aboutgitcodebugslistschat
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2023-02-21 18:00:13 +0000
committerStefano Brivio <sbrivio@redhat.com>2023-02-21 19:12:37 +0100
commit49024476309df1f6f32f34c40e793592687c9f26 (patch)
tree63b88c6a37ab9c5fd7fb6813cc33624160dd6809
parent9136f74015106e938db6e91672d502d007d59816 (diff)
downloadpasst-49024476309df1f6f32f34c40e793592687c9f26.tar
passt-49024476309df1f6f32f34c40e793592687c9f26.tar.gz
passt-49024476309df1f6f32f34c40e793592687c9f26.tar.bz2
passt-49024476309df1f6f32f34c40e793592687c9f26.tar.lz
passt-49024476309df1f6f32f34c40e793592687c9f26.tar.xz
passt-49024476309df1f6f32f34c40e793592687c9f26.tar.zst
passt-49024476309df1f6f32f34c40e793592687c9f26.zip
selinux: Define interfaces for libvirt and similar frameworks
Services running passt will commonly need to transition to its domain, terminate it, connect and write to its socket. The init_daemon_domain() macro now defines the default transition to the passt_t domain, using the passt_exec_t type. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r--contrib/selinux/passt.if26
-rw-r--r--contrib/selinux/passt.te1
2 files changed, 27 insertions, 0 deletions
diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index f689a99..893395b 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -15,3 +15,29 @@ interface(`passt_read_data',`
allow $1 passt_t:dir { search add_name };
allow $1 passt_t:file { open read getattr };
')
+
+interface(`passt_domtrans',`
+ gen_require(`
+ type passt_t, passt_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passt_exec_t, passt_t)
+')
+
+interface(`passt_socket',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow $1 user_tmp_t:sock_file write;
+ allow $1 passt_t:unix_stream_socket connectto;
+')
+
+interface(`passt_kill',`
+ gen_require(`
+ type passt_t;
+ ')
+
+ allow $1 passt_t:process { signal sigkill };
+')
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index b38304b..1f45fcd 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -56,6 +56,7 @@ type passt_t;
domain_type(passt_t);
type passt_exec_t;
files_type(passt_exec_t);
+init_daemon_domain(passt_t, passt_exec_t)
type passt_log_t;
logging_log_file(passt_log_t);
type passt_pid_t;