various: fixes for libvirtd and systemd-machined

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
Kenton Groombridge 2022-12-07 11:14:47 -05:00
parent 2354b4f1be
commit a364dd4e2a
6 changed files with 59 additions and 1 deletions


@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
create_chr_files_pattern($1, device_t, urandom_device_t)
')
########################################
## <summary>
## Set attributes on the urandom device (/dev/urandom).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_urand_dev',`
gen_require(`
type device_t, urandom_device_t;
')
setattr_chr_files_pattern($1, device_t, urandom_device_t)
')
########################################
## <summary>
## Getattr generic the USB devices.


@ -236,6 +236,7 @@ optional_policy(`
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
systemd_connect_machined(system_dbusd_t)
# for passing around terminal file handles for machinectl shell
systemd_use_inherited_machined_ptys(system_dbusd_t)
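Review bot: The comment above the new `systemd_use_inherited_machined_ptys(system_dbusd_t)` call names the use case but not why the bus broker itself needs read/write on machined ptys, which is what makes the grant look broader than it is; presumably the check fires when the descriptor is delivered to dbus over the bus socket (the receiver is checked against the file's open mode), not because dbus reads the terminal. Spelling that out keeps a later reviewer from trimming it as an over-grant, e.g. `# machinectl shell passes pty file handles through the bus; the receiving domain is checked for rw access on the pty`. The enclosing optional_policy block opens and closes outside the hunk.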


@ -134,7 +134,9 @@ optional_policy(`
optional_policy(`
# for /run/systemd/machines
systemd_connect_machined(policykit_t)
systemd_read_machines(policykit_t)
systemd_watch_machines_dirs(policykit_t)
# for /run/systemd/seats/seat*
systemd_read_logind_sessions_files(policykit_t)


@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
type virtlogd_t;
type virtlogd_exec_t;
init_daemon_domain(virtlogd_t, virtlogd_exec_t)
init_named_socket_activation(virtlogd_t, virt_runtime_t)
type virtlogd_run_t;
files_runtime_file(virtlogd_run_t)
@ -451,6 +452,8 @@ tunable_policy(`virt_use_evdev',`
allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
dontaudit virtd_t self:capability { sys_module sys_ptrace };
allow virtd_t self:capability2 { bpf perfmon };
allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@ -522,7 +525,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
# relabel needed for qemu guest agent sockets
allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@ -691,6 +695,15 @@ sysnet_domtrans_ifconfig(virtd_t)
userdom_read_all_users_state(virtd_t)
ifdef(`init_systemd',`
init_read_utmp(virtd_t)
systemd_dbus_chat_logind(virtd_t)
systemd_connect_machined(virtd_t)
systemd_dbus_chat_machined(virtd_t)
')
tunable_policy(`virt_use_fusefs',`
fs_manage_fusefs_dirs(virtd_t)
fs_manage_fusefs_files(virtd_t)
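Review bot: The new `allow virtd_t self:capability2 { bpf perfmon };` and `allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };` lines in the @ -451 hunk let libvirtd load and attach BPF programs unconditionally, with no comment on why, unlike the sock_file relabel rule in the next hunk which does say `# relabel needed for qemu guest agent sockets`. Presumably this is for the cgroup v2 device controller, which libvirt implements by attaching a BPF program to each guest's cgroup; a one-line comment such as `# cgroup v2 device access control is done with BPF programs loaded by libvirtd` would record that the broad prog_load/prog_run grant is intentional rather than a denial being chased. If the bpf permissions are only exercised on cgroup v2 hosts, it is worth considering whether they belong behind a tunable, as this file already does for virt_use_evdev. Whether these rules sit inside a tunable_policy or at top level is not visible from the hunk.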


@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
allow $1 systemd_machined_runtime_t:file read_file_perms;
')
########################################
## <summary>
## Allow watching /run/systemd/machines
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_watch_machines_dirs',`
gen_require(`
type systemd_machined_runtime_t;
')
allow $1 systemd_machined_runtime_t:dir watch;
')
########################################
## <summary>
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
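Review bot: `systemd_watch_machines_dirs` grants only `watch` on systemd_machined_runtime_t:dir, but a domain that sets up an inotify watch on /run/systemd/machines also has to resolve that path, so it needs search on the directory (and its parents) from some other interface, e.g. systemd_read_machines(), which the policykit change in this commit does call alongside it. That dependency is not visible from the interface summary; suggest stating it: `## Allow watching /run/systemd/machines. Callers also need search access to the directory, e.g. via systemd_read_machines().`. If this tree defines a watch_dir_perms permission set, using it would also be more consistent with the read_file_perms style of the interface above.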


@ -992,15 +992,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
kernel_getattr_proc(systemd_machined_t)
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
dev_getattr_fs(systemd_machined_t)
dev_setattr_urand_dev(systemd_machined_t)
files_read_etc_files(systemd_machined_t)
fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
fs_getattr_xattr_fs(systemd_machined_t)
fs_read_nsfs_files(systemd_machined_t)
selinux_getattr_fs(systemd_machined_t)
@ -1015,6 +1018,9 @@ init_stop_system(systemd_machined_t)
init_get_generic_units_status(systemd_machined_t)
init_start_generic_units(systemd_machined_t)
init_stop_generic_units(systemd_machined_t)
init_get_transient_units_status(systemd_machined_t)
init_start_transient_units(systemd_machined_t)
init_stop_transient_units(systemd_machined_t)
logging_send_syslog_msg(systemd_machined_t)
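Review bot: `dev_setattr_urand_dev(systemd_machined_t)` in the @ -992 hunk lets machined change the ownership, mode or timestamps of the host's /dev/urandom node, and nothing in the hunk or the commit message says what triggers it. If this came from a denial where machined does a best-effort chmod/chown and tolerates failure, a dontaudit rule would be the smaller change; if the operation genuinely has to succeed, a comment on the line would help, e.g. `# setattr on /dev/urandom needed for <reason here> (confirm)`. The remaining additions in this section (the fs_getattr_* calls and init_get/start/stop_transient_units) read as consistent with the surrounding get/start/stop patterns.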