commit:     447936782bfb89286beb2373ca41ae460e862750
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Mar 31 17:24:43 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 31 17:41:03 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=44793678

Qemu socket support

The VDE switch implementation in Qemu, depending on how it is invoked on
the command line, requires Qemu to create a socket through which network
communication is to be handled.

Without this, qemu fails to start.

---
 policy/modules/contrib/qemu.if | 20 ++++++++++++++++++++
 policy/modules/contrib/qemu.te |  9 +++++++++
 policy/modules/contrib/vde.te  |  4 ++++
 3 files changed, 33 insertions(+)

diff --git a/policy/modules/contrib/qemu.if b/policy/modules/contrib/qemu.if
index eaf56b8..ea947bc 100644
--- a/policy/modules/contrib/qemu.if
+++ b/policy/modules/contrib/qemu.if
@@ -374,3 +374,23 @@ interface(`qemu_entry_type',`
 
        domain_entry_file($1, qemu_exec_t)
 ')
+
+# Gentoo specific but cannot use ifdef distro_gentoo here
+
+#######################################
+## <summary>
+##     Read/write to qemu socket files in /var/run
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`qemu_rw_pid_sock_files',`
+       gen_require(`
+               type qemu_var_run_t;
+       ')
+
+       allow $1 qemu_var_run_t:sock_file rw_sock_file_perms;
+')
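Review bot: The new qemu_rw_pid_sock_files interface grants read/write on qemu_var_run_t sock_file objects but gives the caller no directory access to reach them; refpolicy interfaces that touch objects under /var/run conventionally add `files_search_pids($1)` so the caller can traverse the pid directory. Without it a domain that does not already search /var/run for its own reasons would be denied before ever reaching the socket, although the only caller in this commit (vde_t) may already have that access. The header comment also records that qemu_var_run_t is declared only under distro_gentoo (see the qemu.te hunk); it would help callers to state that restriction in the interface's `<summary>` rather than only in the bare `#` comment above it.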

diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index 9a6a082..cf647bb 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -62,9 +62,18 @@ ifdef(`distro_gentoo',`
        #
        # Local policy
        #
+       type qemu_var_run_t;
+       files_pid_file(qemu_var_run_t)
+
+       # VNC/GDB support
        allow qemu_t self:tcp_socket create_stream_socket_perms;
        allow qemu_t self:udp_socket create_socket_perms;
 
+       # Network related socket
+       allow qemu_t qemu_var_run_t:sock_file manage_sock_file_perms;
+
+       files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)
+
        optional_policy(`
                vde_connect(qemu_t)
        ')
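Review bot: The declaration `type qemu_var_run_t;` together with `files_pid_file(qemu_var_run_t)` is placed under the "Local policy" heading, whereas refpolicy keeps type declarations in the Declarations section at the top of the module; moving them there keeps the file consistent with the other qemu types. The file transition `files_pid_filetrans(qemu_t, qemu_var_run_t, sock_file)` is unnamed, so every sock_file qemu_t creates directly in /var/run gets this label; if the VDE socket has a fixed name, a named transition would be tighter, but the page does not show the name so this is only a suggestion to confirm. The enclosing `ifdef(`distro_gentoo',` block, visible in the hunk header, starts and ends outside this hunk.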

diff --git a/policy/modules/contrib/vde.te b/policy/modules/contrib/vde.te
index 3b89491..56f668d 100644
--- a/policy/modules/contrib/vde.te
+++ b/policy/modules/contrib/vde.te
@@ -47,3 +47,7 @@ miscfiles_read_localization(vde_t)
 corenet_rw_tun_tap_dev(vde_t)
 
 logging_send_syslog_msg(vde_t)
+
+optional_policy(`
+       qemu_rw_pid_sock_files(vde_t)
+')
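Review bot: The call `qemu_rw_pid_sock_files(vde_t)` is guarded only by optional_policy, which tests whether the qemu module is built, while the type the interface requires (qemu_var_run_t) is declared in qemu.te inside an `ifdef(`distro_gentoo',` block per the preceding hunk; on a non-Gentoo build with qemu enabled the interface's gen_require would fail on an undeclared type. Wrapping this optional_policy block in an `ifdef(`distro_gentoo',` ... `')` of its own keeps the call site aligned with where the type actually exists. If this tree is only ever built with distro_gentoo set, a comment saying so at the call site would spare the next reader the same question.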
