commit: 539bbc9b693447bf2dadb0031b318eb4049ada9b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jul 2 18:36:39 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:44:43 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539bbc9b
qemu: add policy for qemu-guest-agent
policy/modules/contrib/qemu.fc | 9 +++++++++
policy/modules/contrib/qemu.te | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 44 insertions(+)
diff --git a/policy/modules/contrib/qemu.fc b/policy/modules/contrib/qemu.fc
index 86ea53c..f1304fb 100644
--- a/policy/modules/contrib/qemu.fc
+++ b/policy/modules/contrib/qemu.fc
@@ -4,3 +4,12 @@
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0)
+
+/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0)
+
+/var/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0)
+')
diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te
index cf647bb..136f6f3 100644
--- a/policy/modules/contrib/qemu.te
+++ b/policy/modules/contrib/qemu.te
@@ -77,4 +77,39 @@ ifdef(`distro_gentoo',`
optional_policy(`
vde_connect(qemu_t)
')
+
+ #################################
+ #
+ # QEMU Guest Agent policy
+ #
+ type qemu_ga_t;
+ type qemu_ga_exec_t;
+ init_system_domain(qemu_ga_t, qemu_ga_exec_t)
+
+ type qemu_ga_log_t;
+ logging_log_file(qemu_ga_log_t)
+
+ type qemu_ga_run_t;
+ files_pid_file(qemu_ga_run_t)
+
+ allow qemu_ga_t self:capability sys_admin;
+ allow qemu_ga_t self:unix_dgram_socket create_socket_perms;
+
+ manage_dirs_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ append_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ create_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ setattr_files_pattern(qemu_ga_t, qemu_ga_log_t, qemu_ga_log_t)
+ logging_log_filetrans(qemu_ga_t, qemu_ga_log_t, { dir file })
+
+ allow qemu_ga_t qemu_ga_run_t:file manage_file_perms;
+ files_pid_filetrans(qemu_ga_t, qemu_ga_run_t, file)
+
+ corecmd_exec_bin(qemu_ga_t)
+ corecmd_exec_shell(qemu_ga_t)
+
+ miscfiles_read_localization(qemu_ga_t)
+
+ userdom_use_user_terminals(qemu_ga_t)
+
+ term_use_virtio_console(qemu_ga_t)
')
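Review bot: `allow qemu_ga_t self:capability sys_admin;` grants the broadest capability with no comment saying which guest-agent operation needs it; a one-line note such as `# sys_admin: presumably for guest-fsfreeze (FIFREEZE/FITHAW ioctls) -- confirm against the audit log` would let a later reviewer verify it is still required rather than carried forward unquestioned. The `self:unix_dgram_socket create_socket_perms` rule together with `userdom_use_user_terminals(qemu_ga_t)` looks like it is there for logging/diagnostic output; if the socket use is syslog, the refpolicy interface `logging_send_syslog_msg(qemu_ga_t)` expresses the intent more precisely than a raw self-socket rule, and the user-terminal access for an init system domain deserves a comment naming the case that exercises it. All of this new policy sits inside the `ifdef(`distro_gentoo',` block whose opening is outside the hunk, so the qemu_ga types exist only on Gentoo builds, matching the .fc change.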