From bd3ddbe970be466a8fcaef5460ab0b701948c194 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 22 Mar 2022 17:06:32 +0100
Subject: [PATCH] Virt: Fix issues reported by selint
virt.te: 807: (C): Permissions in av rule not ordered (read_lnk_file_perms before ioctl) (C-005)
virt.te: 1843: (C): Permissions in av rule not ordered (create before connect) (C-005)
virt.te: 2038: (C): Permissions in av rule not ordered (setuid before setgid) (C-005)
virt.if: 51: (C): No comment before interface definition for virt_stub_svirt_sandbox_file (C-004)
virt.if: 82: (W): Attribute virt_image_type is listed in require block but not used in interface (W-003)
virt.if: 83: (W): Attribute virt_tmpfs_type is listed in require block but not used in interface (W-003)
virt.if: 100: (W): Type qemu_exec_t is used in interface but not required (W-002)
virt.if: 151: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if: 152: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if: 153: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if: 154: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if: 155: (W): Type virt_common_var_run_t is used in interface but not required (W-002)
virt.if: 876: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)
virt.if: 971: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)
virt.if: 996: (W): Type virt_var_lib_t is listed in require block but not used in interface (W-003)
virt.if: 1246: (W): Definition of declared type virt_bridgehelper_t not found in own module, but in module virt_supplementary (W-011)
virt.if: 1717: (S): Permission macro rw_file_perms does not match class chr_file (S-009)
virt_supplementary.te:283: (S): Permission macro read_file_perms does not match class dir (S-009)
Also, replace spaces in virt_prog_run_bpf interface with tabs and remove
some trailing whitespaces.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policy/modules/contrib/virt.if | 52 +++++++++++---------
policy/modules/contrib/virt.te | 8 +--
policy/modules/contrib/virt_supplementary.if | 19 +++++++
policy/modules/contrib/virt_supplementary.te | 5 +-
4 files changed, 54 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
index 12bdc698e..cbff92e4d 100644
--- a/policy/modules/contrib/virt.if
+++ b/policy/modules/contrib/virt.if
@@ -48,6 +48,17 @@ interface(`virt_stub_container_image',`
')
')
+########################################
+## <summary>
+## container_file_t and container_ro_file_t stub interface.
+## No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`virt_stub_svirt_sandbox_file',`
gen_require(`
type container_file_t;
@@ -68,8 +79,7 @@ interface(`virt_stub_svirt_sandbox_file',`
#
template(`virt_domain_template',`
gen_require(`
- attribute virt_image_type, virt_domain;
- attribute virt_tmpfs_type;
+ attribute virt_domain;
attribute virt_ptynode;
type virtlogd_t;
')
@@ -97,14 +107,8 @@ template(`virt_domain_template',`
allow $1_t virtlogd_t:fd use;
allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
- optional_policy(`
- gen_require(`
- type qemu_exec_t;
- ')
+ qemu_entry_type($1_t)
- application_executable_file(qemu_exec_t)
- domain_entry_file($1_t, qemu_exec_t)
- ')
')
######################################
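Review bot: `qemu_entry_type($1_t)` is now called unconditionally, while the block it replaces was wrapped in `optional_policy(...)` so that the template still built when the module declaring qemu_exec_t was absent; if qemu_entry_type is provided by a module that can be left out of a build (it is not defined anywhere in this patch, so this is inferred), the call should stay inside an optional_policy block as the removed lines did, i.e. `optional_policy(` / `qemu_entry_type($1_t)` / `')`. The `application_executable_file(qemu_exec_t)` that is dropped here is re-added in virt_supplementary.te next to the `type qemu_exec_t;` declaration, so that part of the old block is covered. The body of virt_domain_template starts before this hunk.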
@@ -125,6 +129,7 @@ template(`virt_driver_template',`
attribute virt_driver_var_run;
type virtd_t;
type virtqemud_t;
+ type virt_common_var_run_t;
type virt_etc_t;
type virt_etc_rw_t;
type virt_var_run_t;
@@ -298,20 +303,20 @@ interface(`virt_exec',`
########################################
## <summary>
-## Allow caller domain to run bpftool.
+## Allow caller domain to run bpftool.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
#
interface(`virt_prog_run_bpf',`
- gen_require(`
- type virtd_t;
- ')
+ gen_require(`
+ type virtd_t;
+ ')
- allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };
+ allow $1 virtd_t:bpf { map_create map_read map_write prog_load prog_run };
')
@@ -867,7 +872,6 @@ interface(`virt_search_images',`
#
interface(`virt_read_images',`
gen_require(`
- type virt_var_lib_t;
attribute virt_image_type;
')
@@ -962,7 +966,6 @@ interface(`virt_manage_cache',`
#
interface(`virt_manage_images',`
gen_require(`
- type virt_var_lib_t;
attribute virt_image_type;
')
@@ -987,7 +990,6 @@ interface(`virt_manage_images',`
#
interface(`virt_manage_default_image_type',`
gen_require(`
- type virt_var_lib_t;
type virt_image_t;
')
@@ -1249,15 +1251,16 @@ interface(`virt_stream_connect_sandbox',`
interface(`virt_transition_svirt',`
gen_require(`
attribute virt_domain;
- type virt_bridgehelper_t;
type svirt_image_t;
type svirt_socket_t;
')
allow $1 virt_domain:process transition;
role $2 types virt_domain;
- role $2 types virt_bridgehelper_t;
role $2 types svirt_socket_t;
+ optional_policy(`
+ virt_bridgehelper_role($2)
+ ')
allow $1 virt_domain:process { sigkill signal signull sigstop };
allow $1 svirt_image_t:file { relabelfrom relabelto };
@@ -1529,7 +1532,7 @@ interface(`virt_file_types',`
########################################
## <summary>
-## Make the specified type usable as a svirt file type
+## Make the specified type usable as a svirt file type
## </summary>
## <param name="type">
## <summary>
@@ -1720,9 +1723,10 @@ interface(`virt_rw_svirt_dev',`
type svirt_image_t;
')
- allow $1 svirt_image_t:chr_file rw_file_perms;
+ allow $1 svirt_image_t:chr_file rw_chr_file_perms;
')
+
########################################
## <summary>
## Read and write to svirt_image files.
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 954098c8e..1ffc2faca 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -128,7 +128,7 @@ gen_tunable(virt_sandbox_use_netlink, false)
# The following three tunables are not used anywhere in selinux-policy,
# but they are referred to from container-selinux
# virt_sandbox_use_sys_admin virt_sandbox_use_mknod virt_sandbox_use_all_caps
-
+
## <desc>
## <p>
## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -804,7 +804,7 @@ manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
allow virtlogd_t virtlogd_etc_t:file read_file_perms;
files_search_etc(virtlogd_t)
allow virtlogd_t virt_etc_t:file read_file_perms;
-allow virtlogd_t virt_etc_t:lnk_file { read_lnk_file_perms ioctl lock };
+allow virtlogd_t virt_etc_t:lnk_file { ioctl lock read_lnk_file_perms };
allow virtlogd_t virt_etc_t:dir search;
manage_dirs_pattern(virtlogd_t, virt_etc_rw_t, virt_etc_rw_t)
@@ -1840,7 +1840,7 @@ allow virtqemud_t self:netlink_audit_socket { nlmsg_relay read write };
allow virtqemud_t self:process { setcap setexec setrlimit setsched setsockcreate };
allow virtqemud_t self:tcp_socket create_socket_perms;
allow virtqemud_t self:tun_socket create;
-allow virtqemud_t self:udp_socket { create connect getattr };
+allow virtqemud_t self:udp_socket { connect create getattr };
allow virtqemud_t svirt_t:process { getattr setsched signal signull transition };
allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms };
@@ -2035,7 +2035,7 @@ tunable_policy(`virt_transition_userdomain',`
virt_sandbox_domain_template(svirt_kvm_net)
typeattribute svirt_kvm_net_t sandbox_net_domain;
-allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+allow svirt_kvm_net_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_ptrace sys_resource };
dontaudit svirt_kvm_net_t self:capability2 block_suspend;
tunable_policy(`virt_sandbox_use_netlink',`
diff --git a/policy/modules/contrib/virt_supplementary.if b/policy/modules/contrib/virt_supplementary.if
index f28bca97c..a95c2fc65 100644
--- a/policy/modules/contrib/virt_supplementary.if
+++ b/policy/modules/contrib/virt_supplementary.if
@@ -33,3 +33,22 @@ interface(`virt_exec_qemu',`
can_exec($1, qemu_exec_t)
')
+
+
+########################################
+## <summary>
+## Role access for virt_bridgehelper
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`virt_bridgehelper_role',`
+ gen_require(`
+ type virt_bridgehelper_t;
+ ')
+
+ role $1 types virt_bridgehelper_t;
+')
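Review bot: Two consecutive blank lines are added before the new interface (the two `+` lines right after the closing `')` of virt_exec_qemu), whereas the rest of this file and of the patch separate interfaces with a single blank line; drop one of them. The summary `Role access for virt_bridgehelper` could state what is actually granted, e.g. `Allow the specified role to be associated with the virt_bridgehelper_t domain.`, and the parameter summary should end with a period (`Role allowed access.`) to match the surrounding interface comments. It is also worth saying in the summary that the `role $1 types` statement only authorizes the role/type pair and does not by itself allow any domain transition into virt_bridgehelper_t, so callers such as virt_transition_svirt still have to grant that separately.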
diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te
index 09344c947..b990063fc 100644
--- a/policy/modules/contrib/virt_supplementary.te
+++ b/policy/modules/contrib/virt_supplementary.te
@@ -31,6 +31,7 @@ gen_require(`
')
type qemu_exec_t;
+application_executable_file(qemu_exec_t)
type virt_qmf_t;
type virt_qmf_exec_t;
@@ -278,8 +279,8 @@ optional_policy(`
domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
- allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
- allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir list_dir_perms;
+
allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
init_domtrans_script(virt_qemu_ga_unconfined_t)
--
2.30.2