-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathos-nova.te
156 lines (131 loc) · 4.24 KB
/
os-nova.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
policy_module(os-nova,0.1)
gen_require(`
type nova_t;
type nova_network_t;
type nova_var_lib_t;
type nova_api_t;
type nova_scheduler_t;
type nova_console_t;
type nova_cert_t;
type cert_t;
type nova_log_t;
type httpd_t;
type netutils_exec_t;
type virtd_t;
type virt_image_t;
type svirt_t;
type svirt_image_t;
type svirt_tcg_t;
type virtlogd_t;
type virt_log_t;
type iptables_t;
type modules_conf_t;
type container_share_t;
type container_runtime_t;
attribute nova_domain;
class key write;
class packet_socket { bind create getattr };
class capability { dac_override net_raw sys_ptrace kill };
class capability2 block_suspend;
class file { getattr read write open create execute execute_no_trans entrypoint };
class sock_file write;
class dir { add_name write search read };
class lnk_file read;
class process sigchld;
')
# Bugzilla 1181428
iscsid_domtrans(virtd_t);
# Bugzilla 1170839
allow nova_network_t netutils_exec_t:file { read execute open execute_no_trans };
allow nova_network_t self:packet_socket { bind create getattr };
netutils_domtrans(nova_network_t)
# Bugzilla 1149975
allow nova_scheduler_t cert_t:dir search;
# from upstream - Bugzilla 1107861
auth_read_passwd(nova_domain)
init_read_utmp(nova_domain)
# Bugzilla 1095869
# Allow create/modify/delete virtual networks
allow nova_network_t self:capability { net_raw sys_ptrace kill };
allow nova_network_t self:capability2 block_suspend;
# Bugzilla 1210271
allow svirt_t nova_var_lib_t:lnk_file read;
# Bugzilla 1211628
allow svirt_t nova_var_lib_t:file write;
allow svirt_tcg_t nova_var_lib_t:file write;
# Bugzilla 1315457
allow httpd_t nova_log_t:dir { add_name write };
allow httpd_t nova_log_t:file { open create };
# Bugzilla 1375766
nova_manage_lib_files(virtlogd_t)
# Bugzilla 1377272
gen_tunable(os_virtlog_dac_override, false)
tunable_policy(`os_virtlog_dac_override',`
allow virtlogd_t self:capability dac_override;
')
# Bugzilla #1499800 (workaround)
# src: https://eucalyptus.atlassian.net/browse/EUCA-13447
create_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
delete_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
rename_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
delete_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)
rename_files_pattern(virtlogd_t, virt_image_t, svirt_image_t)
filetrans_pattern(virtlogd_t, virt_image_t, virt_log_t, file, "console.log")
# Bugzilla 1249685
gen_tunable(os_nova_use_execmem, false)
tunable_policy(`os_nova_use_execmem',`
allow nova_api_t self:process execmem;
allow nova_cert_t self:process execmem;
allow nova_console_t self:process execmem;
allow nova_scheduler_t self:process execmem;
')
kernel_rw_net_sysctls(nova_network_t)
dev_rw_vhost(nova_network_t)
optional_policy(`
gen_require(`
type nova_t;
type httpd_config_t;
class dir search;
class process execmem;
')
# bugzilla 1281547
allow nova_t httpd_config_t:dir search;
# bugzilla 1280101
allow nova_t self:process execmem;
')
# Bug 1430402
optional_policy(`
mysql_read_config(nova_t)
')
# Bug 1494907 and related
allow iptables_t modules_conf_t:file read_file_perms;
optional_policy(`
gen_require(`
type systemd_machined_t;
type container_runtime_t;
type container_share_t;
type container_unit_file_t;
type svirt_sandbox_file_t;
type spc_t;
')
# presumably this is "init_start|stop|status"
allow systemd_machined_t container_unit_file_t:service { start stop status };
# Already present in 2.26
virt_transition_svirt(spc_t, system_r)
virt_sandbox_entrypoint(svirt_sandbox_file_t)
# Needs fixed in >2.26
allow svirt_t container_runtime_t:process sigchld;
container_read_share_files(svirt_t)
allow svirt_t container_share_t:file { entrypoint execute };
allow svirt_t spc_t:dir search;
allow svirt_t spc_t:fifo_file write_file_perms;
allow svirt_t spc_t:file read_file_perms;
')
# Requested for podman container engine
allow svirt_tcg_t container_runtime_t:process sigchld;
allow svirt_tcg_t container_share_t:file { execute getattr read entrypoint open };
allow svirt_tcg_t container_share_t:lnk_file read;
allow svirt_tcg_t container_share_t:dir read;
# Bug 1640528
auth_use_pam(nova_t)
init_rw_utmp(nova_t)