From bd3ddbe970be466a8fcaef5460ab0b701948c194 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 22 Mar 2022 17:06:32 +0100
Subject: [PATCH] Virt: Fix issues reported by selint

virt.te:  807: (C): Permissions in av rule not ordered (read_lnk_file_perms before ioctl) (C-005)
virt.te: 1843: (C): Permissions in av rule not ordered (create before connect) (C-005)
virt.te: 2038: (C): Permissions in av rule not ordered (setuid before setgid) (C-005)
virt.if:   51: (C): No comment before interface definition for virt_stub_svirt_sandbox_file (C-004)
virt.if:   82: (W): Attribute virt_image_type is listed in require block but not used in interface (W-003)
virt.if:   83: (W): Attribute virt_tmpfs_type is listed in require block but not used in interface (W-003)
virt.if:  100: (W): Type qemu_exec_t is used in interface but not required (W-002)
virt.if:  151: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if:  152: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if:  153: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if:  154: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if:  155: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if:  876: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)
virt.if:  971: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)
virt.if:  996: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)
virt.if: 1246: (W): Definition of declared type virt_bridgehelper_t not found in own module, but in module virt_supplementary (W-011)
virt.if: 1717: (S): Permission macro rw_file_perms does not match class chr_file (S-009)
virt_supplementary.te:283: (S): Permission macro read_file_perms does not match class dir (S-009)

Also, replace spaces in the virt_prog_run_bpf interface with tabs and remove
some trailing whitespace.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 policy/modules/contrib/virt.if               | 52 +++++++++++---------
 policy/modules/contrib/virt.te               |  8 +--
 policy/modules/contrib/virt_supplementary.if | 19 +++++++
 policy/modules/contrib/virt_supplementary.te |  5 +-
 4 files changed, 54 insertions(+), 30 deletions(-)

diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 12bdc698e..cbff92e4d 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -48,6 +48,17 @@ interface(`virt_stub_container_image',`
 	')
 ')
 
+########################################
+## <summary>
+##	container_file_t and container_ro_file_t stub interface.
+##	No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`virt_stub_svirt_sandbox_file',`
 	gen_require(`
 		type container_file_t;
@@ -68,8 +79,7 @@ interface(`virt_stub_svirt_sandbox_file',`
 #
 template(`virt_domain_template',`
 	gen_require(`
-		attribute virt_image_type, virt_domain;
-		attribute virt_tmpfs_type;
+		attribute virt_domain;
 		attribute virt_ptynode;
 		type virtlogd_t;
 	')
@@ -97,14 +107,8 @@ template(`virt_domain_template',`
 	allow $1_t virtlogd_t:fd use;
 	allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
 
-	optional_policy(`
-		gen_require(`
-			type qemu_exec_t;
-		')
+	qemu_entry_type($1_t)
 
-		application_executable_file(qemu_exec_t)
-		domain_entry_file($1_t, qemu_exec_t)
-	')
 ')
 
 ######################################
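Review bot: The added `qemu_entry_type($1_t)` call in virt_domain_template sits outside any `optional_policy` block, whereas the lines it replaces were wrapped in one. qemu_entry_type is not defined anywhere in this patch; if it requires `qemu_exec_t`, which virt_supplementary.te declares, then every domain built from this template fails to link when that module is absent. The same commit keeps `virt_bridgehelper_role($2)` in virt_transition_svirt inside an optional block, so the two cross-module calls are handled inconsistently. I would put `qemu_entry_type($1_t)` back inside the optional block and drop the blank line left before the template's closing quote. The template body starts above this hunk.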
@@ -125,6 +129,7 @@ template(`virt_driver_template',`
 		attribute virt_driver_var_run;
 		type virtd_t;
 		type virtqemud_t;
+		type virt_common_var_run_t;
 		type virt_etc_t;
 		type virt_etc_rw_t;
 		type virt_var_run_t;
@@ -298,20 +303,20 @@ interface(`virt_exec',`
 
 ########################################
 ## <summary>
-##      Allow caller domain to run bpftool.
+##	Allow caller domain to run bpftool.
 ## </summary>
 ## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`virt_prog_run_bpf',`
-        gen_require(`
-                type virtd_t;
-        ')
+	gen_require(`
+		type virtd_t;
+	')
 
-    allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };
+	allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };
 ')
 
 
@@ -867,7 +872,6 @@ interface(`virt_search_images',`
 #
 interface(`virt_read_images',`
 	gen_require(`
-		type virt_var_lib_t;
 		attribute virt_image_type;
 	')
 
@@ -962,7 +966,6 @@ interface(`virt_manage_cache',`
 #
 interface(`virt_manage_images',`
 	gen_require(`
-		type virt_var_lib_t;
 		attribute virt_image_type;
 	')
 
@@ -987,7 +990,6 @@ interface(`virt_manage_images',`
 #
 interface(`virt_manage_default_image_type',`
 	gen_require(`
-		type virt_var_lib_t;
 		type virt_image_t;
 	')
 
@@ -1249,15 +1251,16 @@ interface(`virt_stream_connect_sandbox',`
 interface(`virt_transition_svirt',`
 	gen_require(`
 		attribute virt_domain;
-		type virt_bridgehelper_t;
 		type svirt_image_t;
 		type svirt_socket_t;
 	')
 
 	allow $1 virt_domain:process transition;
 	role $2 types virt_domain;
-	role $2 types virt_bridgehelper_t;
 	role $2 types svirt_socket_t;
+	optional_policy(`
+		virt_bridgehelper_role($2)
+	')
 
 	allow $1 virt_domain:process { sigkill signal signull sigstop };
 	allow $1 svirt_image_t:file { relabelfrom relabelto };
@@ -1529,7 +1532,7 @@ interface(`virt_file_types',`
 
 ########################################
 ## <summary>
-##	Make the specified type usable as a svirt file type 
+##	Make the specified type usable as a svirt file type
 ## </summary>
 ## <param name="type">
 ##	<summary>
@@ -1720,9 +1723,10 @@ interface(`virt_rw_svirt_dev',`
 		type svirt_image_t;
 	')
 
-	allow $1 svirt_image_t:chr_file rw_file_perms;
+	allow $1 svirt_image_t:chr_file rw_chr_file_perms;
 ')
 
+
 ########################################
 ## <summary>
 ##	Read and write to svirt_image files.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 954098c8e..1ffc2faca 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -128,7 +128,7 @@ gen_tunable(virt_sandbox_use_netlink, false)
 # The following three tunables are not used anywhere in selinux-policy,
 # but they are referred to from container-selinux
 # virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps
- 
+
 ## <desc>
 ## <p>
 ## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -804,7 +804,7 @@ manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
 allow virtlogd_t virtlogd_etc_t:file read_file_perms;
 files_search_etc(virtlogd_t)
 allow virtlogd_t virt_etc_t:file read_file_perms;
-allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock };
+allow virtlogd_t virt_etc_t:lnk_file { ioctl lock read_lnk_file_perms };
 allow virtlogd_t virt_etc_t:dir search;
 
 manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)
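Review bot: The reordered rule for virtlogd_t on `virt_etc_t:lnk_file` still grants `ioctl` and `lock` on top of `read_lnk_file_perms`. Those two permissions look carried over from the file rule two lines above, and resolving a symlink should not need them. Unless an AVC denial shows otherwise, the rule could be reduced to `allow virtlogd_t virt_etc_t:lnk_file read_lnk_file_perms;`, which also removes the ordering issue selint flagged.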
@@ -1840,7 +1840,7 @@ allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
 allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };
 allow virtqemud_t self:tcp_socket create_socket_perms;
 allow virtqemud_t self:tun_socket create;
-allow virtqemud_t self:udp_socket { create connect getattr };
+allow virtqemud_t self:udp_socket { connect create getattr };
 
 allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
 allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
@@ -2035,7 +2035,7 @@ tunable_policy(`virt_transition_userdomain',`
 virt_sandbox_domain_template(svirt_kvm_net)
 typeattribute svirt_kvm_net_t sandbox_net_domain;
 
-allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search  fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource };
 dontaudit svirt_kvm_net_t self:capability2 block_suspend;
 
 tunable_policy(`virt_sandbox_use_netlink',`
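Review bot: The sorted capability rule for `svirt_kvm_net_t` has no comment explaining why a sandbox domain holds `sys_admin`, `sys_ptrace`, `sys_boot`, `dac_read_search` and `setpcap`. The reorder keeps the set unchanged (15 capabilities on both sides), so the commit widens nothing. Since the line is being rewritten anyway, a short comment above it would let a later reviewer tell deliberate grants from leftovers, for example `# TODO(review): record which svirt_kvm_net workloads need sys_admin, sys_boot and sys_ptrace`.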
diff --git a/policy/modules/contrib/virt_supplementary.if b/policy/modules/contrib/virt_supplementary.if
index f28bca97c..a95c2fc65 100644
--- a/policy/modules/contrib/virt_supplementary.if
+++ b/policy/modules/contrib/virt_supplementary.if
@@ -33,3 +33,22 @@ interface(`virt_exec_qemu',`
 
         can_exec($1, qemu_exec_t)
 ')
+
+
+########################################
+## <summary>
+##      Role access for virt_bridgehelper
+## </summary>
+## <param name="role">
+##      <summary>
+##      Role allowed access
+##      </summary>
+## </param>
+#
+interface(`virt_bridgehelper_role',`
+        gen_require(`
+                type virt_bridgehelper_t;
+        ')
+
+        role $1 types virt_bridgehelper_t;
+')
diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te
index 09344c947..b990063fc 100644
--- a/policy/modules/contrib/virt_supplementary.te
+++ b/policy/modules/contrib/virt_supplementary.te
@@ -31,6 +31,7 @@ gen_require(`
 ')
 
 type qemu_exec_t;
+application_executable_file(qemu_exec_t)
 
 type virt_qmf_t;
 type virt_qmf_exec_t;
@@ -278,8 +279,8 @@ optional_policy(`
 
 	domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
 
-	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
-	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
+	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;
+
 	allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
 
 	init_domtrans_script(virt_qemu_ga_unconfined_t)
-- 
2.30.2