--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-08-07 11:15:02.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/apps/qemu.if 2008-08-14 13:53:54.000000000 -0400 @@ -48,6 +48,48 @@ allow qemu_t $3:chr_file rw_file_perms; ') +####################################### +## +## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used +## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`qemu_per_role_template_notrans',` + gen_require(` + type qemu_t; + ') + + role $3 types qemu_t; + + xserver_common_app($1, qemu_t) +') + ######################################## ## ## Allow the domain to read state files in /proc. @@ -104,7 +146,71 @@ ######################################## ## -## Execute a domain transition to run qemu unconfined. +## Execute qemu programs in the qemu domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the PAM domain. +## +## +## +## +## The type of the terminal allow the PAM domain to use. +## +## +# +interface(`qemu_runas',` + gen_require(` + type qemu_t; + ') + + qemu_domtrans($1) + allow qemu_t $3:chr_file rw_file_perms; +') + +######################################## +## +## Execute qemu programs in the role. +## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`qemu_role',` + gen_require(` + type qemu_t; + ') + role $1 types qemu_t; +') + +######################################## +## +## Execute qemu unconfined programs in the role. +## +## +## +## The role to allow the PAM domain. +## +## +# +interface(`qemu_unconfined_role',` + gen_require(` + type qemu_unconfined_t; + ') + role $1 types qemu_unconfined_t; +') + + +######################################## +## +## Execute a domain transition to run qemu. ## ## ## 
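Review bot: The summary of `qemu_per_role_template_notrans` says it "creates a derived domains which are used for qemu web browser", which is copied from a browser module and does not describe this body: nothing is derived here, the template only emits `role $3 types qemu_t;` and `xserver_common_app($1, qemu_t)`. A summary that matches the code would be `## Authorize the $3 role for qemu_t and let qemu_t act as an X application of the $1 user (no domain transition is added).` The `$2` parameter is documented but never referenced in the body; if it is kept only so the three per-role templates share a signature, a one-line comment saying so would save the next reader a search. The `xserver_common_app` effect is inferred from its name only and should be confirmed against xserver.if.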
@@ -122,6 +228,36 @@ ######################################## ## +## Execute qemu programs in the qemu unconfined domain. +## +## +## +## Domain allowed access. +## +## +## +## +## The role to allow the PAM domain. +## +## +## +## +## The type of the terminal allow the PAM domain to use. +## +## +# +interface(`qemu_runas_unconfined',` + gen_require(` + type qemu_unconfined_t; + ') + + qemu_domtrans_unconfined($1) + allow qemu_unconfined_t $3:chr_file rw_file_perms; +') + + +######################################## +## ## Creates types and rules for a basic ## qemu process domain. ## 
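Review bot: `qemu_runas` documents `$2` as the role but never uses it: the body is only `qemu_domtrans($1)` and `allow qemu_t $3:chr_file rw_file_perms;`, so a caller relying on this interface alone gets a transition into qemu_t that the role is not authorized to enter unless it also calls `qemu_role` by hand. Either add `role $2 types qemu_t;` after the `qemu_domtrans($1)` line, or drop the parameter from the documentation; the same omission is in `qemu_runas_unconfined` in the next hunk. The parameter text "The role to allow the PAM domain" and "The type of the terminal allow the PAM domain to use" in `qemu_runas`, `qemu_role` and `qemu_unconfined_role` is copied from a PAM interface; `## The role to allow access to the qemu domain.` and `## The type of the terminal to allow the qemu domain to use.` describe what this code does.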
@@ -132,86 +268,135 @@ ## # template(`qemu_domain_template',` + gen_require(` + attribute qemutype; + ') - ############################## - # - # Local Policy - # - - type $1_t; + type $1_t, qemutype; domain_type($1_t) type $1_tmp_t; files_tmp_file($1_tmp_t) - ############################## - # - # Local Policy - # + type $1_tmpfs_t; + files_tmpfs_file($1_tmpfs_t) - allow $1_t self:capability { dac_read_search dac_override }; - allow $1_t self:process { execstack execmem signal getsched }; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:tcp_socket create_stream_socket_perms; + type $1_image_t; + virt_image($1_image_t) + + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) + rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - kernel_read_system_state($1_t) - - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) - corenet_tcp_sendrecv_all_if($1_t) - corenet_tcp_sendrecv_all_nodes($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_tcp_bind_all_nodes($1_t) - corenet_tcp_bind_vnc_port($1_t) - corenet_rw_tun_tap_dev($1_t) - -# dev_rw_kvm($1_t) - - domain_use_interactive_fds($1_t) - - files_read_etc_files($1_t) - files_read_usr_files($1_t) - files_read_var_files($1_t) - files_search_all($1_t) + manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) +') - fs_list_inotifyfs($1_t) - fs_rw_anon_inodefs_files($1_t) - fs_rw_tmpfs_files($1_t) +######################################## +## +## Set the schedule on qemu. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_setsched',` + gen_require(` + type qemu_t; + ') - storage_raw_write_removable_device($1_t) - storage_raw_read_removable_device($1_t) + allow $1 qemu_t:process setsched; + ') - term_use_ptmx($1_t) - term_getattr_pty_fs($1_t) - term_use_generic_ptys($1_t) +######################################## +## +## Execute qemu_exec_t +## in the specified domain but do not +## do it automatically. This is an explicit +## transition, requiring the caller to use setexeccon(). +## +## +##

+## Execute qemu_exec_t +## in the specified domain. This allows +## the specified domain to qemu programs +## on these filesystems in the specified +## domain. +##

+##
+## +## +## Domain allowed access. +## +## +## +## +## The type of the new process. +## +## +# +interface(`qemu_spec_domtrans',` + gen_require(` + type qemu_exec_t; + ') - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) + read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) + domain_transition_pattern($1, qemu_exec_t, $2) - miscfiles_read_localization($1_t) + allow $3 $1:fd use; + allow $3 $1:fifo_file rw_fifo_file_perms; + allow $3 $1:process sigchld; +') - sysnet_read_config($1_t) +####################################### +## +## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used +## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`qemu_per_role_template',` + gen_require(` + type qemu_exec_t; + ') -# optional_policy(` -# samba_domtrans_smb($1_t) -# ') + qemu_per_role_template_notrans($1, $2, $3) - optional_policy(` - virt_manage_images($1_t) - virt_read_config($1_t) - virt_read_lib_files($1_t) + domtrans_pattern($2, qemu_exec_t, qemu_t) + domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) ') - optional_policy(` - xserver_stream_connect_xdm_xserver($1_t) - xserver_read_xdm_tmp_files($1_t) - xserver_read_xdm_pid($1_t) -# xserver_xdm_rw_shm($1_t) - ') -') --- nsaserefpolicy/policy/modules/apps/qemu.te 2008-08-07 11:15:03.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/apps/qemu.te 2008-08-14 13:53:54.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # +attribute qemutype; + ## ##
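Review bot: `qemu_spec_domtrans` takes two parameters but its last three rules use `$3` (`allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;`, `allow $3 $1:process sigchld;`); m4 expands an absent `$3` to nothing, so the generated rules have no source type and the module should fail to build as soon as the interface is called. The target domain of this transition is `$2`, so these should read `allow $2 $1:fd use;` and likewise for the other two. Separately, `qemu_per_role_template` only requires `qemu_exec_t` yet references `qemu_t`, `qemu_config_exec_t` and `qemu_config_t`; the two `qemu_config_*` types are not declared in any visible qemu.te hunk, so they need either a declaration or a `gen_require` entry before this template can be used. The description of `qemu_spec_domtrans` also carries a garbled sentence ("allows the specified domain to qemu programs on these filesystems") and `qemu_per_role_template` repeats the "qemu web browser" summary from the earlier hunk.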

## Allow qemu to connect fully to the network @@ -13,6 +15,20 @@ ## gen_tunable(qemu_full_network, false) +## +##

+## Allow qemu to use nfs file systems +##

+##
+gen_tunable(qemu_use_nfs, true) + +## +##

+## Allow qemu to use cifs/Samba file systems +##

+##
+gen_tunable(qemu_use_cifs, true) + type qemu_exec_t; qemu_domain_template(qemu) application_domain(qemu_t, qemu_exec_t) 
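Review bot: `qemu_use_nfs` and `qemu_use_cifs` are declared with a default of `true`, while `qemu_full_network` directly above defaults to `false`, which is the usual refpolicy convention for booleans that widen access. Their bodies in the last hunk grant `fs_manage_nfs_files(qemu_t)` and `fs_manage_cifs_dirs(qemu_t)`, so with these defaults every installation lets a qemu_t process write to all NFS and CIFS content unless an administrator opts out; a guest that escapes its emulator inherits that reach. Unless there is a documented reason for default-on, `gen_tunable(qemu_use_nfs, false)` and `gen_tunable(qemu_use_cifs, false)` match the file's existing tunable. The descriptions would also be more accurate as `## Allow qemu to manage files on NFS file systems` and the CIFS equivalent, since "use" understates a manage permission.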
@@ -20,9 +36,74 @@ ######################################## # +# qemu common policy +# +allow qemutype self:capability { dac_read_search dac_override }; +allow qemutype self:process { execstack execmem signal getsched signull }; + +allow qemutype self:fifo_file rw_file_perms; +allow qemutype self:shm create_shm_perms; +allow qemutype self:unix_stream_socket create_stream_socket_perms; +allow qemutype self:tcp_socket create_stream_socket_perms; + +kernel_read_system_state(qemutype) + +corenet_all_recvfrom_unlabeled(qemutype) +corenet_all_recvfrom_netlabel(qemutype) +corenet_tcp_sendrecv_all_if(qemutype) +corenet_tcp_sendrecv_all_nodes(qemutype) +corenet_tcp_sendrecv_all_ports(qemutype) +corenet_tcp_bind_all_nodes(qemutype) +corenet_tcp_bind_vnc_port(qemutype) +corenet_rw_tun_tap_dev(qemutype) + +dev_read_sound(qemutype) +dev_write_sound(qemutype) +dev_rw_kvm(qemutype) +dev_rw_qemu(qemutype) + +domain_use_interactive_fds(qemutype) + +files_read_etc_files(qemutype) +files_read_usr_files(qemutype) +files_read_var_files(qemutype) +files_search_all(qemutype) + +fs_list_inotifyfs(qemutype) +fs_rw_anon_inodefs_files(qemutype) +fs_rw_tmpfs_files(qemutype) + +term_use_ptmx(qemutype) +term_getattr_pty_fs(qemutype) +term_use_generic_ptys(qemutype) + +auth_use_nsswitch(qemutype) + +libs_use_ld_so(qemutype) +libs_use_shared_libs(qemutype) + +miscfiles_read_localization(qemutype) + +optional_policy(` + virt_read_config(qemutype) + virt_read_lib_files(qemutype) +') + +optional_policy(` + xserver_stream_connect_xdm_xserver(qemutype) + xserver_read_xdm_tmp_files(qemutype) + xserver_read_xdm_pid(qemutype) + xserver_xdm_rw_shm(qemutype) +') + +######################################## +# # qemu local policy # +storage_raw_write_removable_device(qemu_t) +storage_raw_read_removable_device(qemu_t) + tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; 
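Review bot: `dev_rw_kvm` and `xserver_xdm_rw_shm` were commented out in the template body this patch removes, and the common block now grants them unconditionally to every `qemutype` domain together with the new `dev_rw_qemu`; the diff gives no reason why the earlier disablement no longer applies. A comment above that group such as `# kvm/qemu device access and xdm shared memory are required by every qemu domain; earlier versions had these disabled` would record the intent, and the author should confirm `dev_rw_qemu` and `xserver_xdm_rw_shm` exist in the targeted refpolicy base, since neither appears as a declaration in this diff. Moving `storage_raw_read/write_removable_device` out of the shared block into the qemu_t-only section is a real narrowing for the other qemutype domains and is worth a one-line note so it is not mistaken for an accidental drop.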
@@ -35,6 +116,30 @@ corenet_tcp_connect_all_ports(qemu_t) ') +tunable_policy(`qemu_use_nfs',` + fs_manage_nfs_files(qemu_t) +') + +tunable_policy(`qemu_use_cifs',` + fs_manage_cifs_dirs(qemu_t) +') + +optional_policy(` + samba_domtrans_smb(qemu_t) +') + +optional_policy(` + virt_manage_images(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + ######################################## # # qemu_unconfined local policy
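Review bot: The `optional_policy(` xen_rw_image_files(qemu_t) ')` block is added twice in a row; the second copy should be removed. The two tunable bodies are also asymmetric: the NFS branch grants `fs_manage_nfs_files(qemu_t)` with no directory permission, while the CIFS branch grants `fs_manage_cifs_dirs(qemu_t)` with no file permission, so on CIFS qemu can create directories but not touch image files and on NFS it cannot create directories at all. That looks like a copy slip rather than a design; if the intent is image storage on both, each branch needs both the dirs and files interface, e.g. `fs_manage_nfs_dirs(qemu_t)` alongside `fs_manage_nfs_files(qemu_t)` and `fs_manage_cifs_files(qemu_t)` alongside `fs_manage_cifs_dirs(qemu_t)`. `samba_domtrans_smb(qemu_t)` was commented out in the removed template and is now live; a comment stating which qemu feature needs a transition into smbd would help the next reviewer judge that grant.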