[xen] Add policy for xen #12

Merged
merged 1 commit into from
Dec 6, 2023
20 changes: 20 additions & 0 deletions policy/modules/admin/brctl.if
Expand Up @@ -19,6 +19,26 @@ interface(`brctl_domtrans',`
domtrans_pattern($1, brctl_exec_t, brctl_t)
')

########################################
## <summary>
## Allow a specified domain to execute, execute without transition,
## get attributes, map, open, and read the brctl_exec_t file type.
## </summary>
## <param name="domain">
## <summary>
## Domain being granted permissions on brctl_exec_t file type.
## </summary>
## </param>
#
interface(`brctl_exec_permissions',`
gen_require(`
type brctl_exec_t;
')

allow $1 brctl_exec_t:file exec_file_perms;
')


########################################
## <summary>
## Execute brctl in the brctl domain, and
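Review bot: The new `brctl_exec_permissions` interface lets the caller run brctl without a domain transition, so the bridge tool executes with the calling domain's permissions (xm_t, per this PR's xen.te change) instead of being confined to brctl_t as the `brctl_domtrans` interface just above provides. If running in the caller's domain is intended, the summary should say so and why; otherwise the caller should use the transition interface. On style, the interface would conventionally be named `brctl_exec` and written with the `can_exec($1, brctl_exec_t)` macro rather than a raw allow rule.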
21 changes: 21 additions & 0 deletions policy/modules/kernel/files.if
Expand Up @@ -6978,6 +6978,27 @@ interface(`files_rw_runtime_files',`
rw_files_pattern($1, var_run_t, var_run_t)
')

########################################
## <summary>
## Allow a specified domain to create, lock, open, read, and write
## files labeled with var_run_t. This is a generic interface that can be
## applied to any domain passed as a parameter.
## </summary>
## <param name="domain">
## <summary>
## Domain being granted file operation permissions on var_run_t file type.
## </summary>
## </param>
#
interface(`var_run_file_operations',`
gen_require(`
type var_run_t;
')

allow $1 var_run_t:file manage_file_perms;
')


########################################
## <summary>
## Delete generic runtime symlinks.
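Review bot: The summary for `var_run_file_operations` lists create, lock, open, read and write, but the rule grants `manage_file_perms`, which in the reference policy also covers setattr, append, rename, link and unlink, so the documented grant is narrower than the real one. var_run_t is the generic runtime label, so every caller (iptables_t, ifconfig_t and xm_t in this PR) gains modify and delete access to any runtime file that has no more specific type; a dedicated type for the xen-related files would contain that. The name also lacks the `files_` module prefix used by `files_rw_runtime_files` directly above, and the raw allow omits the directory permissions that the pattern form `manage_files_pattern($1, var_run_t, var_run_t)` would include.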
4 changes: 3 additions & 1 deletion policy/modules/system/iptables.te
Expand Up @@ -103,7 +103,9 @@ sysnet_dns_name_resolve(iptables_t)

userdom_use_inherited_user_terminals(iptables_t)


dev_rw_xen(iptables_t)
xen_append_log(iptables_t)
var_run_file_operations(iptables_t)

optional_policy(`
# iptables may try to rw /ptmx in a container
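Review bot: `xen_append_log(iptables_t)` is called unconditionally, which makes the iptables module depend on the xen module being present; it belongs inside an `optional_policy` block like the one that starts on the following lines. The three added calls also carry no comment saying why a packet-filter domain needs read/write on the xen device and manage access to generic runtime files. If the access comes from descriptors inherited from xen scripts (an assumption, not visible here), a dontaudit or inherited-descriptor rule would be narrower. The same applies to the `dev_rw_xen(ifconfig_t)` and `var_run_file_operations(ifconfig_t)` additions in sysnetwork.te.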
4 changes: 4 additions & 0 deletions policy/modules/system/sysnetwork.te
Expand Up @@ -369,6 +369,10 @@ seutil_use_runinit_fds(ifconfig_t)

sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)

dev_rw_xen(ifconfig_t)

var_run_file_operations(ifconfig_t)

# For "ip netns identify $$"
userdom_read_all_users_state(ifconfig_t)
userdom_use_user_terminals(ifconfig_t)
10 changes: 10 additions & 0 deletions policy/modules/system/xen.te
Expand Up @@ -562,6 +562,16 @@ userdom_dontaudit_search_user_home_content(xm_t)

dev_rw_xen(xm_t)

brctl_exec_permissions(xm_t)

files_map_etc_files(xm_t)

write_logging_runtime_dirs(xm_t)

files_manage_var_run_dirs(xm_t)

var_run_file_operations(xm_t)

tunable_policy(`xen_use_fusefs',`
fs_manage_fusefs_dirs(xm_t)
fs_manage_fusefs_files(xm_t)
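Review bot: `write_logging_runtime_dirs(xm_t)` has no definition in any file section shown for this PR and does not follow the `<module>_` prefix naming of the calls around it, so confirm it is defined elsewhere or the policy will not build. Together, `files_manage_var_run_dirs` and `var_run_file_operations` give xm_t create and delete rights over generically labelled runtime directories and files; labelling the xen paths with a xen-specific runtime type through a file type transition would avoid opening the generic type. A short comment above each new call naming the xen tool operation that needs it would help later audits.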