various: fixes for libvirtd and systemd-machined
Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
2354b4f1be
commit
a364dd4e2a
@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
|
||||
create_chr_files_pattern($1, device_t, urandom_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Set attributes on the urandom device (/dev/urandom).
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_setattr_urand_dev',`
|
||||
gen_require(`
|
||||
type device_t, urandom_device_t;
|
||||
')
|
||||
|
||||
setattr_chr_files_pattern($1, device_t, urandom_device_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Getattr generic the USB devices.
|
||||
|
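Review bot: The summary on L25 ("Set attributes on the urandom device") undersells what `setattr_chr_files_pattern` grants: `setattr` on a chr_file is the write-side permission (chmod/chown/utimes-style changes to the node), and the pattern also adds search on device_t. A caller could use it to change the mode or owner of /dev/urandom and lock other domains out of the system RNG, so the interface doc should make the cost visible so callers reach for it deliberately, e.g. `## Set attributes (owner, mode, timestamps) on the urandom device (/dev/urandom). This is a write permission; use a getattr interface if the caller only stats the node.` No code change is needed in the interface body itself.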
@ -236,6 +236,7 @@ optional_policy(`
|
||||
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
|
||||
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
||||
|
||||
systemd_connect_machined(system_dbusd_t)
|
||||
# for passing around terminal file handles for machinectl shell
|
||||
systemd_use_inherited_machined_ptys(system_dbusd_t)
|
||||
|
||||
|
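Review bot: The comment on L95 gives the use case but not why a broker that never reads the terminal needs terminal permissions, which is what will surprise a later reader auditing system_dbusd_t. Presumably the pty fd for `machinectl shell` is passed over the bus and the kernel's fd-receive check requires the file permissions on the descriptor even though dbus-daemon only forwards it; I would record that, e.g. `# machinectl shell passes its pty fd through the bus; receiving the fd needs rw on the chr_file even though dbusd never uses it`. I also could not find `systemd_use_inherited_machined_ptys` in the systemd.if hunks of this commit, so please confirm it already exists or is added elsewhere, since an undefined interface only fails at policy build time. The enclosing optional_policy block starts before this hunk.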
@ -134,7 +134,9 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
# for /run/systemd/machines
|
||||
systemd_connect_machined(policykit_t)
|
||||
systemd_read_machines(policykit_t)
|
||||
systemd_watch_machines_dirs(policykit_t)
|
||||
|
||||
# for /run/systemd/seats/seat*
|
||||
systemd_read_logind_sessions_files(policykit_t)
|
||||
|
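Review bot: The `# for /run/systemd/machines` comment on L112 now heads a group of three calls, but the first of them, `systemd_connect_machined`, appears from the systemd.if hunk in this commit to be the interface summarized as connecting to /run/systemd/userdb/io.systemd.Machine, so the comment names the wrong path for that rule. I would split it: `# userdb lookups via io.systemd.Machine` above the connect call, and keep `# for /run/systemd/machines` directly above `systemd_read_machines`/`systemd_watch_machines_dirs`. The enclosing optional_policy block opens before the hunk.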
@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
|
||||
type virtlogd_t;
|
||||
type virtlogd_exec_t;
|
||||
init_daemon_domain(virtlogd_t, virtlogd_exec_t)
|
||||
init_named_socket_activation(virtlogd_t, virt_runtime_t)
|
||||
|
||||
type virtlogd_run_t;
|
||||
files_runtime_file(virtlogd_run_t)
|
||||
@ -451,6 +452,8 @@ tunable_policy(`virt_use_evdev',`
|
||||
|
||||
allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
|
||||
dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
||||
allow virtd_t self:capability2 { bpf perfmon };
|
||||
allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
|
||||
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
|
||||
allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
||||
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
|
||||
@ -522,7 +525,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
|
||||
allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
|
||||
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
|
||||
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
|
||||
allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
|
||||
# relabel needed for qemu guest agent sockets
|
||||
allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
|
||||
allow virtd_t virt_ptynode:chr_file rw_term_perms;
|
||||
|
||||
@ -691,6 +695,15 @@ sysnet_domtrans_ifconfig(virtd_t)
|
||||
|
||||
userdom_read_all_users_state(virtd_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_read_utmp(virtd_t)
|
||||
|
||||
systemd_dbus_chat_logind(virtd_t)
|
||||
|
||||
systemd_connect_machined(virtd_t)
|
||||
systemd_dbus_chat_machined(virtd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`virt_use_fusefs',`
|
||||
fs_manage_fusefs_dirs(virtd_t)
|
||||
fs_manage_fusefs_files(virtd_t)
|
||||
|
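Review bot: The new `allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run }` together with `capability2 { bpf perfmon }` lets libvirtd load and run BPF programs unconditionally, and no comment says which libvirt feature needs it, so a later reader cannot tell whether a narrower set would do. If this is for the cgroup v2 device-ACL programs libvirt installs per guest, say so above the rule, e.g. `# cgroup v2 device ACLs: libvirt loads a per-guest BPF device program and its maps`, and if it is tied to host configuration consider gating it in a tunable the way `virt_use_evdev` gates the preceding block. `prog_load` alone reaches the verifier for any program type, so it is worth confirming from the audit that `prog_run` is actually required (it would be for attaching through a program fd) rather than carried over from a broader grant. Unrelated but visible in the context: `sys_ptrace` is both allowed on L161 and dontaudited on L164, so the dontaudit entry is dead.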
@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
|
||||
allow $1 systemd_machined_runtime_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow watching /run/systemd/machines
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_watch_machines_dirs',`
|
||||
gen_require(`
|
||||
type systemd_machined_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 systemd_machined_runtime_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
|
||||
|
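Review bot: `systemd_watch_machines_dirs` grants only `dir watch`, which is the right minimal permission for an inotify watch on /run/systemd/machines, but the summary does not say it is meant to be paired with `systemd_read_machines` (policykit.te in this commit calls both), and a caller presumably still needs search/read on the directory to resolve the path for inotify_add_watch. I would extend the summary: `## Watch /run/systemd/machines for changes (inotify). Grants dir watch only; pair with systemd_read_machines for search/read access.` If a caller also needs IN_ACCESS/IN_OPEN events, `watch_reads` would be required in addition, which this interface deliberately does not grant; a one-line note to that effect keeps someone from widening it casually.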
@ -992,15 +992,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
|
||||
|
||||
manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
|
||||
kernel_getattr_proc(systemd_machined_t)
|
||||
kernel_read_kernel_sysctls(systemd_machined_t)
|
||||
kernel_read_system_state(systemd_machined_t)
|
||||
|
||||
dev_getattr_fs(systemd_machined_t)
|
||||
dev_setattr_urand_dev(systemd_machined_t)
|
||||
|
||||
files_read_etc_files(systemd_machined_t)
|
||||
|
||||
fs_getattr_cgroup(systemd_machined_t)
|
||||
fs_getattr_tmpfs(systemd_machined_t)
|
||||
fs_getattr_xattr_fs(systemd_machined_t)
|
||||
fs_read_nsfs_files(systemd_machined_t)
|
||||
|
||||
selinux_getattr_fs(systemd_machined_t)
|
||||
@ -1015,6 +1018,9 @@ init_stop_system(systemd_machined_t)
|
||||
init_get_generic_units_status(systemd_machined_t)
|
||||
init_start_generic_units(systemd_machined_t)
|
||||
init_stop_generic_units(systemd_machined_t)
|
||||
init_get_transient_units_status(systemd_machined_t)
|
||||
init_start_transient_units(systemd_machined_t)
|
||||
init_stop_transient_units(systemd_machined_t)
|
||||
|
||||
logging_send_syslog_msg(systemd_machined_t)
|
||||
|
||||
|
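Review bot: `dev_setattr_urand_dev(systemd_machined_t)` on L351 lets machined chown/chmod/utimes the host's /dev/urandom node, and nothing in the hunk records why a machine manager needs that; it is the only rule in this commit that hands a long-running daemon a write-side permission on the system RNG device. I would either comment the trigger above it, e.g. `# machined needs setattr on /dev/urandom for <operation>; see the audit that motivated this` with the operation filled in, or, if the denial was only getattr/timestamp noise, replace it with a getattr interface or a dontaudit. The transient-unit status/start/stop grants on L390, L393 and L396 are consistent with machined managing per-machine units and need no further justification. The rules for systemd_machined_t continue past the end of this hunk.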