diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2023-02-21 18:00:13 +0000 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2023-02-21 19:12:37 +0100 |
commit | 49024476309df1f6f32f34c40e793592687c9f26 (patch) | |
tree | 63b88c6a37ab9c5fd7fb6813cc33624160dd6809 | |
parent | 9136f74015106e938db6e91672d502d007d59816 (diff) | |
download | passt-49024476309df1f6f32f34c40e793592687c9f26.tar passt-49024476309df1f6f32f34c40e793592687c9f26.tar.gz passt-49024476309df1f6f32f34c40e793592687c9f26.tar.bz2 passt-49024476309df1f6f32f34c40e793592687c9f26.tar.lz passt-49024476309df1f6f32f34c40e793592687c9f26.tar.xz passt-49024476309df1f6f32f34c40e793592687c9f26.tar.zst passt-49024476309df1f6f32f34c40e793592687c9f26.zip |
selinux: Define interfaces for libvirt and similar frameworks
Services running passt will commonly need to transition to its
domain, terminate it, connect and write to its socket.
The init_daemon_domain() macro now defines the default transition to
the passt_t domain, using the passt_exec_t type.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r-- | contrib/selinux/passt.if | 26 | ||||
-rw-r--r-- | contrib/selinux/passt.te | 1 |
2 files changed, 27 insertions, 0 deletions
diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if index f689a99..893395b 100644 --- a/contrib/selinux/passt.if +++ b/contrib/selinux/passt.if @@ -15,3 +15,29 @@ interface(`passt_read_data',` allow $1 passt_t:dir { search add_name }; allow $1 passt_t:file { open read getattr }; ') + +interface(`passt_domtrans',` + gen_require(` + type passt_t, passt_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, passt_exec_t, passt_t) +') + +interface(`passt_socket',` + gen_require(` + type passt_t; + ') + + allow $1 user_tmp_t:sock_file write; + allow $1 passt_t:unix_stream_socket connectto; +') + +interface(`passt_kill',` + gen_require(` + type passt_t; + ') + + allow $1 passt_t:process { signal sigkill }; +') diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index b38304b..1f45fcd 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -56,6 +56,7 @@ type passt_t; domain_type(passt_t); type passt_exec_t; files_type(passt_exec_t); +init_daemon_domain(passt_t, passt_exec_t) type passt_log_t; logging_log_file(passt_log_t); type passt_pid_t; |