-
Notifications
You must be signed in to change notification settings - Fork 1.3k
/
virt_launcher.cil
56 lines (56 loc) · 3.04 KB
/
virt_launcher.cil
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
; This is the custom SELinux policy for virt-launcher. This file is hopefully temporary.
; Applications running in regular container usually have container_t as an SELinux type.
; However, some applications running in virt-launcher (namely libvirtd) need more permissions.
(block virt_launcher
;
; In the virt_launcher block, everything we define will be prefixed with "virt_launcher."
; Therefore, every mention of "process" really means "virt_launcher.process".
;
; virt_launcher.process is defined as a run-able domain type
(type process)
(roletype system_r process)
(typeattributeset domain (process))
;
; Giving virt_launcher.process the same attributes as container_t
(typeattributeset container_domain (process))
(typeattributeset container_net_domain (process))
(typeattributeset svirt_sandbox_domain (process))
(typeattributeset sandbox_net_domain (process))
; This one is particularly important, without it the type would not be mcs-constrained.
; MCS is leveraged by container_t and others, like us, to prevent cross-pod communication.
(typeattributeset mcs_constrained_type (process))
;
;
; Adding the permissions missing from container_t to be able to run programs like libvirtd
; The list of "allow" rules should be as short and as documented as possible
;
;
; Allowing virt-launcher to read files under /proc
; libvirtd seems to run fine without it, but it will trigger AVCs without the permission.
; This could potentially be replaced by a dontaudit, here or upstream (better)
(allow process proc_type (file (getattr open read)))
;
; Allowing libvirtd to relay network-related debug messages
; libvirtd seems to run fine without it.
; There is already a dontaudit covering it, removing the permission would not trigger AVCs.
; However, without this permission, there would be a lot of warnings poluting the logs.
(allow process self (netlink_audit_socket (nlmsg_relay)))
;
; Allowing tun sockets to be relabelled from "virt_launcher.process" to itself.
; That might seem useless, but when libvirtd adds a tun socket to a network multiqueue,
; that triggers a relabelling, even if the label is already correct.
; "relabelfrom" and "relabelto" were added upstream and won't be necessary in the future.
; It is unclear if "attach_queue" is actually needed
(allow process self (tun_socket (relabelfrom relabelto attach_queue)))
;
; Allowing libvirtd to access the hugetlbfs to setup huge tables.
; Huge tables won't work without it, unless the memory backend is memfd.
; The 2 following rules could be removed if memfd was the only supported memoty backend.
(allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr)))
(allow process hugetlbfs_t (file (create unlink)))
;
; This is needed to allow virtiofs to mount filesystem and access NFS
(allow process nfs_t (dir (mounton)))
(allow process proc_t (dir (mounton)))
(allow process proc_t (filesystem (mount unmount)))
)