commit: 55adb3cf528beb44e210e7a8f3d6cd6340a365fc
Author: Marc Schiffbauer <m <AT> sys4 <DOT> de>
AuthorDate: Tue Jun 24 15:20:00 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=55adb3cf
modules: add new incus service module
this includes new interfaces in the following modules:
* container
* devices
* files
* filesystem
* iptables
* kernel
* terminal
Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.if | 19 +++
policy/modules/kernel/files.if | 19 +++
policy/modules/kernel/filesystem.if | 281 +++++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.if | 38 +++++
policy/modules/kernel/terminal.if | 38 +++++
policy/modules/services/container.if | 204 +++++++++++++++++++++++++
policy/modules/services/incus.fc | 4 +
policy/modules/services/incus.if | 276 ++++++++++++++++++++++++++++++++++
policy/modules/services/incus.te | 198 ++++++++++++++++++++++++
policy/modules/system/iptables.if | 18 +++
10 files changed, 1095 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2e7ba6c05..61a7d6f60 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -144,6 +144,25 @@ interface(`dev_remount_fs',`
allow $1 device_t:filesystem remount;
')
+########################################
+## <summary>
+## Allow to watch filesystem and to
+## watch and watch_sb dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow
+## </summary>
+## </param>
+interface(`dev_watch_dev_fs',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem watch;
+ allow $1 device_t:dir { watch watch_sb };
+')
+
########################################
## <summary>
## Watch the directories in /dev.
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 194cdba39..592d0c2d8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -452,6 +452,25 @@ interface(`files_dontaudit_getattr_all_tmpfs_files',`
dontaudit $1 tmpfsfile:file getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to unlink
+## sockets in tmp_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_delete_generic_tmp_named_sockets',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ dontaudit $1 tmp_t:sock_file unlink;
+')
+
########################################
## <summary>
## Get the attributes of all directories.
diff --git a/policy/modules/kernel/filesystem.if
b/policy/modules/kernel/filesystem.if
index 64d569cd0..421fb9f26 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -620,6 +620,44 @@ interface(`fs_getattr_binfmt_misc_fs',`
allow $1 binfmt_misc_fs_t:filesystem getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to getattr a
+## binfmt_misc_fs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_binfmt_misc_fs',`
+ gen_require(`
+ type binfmt_misc_fs_t;
+ ')
+
+ dontaudit $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Mount binfmt_misc_fs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_binfmt_misc_fs',`
+ gen_require(`
+ type binfmt_misc_fs_t;
+ ')
+
+ allow $1 binfmt_misc_fs_t:filesystem mount;
+')
+
########################################
## <summary>
## Get the attributes of directories on
@@ -2269,6 +2307,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
+########################################
+## <summary>
+## Do not audit attempts to getattr a configfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_configfs',`
+ gen_require(`
+ type configfs_t;
+ ')
+
+ dontaudit $1 configfs_t:filesystem getattr;
+')
+
#######################################
## <summary>
## Create, read, write, and delete dirs
@@ -2307,6 +2364,25 @@ interface(`fs_manage_configfs_files',`
manage_files_pattern($1, configfs_t, configfs_t)
')
+########################################
+## <summary>
+## Do not audit attempts to remount a configfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_remount_configfs',`
+ gen_require(`
+ type configfs_t;
+ ')
+
+ dontaudit $1 configfs_t:filesystem remount;
+')
+
########################################
## <summary>
## Mount a DOS filesystem, such as
@@ -2629,6 +2705,62 @@ interface(`fs_getattr_efivarfs',`
allow $1 efivarfs_t:filesystem getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to getattr an efivarfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_efivarfs',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ dontaudit $1 efivarfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Remount an efivarfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_efivarfs',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ allow $1 efivarfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to remount an efivarfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_remount_efivarfs',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ dontaudit $1 efivarfs_t:filesystem remount;
+')
+
########################################
## <summary>
## List dirs in efivarfs filesystem.
@@ -5007,6 +5139,25 @@ interface(`fs_getattr_pstorefs',`
allow $1 pstore_t:filesystem getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of dirs on a pstorefs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_pstorefs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ dontaudit $1 pstore_t:filesystem getattr;
+')
+
########################################
## <summary>
## Get the attributes of directories
@@ -5122,6 +5273,43 @@ interface(`fs_delete_pstore_files',`
dev_search_sysfs($1)
')
+########################################
+## <summary>
+## Remount a pstorefs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain sllowd access.
+## </summary>
+## </param>
+#
+interface(`fs_remount_pstorefs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ allow $1 pstore_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to remount a pstorefs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_remount_pstorefs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ dontaudit $1 pstore_t:filesystem remount;
+')
+
########################################
## <summary>
## Allow the type to associate to ramfs filesystems.
@@ -5268,6 +5456,24 @@ interface(`fs_setattr_ramfs_dirs',`
allow $1 ramfs_t:dir setattr;
')
+########################################
+## <summary>
+## List directories on a ramfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir list_dir_perms;
+')
+
########################################
## <summary>
## Create, read, write, and delete
@@ -6130,6 +6336,24 @@ interface(`fs_read_tmpfs_files',`
read_files_pattern($1, tmpfs_t, tmpfs_t)
')
+########################################
+## <summary>
+## Read and map generic tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mmap_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ mmap_read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
########################################
## <summary>
## Read and write generic tmpfs files.
@@ -6447,6 +6671,25 @@ interface(`fs_getattr_tracefs',`
allow $1 tracefs_t:filesystem getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of a trace filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tracefs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ dontaudit $1 tracefs_t:filesystem getattr;
+')
+
########################################
## <summary>
## Get attributes of dirs on tracefs filesystem.
@@ -6465,6 +6708,25 @@ interface(`fs_getattr_tracefs_dirs',`
allow $1 tracefs_t:dir getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of dirs on tracefs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tracefs_dirs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ dontaudit $1 tracefs_t:dir getattr;
+')
+
########################################
## <summary>
## search directories on a tracefs filesystem
@@ -6539,6 +6801,25 @@ interface(`fs_create_tracefs_dirs',`
allow $1 tracefs_t:dir { create rw_dir_perms };
')
+########################################
+## <summary>
+## Do not audit attempts to remount a tracefs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_remount_tracefs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ dontaudit $1 tracefs_t:filesystem remount;
+')
+
########################################
## <summary>
## Mount a XENFS filesystem.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index d55e764f2..01a06eb37 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -709,6 +709,25 @@ interface(`kernel_getattr_debugfs',`
allow $1 debugfs_t:filesystem getattr;
')
+########################################
+## <summary>
+## Do not audit attempt to getattr a debugfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:filesystem getattr;
+')
+
########################################
## <summary>
## Mount a kernel debugging filesystem.
@@ -763,6 +782,25 @@ interface(`kernel_remount_debugfs',`
allow $1 debugfs_t:filesystem remount;
')
+########################################
+## <summary>
+## Do not audit attempt to remount a debugfs
+## filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_remount_debugfs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:filesystem remount;
+')
+
########################################
## <summary>
## Search the contents of a kernel debugging filesystem.
diff --git a/policy/modules/kernel/terminal.if
b/policy/modules/kernel/terminal.if
index da4be21df..48310450b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -166,6 +166,44 @@ interface(`term_remount_devpts',`
allow $1 devpts_t:filesystem remount;
')
+########################################
+## <summary>
+## Do not audit attempts to remount
+## devpts_t filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_dontaudit_remount_devpts',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dontaudit $1 devpts_t:filesystem remount;
+')
+
+########################################
+## <summary>
+## Unmount a devpts_t filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to unmount it
+## </summary>
+## </param>
+#
+interface(`term_unmount_devpts',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem unmount;
+')
+
########################################
## <summary>
## Create directory /dev/pts.
diff --git a/policy/modules/services/container.if
b/policy/modules/services/container.if
index a7a2ff684..52a211bfa 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -496,6 +496,63 @@ interface(`container_runtime_named_socket_activation',`
init_named_socket_activation($1, container_runtime_t)
')
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container engine tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_engine_tmpfs_dirs',`
+ gen_require(`
+ type container_engine_tmpfs_t;
+ ')
+
+ manage_dirs_pattern($1, container_engine_tmpfs_t,
container_engine_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container engine tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_engine_tmpfs_files',`
+ gen_require(`
+ type container_engine_tmpfs_t;
+ ')
+
+ manage_files_pattern($1, container_engine_tmpfs_t,
container_engine_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to manage
+## container engine tmpfs symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_manage_engine_tmpfs_symlinks',`
+ gen_require(`
+ type container_engine_tmpfs_t;
+ ')
+
+ manage_lnk_files_pattern($1, container_engine_tmpfs_t,
container_engine_tmpfs_t)
+')
+
########################################
## <summary>
## Allow the specified domain to search
@@ -536,6 +593,25 @@ interface(`container_read_engine_tmp_files',`
allow $1 container_engine_tmp_t:file read_file_perms;
')
+########################################
+## <summary>
+## Allow the specified domain to execute
+## container engine temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_exec_engine_tmp_files',`
+ gen_require(`
+ type container_engine_tmp_t;
+ ')
+
+ can_exec($1, container_engine_tmp_t)
+')
+
########################################
## <summary>
## Allow the specified domain to manage
@@ -1088,6 +1164,98 @@ interface(`container_read_device_blk_files',`
allow $1 container_device_t:blk_file read_blk_file_perms;
')
+########################################
+## <summary>
+## Watch container tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_watch_tmpfs_dirs',`
+ gen_require(`
+ type container_tmpfs_t;
+ ')
+
+ allow $1 container_tmpfs_t:dir watch;
+')
+
+########################################
+## <summary>
+## Read container tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_read_tmpfs_files',`
+ gen_require(`
+ type container_tmpfs_t;
+ ')
+
+ read_files_pattern($1, container_tmpfs_t, container_tmpfs_t)
+')
+
+########################################
+## <summary>
+## Watch container tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_watch_tmpfs_files',`
+ gen_require(`
+ type container_tmpfs_t;
+ ')
+
+ allow $1 container_tmpfs_t:file watch;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to create
+## container chr files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_create_tmpfs_chr_files',`
+ gen_require(`
+ type container_tmpfs_t;
+ ')
+
+ allow $1 container_tmpfs_t:chr_file create_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to delete
+## container chr files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_delete_tmpfs_chr_files',`
+ gen_require(`
+ type container_tmpfs_t;
+ ')
+
+ allow $1 container_tmpfs_t:chr_file delete_chr_file_perms;
+')
+
########################################
## <summary>
## Mount on all container devices.
@@ -1106,6 +1274,24 @@ interface(`container_mounton_all_devices',`
allow $1 container_device_t:dir_file_class_set mounton;
')
+########################################
+## <summary>
+## Lock container ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_lock_container_ptys',`
+ gen_require(`
+ type container_devpts_t;
+ ')
+
+ allow $1 container_devpts_t:chr_file lock;
+')
+
########################################
## <summary>
## Set the attributes of container ptys.
@@ -1142,6 +1328,24 @@ interface(`container_use_container_ptys',`
allow $1 container_devpts_t:chr_file rw_term_perms;
')
+########################################
+## <summary>
+## Watch container ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`container_watch_container_ptys',`
+ gen_require(`
+ type container_devpts_t;
+ ')
+
+ allow $1 container_devpts_t:chr_file watch;
+')
+
########################################
## <summary>
## Make the specified type usable as a mountpoint
diff --git a/policy/modules/services/incus.fc b/policy/modules/services/incus.fc
new file mode 100644
index 000000000..05e5eef05
--- /dev/null
+++ b/policy/modules/services/incus.fc
@@ -0,0 +1,4 @@
+/usr/bin/incus -- gen_context(system_u:object_r:incusc_exec_t,s0)
+/usr/bin/incus-benchmark --
gen_context(system_u:object_r:incusc_exec_t,s0)
+/usr/bin/incus-user -- gen_context(system_u:object_r:incusd_exec_t,s0)
+/usr/bin/incusd --
gen_context(system_u:object_r:incusd_exec_t,s0)
diff --git a/policy/modules/services/incus.if b/policy/modules/services/incus.if
new file mode 100644
index 000000000..a50f99e1b
--- /dev/null
+++ b/policy/modules/services/incus.if
@@ -0,0 +1,276 @@
+## <summary>Policy for incus</summary>
+
+########################################
+## <summary>
+## Associated the specified domain to
+## be a domain which is capable of
+## operating as a container domain
+## which can be controlled by incus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`incus_container',`
+ gen_require(`
+ attribute incus_container_domain;
+ ')
+
+ typeattribute $1 incus_container_domain;
+')
+
+########################################
+## <summary>
+## Execute incus CLI in the incus CLI domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`incus_domtrans_cli',`
+ gen_require(`
+ type incusc_t, incusc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, incusc_exec_t, incusc_t)
+')
+
+########################################
+## <summary>
+## Execute incus CLI in the incus CLI
+## domain, and allow the specified role
+## the incus CLI domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the incus domain.
+## </summary>
+## </param>
+#
+interface(`incus_run_cli',`
+ gen_require(`
+ type incusc_t;
+ ')
+
+ role $2 types incusc_t;
+
+ incus_domtrans_cli($1)
+')
+
+########################################
+## <summary>
+## Execute incus in the incus user domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#interface(`incus_domtrans_user_daemon',`
+# gen_require(`
+# type incusd_user_t, incusd_exec_t;
+# ')
+#
+# corecmd_search_bin($1)
+# domtrans_pattern($1, incusd_exec_t, incusd_user_t)
+#')
+
+########################################
+## <summary>
+## Execute incus in the incus user
+## domain, and allow the specified
+## role the incus user domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the incus domain.
+## </summary>
+## </param>
+#
+#interface(`incus_run_user_daemon',`
+# gen_require(`
+# type incusd_user_t;
+# ')
+#
+# role $2 types incusd_user_t;
+#
+# incus_domtrans_user_daemon($1)
+#')
+
+########################################
+## <summary>
+## Execute incus CLI in the incus CLI
+## user domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`incus_domtrans_user_cli',`
+ gen_require(`
+ type incusc_user_t, incusc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, incusc_exec_t, incusc_user_t)
+')
+
+########################################
+## <summary>
+## Execute incus CLI in the incus CLI
+## user domain, and allow the specified
+## role the incus CLI user domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the incus
+## user domain.
+## </summary>
+## </param>
+#
+interface(`incus_run_user_cli',`
+ gen_require(`
+ type incusc_user_t;
+ ')
+
+ role $2 types incusc_user_t;
+
+ incus_domtrans_user_cli($1)
+')
+
+########################################
+## <summary>
+## Connect to the incus daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+interface(`incus_stream_connect_daemon',`
+ gen_require(`
+ type incusd_t;
+ ')
+
+ allow $1 incusd_t:unix_stream_socket { connectto rw_socket_perms };
+')
+
+########################################
+## <summary>
+## Role access for rootless incus.
+## </summary>
+## <param name="role_prefix">
+## <summary>
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+## <param name="user_exec_domain">
+## <summary>
+## User exec domain for execute and transition access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+#template(`incus_user_role',`
+# gen_require(`
+# type incusd_user_t;
+# type incusd_exec_t;
+# ')
+#
+# role $4 types incusd_user_t;
+#
+# incus_run_user_daemon($3, $4)
+# incus_run_user_cli($3, $4)
+#
+# ifdef(`init_systemd',`
+# systemd_user_daemon_domain($1, incusd_exec_t, incusd_user_t)
+# systemd_user_send_systemd_notify($1, incusd_user_t)
+# ')
+#
+# optional_policy(`
+# dbus_spec_session_bus_client($1, incusd_user_t)
+# ')
+#
+# optional_policy(`
+# rootlesskit_role($1, $2, $3, $4)
+# ')
+#')
+
+########################################
+## <summary>
+## Send signals to the rootless incus daemon.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+#interface(`incus_signal_user_daemon',`
+# gen_require(`
+# type incusd_user_t;
+# ')
+#
+# allow $1 incusd_user_t:process signal;
+#')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a incus
+## environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`incus_admin',`
+ incus_run_cli($1, $2)
+
+ optional_policy(`
+ rootlesskit_run($1, $2)
+ ')
+')
diff --git a/policy/modules/services/incus.te b/policy/modules/services/incus.te
new file mode 100644
index 000000000..87758ff62
--- /dev/null
+++ b/policy/modules/services/incus.te
@@ -0,0 +1,198 @@
+policy_module(incus)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow incusd to mount filesystems inside
+## lxc containers that might be required
+## by some legacy init systems.
+## </p>
+## </desc>
+gen_tunable(incus_lxc_legacy_mounts, false)
+
+# common attribute for all container domains
+# that may be used with incus
+attribute incus_container_domain;
+
+container_engine_domain_template(incusd)
+container_system_engine(incusd_t)
+
+type incusd_exec_t;
+container_engine_executable_file(incusd_exec_t)
+init_daemon_domain(incusd_t, incusd_exec_t)
+
+type incusc_exec_t;
+container_engine_executable_file(incusc_exec_t)
+
+type incusc_t;
+application_domain(incusc_t, incusc_exec_t)
+
+type incusc_user_t;
+application_domain(incusc_user_t, incusc_exec_t)
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(incusd_t, incusd_exec_t, s0 - mls_systemhigh)
+')
+
+########################################
+#
+# incus daemon local policy
+
+allow incusd_t self:process getattr;
+dontaudit incusd_t self:capability sys_module;
+allow incusd_t self:anon_inode { create map read write };
+allow incusd_t self:io_uring sqpoll;
+allow incusd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow incusd_t self:vsock_socket create_stream_socket_perms;
+
+# incusd needs to manage the host network
+allow incusd_t self:rawip_socket create_socket_perms;
+allow incusd_t self:tun_socket { create relabelfrom relabelto };
+
+# mounton access to /proc/sys/kernel/random/boot_id
+kernel_mounton_kernel_sysctl_files(incusd_t)
+
+# incusd wants to load netdev-phys*
+kernel_request_load_module(incusd_t)
+
+kernel_setsched(incusd_t)
+
+# for bridge management
+dev_create_sysfs_files(incusd_t)
+dev_write_sysfs(incusd_t)
+
+dev_getattr_vhost_dev(incusd_t)
+
+# incusd won't start without access to /dev/urandom
+dev_read_urand(incusd_t)
+
+# losetup required for instance creation
+dev_rw_loop_control(incusd_t)
+dev_rw_vhost(incusd_t)
+
+# required for fanotify on
/dev/zvol/zdata/incus/virtual-machines/.#vm1.block...
+dev_watch_dev_fs(incusd_t)
+
+# read /etc/machine-id
+files_read_etc_runtime_files(incusd_t)
+
+# incus apparmor support wants to handle /sys/kernel/tracing
+fs_dontaudit_getattr_configfs(incusd_t)
+fs_dontaudit_getattr_tracefs(incusd_t)
+fs_dontaudit_getattr_tracefs_dirs(incusd_t)
+fs_dontaudit_remount_configfs(incusd_t)
+fs_dontaudit_remount_tracefs(incusd_t)
+
+fs_dontaudit_manage_fusefs_files(incusd_t)
+fs_getattr_binfmt_misc_dirs(incusd_t)
+fs_getattr_binfmt_misc_fs(incusd_t)
+fs_mount_binfmt_misc_fs(incusd_t)
+
+# here dontaudit would also work, but consuming more resources
+fs_watch_tmpfs_dirs(incusd_t)
+
+# name="stub-resolv.conf"
+fs_read_tmpfs_files(incusd_t)
+
+iptables_domtrans(incusd_t)
+iptables_kill(incusd_t)
+
+# incus idmap support: checks whether the kernel supports VFS v3 fscaps
+container_exec_engine_tmp_files(incusd_t)
+
+# comm="incusd" path="/run/systemd/resolve/stub-resolv.conf"
+container_read_tmpfs_files(incusd_t)
+
+ifdef(`init_systemd',`
+ init_get_system_status(incusd_t)
+ init_start_system(incusd_t)
+ init_stop_generic_units(incusd_t)
+ init_stop_system(incusd_t)
+')
+
+tunable_policy(`incus_lxc_legacy_mounts',`
+ kernel_getattr_debugfs(incusd_t)
+ kernel_search_debugfs(incusd_t)
+ kernel_remount_debugfs(incusd_t)
+
+ fs_getattr_binfmt_misc_fs(incusd_t)
+ fs_getattr_efivarfs(incusd_t)
+ fs_getattr_pstorefs(incusd_t)
+ fs_remount_efivarfs(incusd_t)
+ fs_remount_pstorefs(incusd_t)
+',`
+ kernel_dontaudit_getattr_debugfs(incusd_t)
+ kernel_dontaudit_search_debugfs(incusd_t)
+ kernel_dontaudit_remount_debugfs(incusd_t)
+
+ fs_dontaudit_getattr_binfmt_misc_fs(incusd_t)
+ fs_dontaudit_getattr_efivarfs(incusd_t)
+ fs_dontaudit_getattr_pstorefs(incusd_t)
+ fs_dontaudit_remount_efivarfs(incusd_t)
+ fs_dontaudit_remount_pstorefs(incusd_t)
+')
+
+optional_policy(`
+ dnsmasq_domtrans(incusd_t)
+ dnsmasq_kill(incusd_t)
+ dnsmasq_signal(incusd_t)
+ dnsmasq_signull(incusd_t)
+')
+
+optional_policy(`
+ dpkg_dontaudit_manage_db(incusd_t)
+')
+
+optional_policy(`
+ mount_exec(incusd_t)
+')
+
+optional_policy(`
+ # these are required for incusd to check and execute qemu
+ qemu_domtrans(incusd_t)
+ qemu_exec(incusd_t)
+
+ # required so that incus will get the VM PID
+ # and make "incus info VM" work
+ # Error: stat /proc/628420: permission denied
+ qemu_read_state(incusd_t)
+
+ qemu_kill(incusd_t)
+ qemu_stream_connect(incusd_t)
+
+ # avc: denied { read } for pid=20404 comm="qemu-system-x86"
+ # name="overcommit_memory" dev="proc" ino=16557
+ # scontext=system_u:system_r:incusd_t:s0
+ # tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file
permissive=0
+ kernel_read_vm_overcommit_sysctl(incusd_t)
+
+ # incusd needs support to label VM files before launching
+ # until then, VM files will unfortunately be unlabeled
+ kernel_manage_unlabeled_dirs(incusd_t)
+ kernel_manage_unlabeled_files(incusd_t)
+ kernel_manage_unlabeled_symlinks(incusd_t)
+ kernel_mounton_unlabeled_dirs(incusd_t)
+
+ # required for QEMU feature check, will not start otherwise
+ files_dontaudit_delete_generic_tmp_named_sockets(incusd_t)
+ files_rw_generic_tmp_sockets(incusd_t)
+ files_search_default(incusd_t)
+')
+
+optional_policy(`
+ rsync_exec(incusd_t)
+')
+
+########################################
+#
+# incus lxc container local policy
+
+allow incus_container_domain self:cap_userns { chown dac_read_search fowner
fsetid kill net_admin net_bind_service net_raw setgid setpcap setuid sys_admin
sys_boot sys_chroot sys_ptrace };
+
+container_manage_engine_tmpfs_dirs(incus_container_domain)
+container_manage_engine_tmpfs_files(incus_container_domain)
+container_manage_engine_tmpfs_symlinks(incus_container_domain)
diff --git a/policy/modules/system/iptables.if
b/policy/modules/system/iptables.if
index f1ddfcdee..746a8dc02 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -253,6 +253,24 @@ interface(`iptables_dontaudit_read_runtime_files',`
dontaudit $1 iptables_runtime_t:file read;
')
+########################################
+## <summary>
+## Send kill signals to iptables.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_kill',`
+ gen_require(`
+ type iptables_t;
+ ')
+
+ allow $1 iptables_t:process sigkill;
+')
+
########################################
## <summary>
## Allow specified domain to start and stop iptables service
