mirrors/passt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
passt/contrib/selinux/passt.if
Stefano Brivio d361fe6e80 contrib/selinux: Let interface users set paths for log, PID, socket files 
Even libvirt itself will configure passt to write log, PID and socket
files to different locations depending on whether the domain is
started as root (/var/log/libvirt/...) or as a regular user
(/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the
latter.

Create interfaces for log and PID files, so that callers can specify
different file contexts for those, and modify the interface for the
UNIX socket file to allow different paths as well.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Tested-by: Laine Stump <laine@redhat.com>
Reviewed-by: Laine Stump <laine@redhat.com>
2023-03-09 00:36:08 +01:00

67 lines
1.3 KiB
Text
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
#
# PASST - Plug A Simple Socket Transport
# for qemu/UNIX domain socket mode
#
# contrib/selinux/passt.if - SELinux profile example: Interface File for passt
#
# Copyright (c) 2022 Red Hat GmbH
# Author: Stefano Brivio <sbrivio@redhat.com>
interface(`passt_read_data',`
gen_require(`
type passt_data_t;
')
allow $1 passt_t:dir { search add_name };
allow $1 passt_t:file { open read getattr };
')
interface(`passt_domtrans',`
gen_require(`
type passt_t, passt_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, passt_exec_t, passt_t)
')
interface(`passt_socket',`
gen_require(`
type passt_t;
')
allow $1 $2:sock_file write;
allow $1 passt_t:unix_stream_socket connectto;
allow passt_t $2:sock_file { create read write unlink };
')
interface(`passt_logfile',`
gen_require(`
type passt_t;
')
logging_log_file($1);
allow passt_t $1:dir { search write add_name };
allow passt_t $1:file { create open read write };
')
interface(`passt_pidfile',`
gen_require(`
type passt_t;
')
allow $1 $2:file { open read unlink };
files_pid_file($2);
allow passt_t $2:dir { search write add_name };
allow passt_t $2:file { create open write };
')
interface(`passt_kill',`
gen_require(`
type passt_t;
')
allow $1 passt_t:process { signal sigkill };
')
Reference in a new issue View git blame Copy permalink