commit:     3e4daaf3bad04646ec4d16fba6dfe802ad2dd77e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 31 15:03:49 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:32:41 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e4daaf3

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
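Review bot: The `setrlimit` added to the `allow virtd_t self:process { ... }` rule is now granted unconditionally, while the last hunk (`tunable_policy(`virt_use_vfio',` block) removes the same permission from behind the tunable, and the commit title ("WIP virt: image type perms") does not record why the grant moves out of the tunable. The `sys_resource` capability it is usually paired with (needed only when a hard limit is raised) stays inside the tunable, so a reader cannot tell whether libvirtd is expected to adjust only soft limits on the non-VFIO path or whether the capability was simply left behind. If the former is the case, a comment above the rule would keep the next maintainer from moving it back, e.g. `# libvirtd adjusts its own rlimits outside the vfio path; sys_resource (hard limits) stays behind virt_use_vfio`. If that is not established, keeping setrlimit behind `virt_use_vfio` is the smaller change.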
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
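Review bot: `manage_dir_perms` in the new `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };` looks redundant: the hunk header shows `manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)` and the first context line is `manage_lnk_files_pattern(...)`, which reads like the tail of the usual manage_*_pattern run, and if a `manage_dirs_pattern(virtd_t, virt_image_type, virt_image_type)` sits just above the hunk it already grants manage_dir_perms on those directories. The neighbouring rules for file, blk_file and chr_file each grant only their relabel_*_perms, so the consistent form is `allow virtd_t virt_image_type:dir relabel_dir_perms;`. If no manage_dirs_pattern exists above (I cannot see it from the hunk), the line is fine as written but deserves a comment saying that it is the only dir grant for image directories.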
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
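Review bot: The rewritten `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)` grants virtd_t write on any sock_file carrying the `virt_image_type` attribute, i.e. every image type, not one socket type; that is a wide grant for what is presumably a single socket created beside the disk images. A comment stating which socket lives under the image directory would document the reason for using the attribute, e.g. `# <which socket> is created beside the image files and so carries the image label` (placeholder, fill in the socket), and a dedicated sock_file type would bound the grant to it. The second set, `{ virt_image_type svirt_var_run_t}`, is also missing the space before `}` that the first set and the rest of the file use. The dir-search half of the pattern appears already covered by the `virt_image_type:dir` rules this commit adds in the earlier hunk, so the sock_file half is the only new access here.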
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
        allow virtd_t self:capability sys_resource;
-       allow virtd_t self:process setrlimit;
        allow virtd_t svirt_t:process rlimitinh;
        dev_relabelfrom_vfio_dev(virtd_t)
 ')
