +134,38 @@ +@@ -104,21 +133,39 @@ dev_read_sysfs(virtd_t) dev_read_rand(virtd_t) -+dev_read_kvm(virtd_t) ++dev_rw_kvm(virtd_t) +dev_getattr_all_chr_files(virtd_t) # Init script handling @@ -21440,6 +21443,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) ++fs_rw_anon_inodefs_files(virtd_t) +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) @@ -21451,19 +21455,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_getattr_pty_fs(virtd_t) term_use_ptmx(virtd_t) -@@ -129,6 +176,11 @@ +@@ -129,6 +176,13 @@ logging_send_syslog_msg(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) + ++virtual_transition(virtd_t) ++ +userdom_dontaudit_list_admin_dir(virtd_t) +userdom_getattr_all_users(virtd_t) +userdom_search_user_home_content(virtd_t) userdom_read_all_users_state(virtd_t) tunable_policy(`virt_use_nfs',` -@@ -167,22 +219,34 @@ +@@ -167,22 +221,34 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) 
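Review bot: The `++dev_rw_kvm(virtd_t)` line widens virtd_t's access to /dev/kvm from the earlier dev_read_kvm to read-write, and nothing in the hunk records which libvirtd operation needed more than read. A one-line comment above it, such as `# libvirtd needs more than read on /dev/kvm for <operation>`, would let the next reader tell a real requirement from a denial-driven over-grant; the same hunk adds `++fs_rw_anon_inodefs_files(virtd_t)` without a rationale either. The virtd_t policy section this hunk patches continues outside the hunk on both sides.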
@@ -21482,13 +21488,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + kerberos_keytab_template(virtd, virtd_t) +') ++ ++optional_policy(` ++ lvm_domtrans(virtd_t) ++') optional_policy(` - qemu_domtrans(virtd_t) -+ lvm_domtrans(virtd_t) -+') -+ -+optional_policy(` + polkit_domtrans_auth(virtd_t) + polkit_domtrans_resolve(virtd_t) + polkit_read_lib(virtd_t) @@ -21503,7 +21509,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -198,5 +262,76 @@ +@@ -198,5 +264,74 @@ ') optional_policy(` @@ -21524,8 +21530,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +# svirt local policy +# -+domain_user_exemption_target(svirt_t) -+allow virtd_t svirt_t:process { setsched transition signal signull sigkill }; + +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) @@ -29350,8 +29354,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No application file contexts. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.10/policy/modules/system/virtual.if --- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-24 09:03:48.000000000 -0400 -@@ -0,0 +1,118 @@ ++++ serefpolicy-3.6.10/policy/modules/system/virtual.if 2009-03-26 14:24:01.000000000 -0400 +@@ -0,0 +1,110 @@ +## Virtual machine emulator and virtualizer + +######################################## @@ -29385,32 +29389,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## -+## Make the specified type a virtual domain -+## -+## -+##
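Review bot: Dropping `-+domain_user_exemption_target(svirt_t)` from the svirt local policy and re-adding it in the virtual.te hunk at @@ -29517 as `++domain_user_exemption_target(virtualdomain)` widens the exemption from the single svirt_t type to every type that carries the virtualdomain attribute, which the commit message ("Fixes for svirt") does not mention. If the widening is intended, a comment beside the virtual.te line, e.g. `# exemption applies to every virtualdomain type, not only svirt_t`, would make that explicit; if not, the call belongs back on svirt_t. The removed `allow virtd_t svirt_t:process { setsched transition signal signull sigkill };` moves into the new virtual_transition interface (virtual.if hunk at @@ -29470) with the same widening of the target to all virtualdomain types, which is the expected shape for an interface as long as virtd_t stays its only caller. The svirt local policy section continues outside this hunk.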

-+## Make the specified type a virtual domain -+##

-+##

-+## Gives the basic access required for a virtual operatins system -+##

-+##
-+## -+## -+## Type granted access -+## -+## -+# -+interface(`virtual_separated_domain',` -+ gen_require(` -+ attribute virtualseparateddomain; -+ ') -+ -+ typeattribute $1 virtualseparateddomain; -+') -+ -+######################################## -+## +## Make the specified type usable as a virtual os image +## +## @@ -29470,10 +29448,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow $1 virtual_image_type:file { relabelfrom relabelto }; +') + ++######################################## ++## ++## Allow domain to transition and control virtualdomain ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`virtual_transition',` ++ gen_require(` ++ attribute virtualdomain; ++ ') ++ ++ allow $1 virtualdomain:process { setsched transition signal signull sigkill }; ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.10/policy/modules/system/virtual.te --- nsaserefpolicy/policy/modules/system/virtual.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-24 09:03:48.000000000 -0400 -@@ -0,0 +1,80 @@ ++++ serefpolicy-3.6.10/policy/modules/system/virtual.te 2009-03-26 14:21:16.000000000 -0400 +@@ -0,0 +1,81 @@ + +policy_module(virtualization, 1.1.2) + @@ -29517,6 +29513,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_rw_qemu(virtualdomain) + +domain_use_interactive_fds(virtualdomain) ++domain_user_exemption_target(virtualdomain) + +files_read_etc_files(virtualdomain) +files_read_usr_files(virtualdomain) diff --git a/selinux-policy.spec b/selinux-policy.spec index 61bca9b..b11bdb0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.10 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
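Review bot: The parameter description of the new virtual_transition interface, `Domain to not audit.`, is carried over from a dontaudit-style interface and does not describe an interface that grants `setsched transition signal signull sigkill`; it should read `Domain allowed to transition to and control virtualdomain types.`. The summary also says "transition", but the rule only grants the process permissions; the type_transition and entrypoint side is presumably supplied elsewhere (virt_domain_template in virt.te), and a sentence in the description saying so would spare callers from expecting this interface alone to set up the domain transition. The deletion of virtual_separated_domain in the preceding hunk leaves the `virtualseparateddomain` attribute it required with no user in this patch, so if virtual.te still declares it (that part of the file is outside this diff) the declaration is now dead.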
@@ -444,6 +444,9 @@ exit 0 %endif %changelog +* Thu Mar 26 2009 Dan Walsh 3.6.10-3 +- Fixes for svirt + * Thu Mar 19 2009 Dan Walsh 3.6.10-2 - Fixes to allow svirt read iso files in homedir