From mboxrd@z Thu Jan  1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000)
	id 7D41E5A026C; Tue, 21 Feb 2023 19:39:15 +0100 (CET)
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Subject: [PATCH 2/6] selinux: Define interfaces for libvirt and similar frameworks
Date: Tue, 21 Feb 2023 19:39:11 +0100
Message-Id: <20230221183915.3740123-3-sbrivio@redhat.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230221183915.3740123-1-sbrivio@redhat.com>
References: <20230221183915.3740123-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: TDCY3DVT3CZKZZ32USBED6RHIDGPUDNF
X-Message-ID-Hash: TDCY3DVT3CZKZZ32USBED6RHIDGPUDNF
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Laine Stump <laine@redhat.com>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20230221183915.3740123-3-sbrivio@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/TDCY3DVT3CZKZZ32USBED6RHIDGPUDNF/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

Services running passt will commonly need to transition to its
domain, terminate it, connect and write to its socket.

The init_daemon_domain() macro now defines the default transition to
the passt_t domain, using the passt_exec_t type.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/selinux/passt.if | 26 ++++++++++++++++++++++++++
 contrib/selinux/passt.te |  1 +
 2 files changed, 27 insertions(+)

diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index f689a99..893395b 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -15,3 +15,29 @@ interface(`passt_read_data',`
 	allow $1 passt_t:dir { search add_name };
 	allow $1 passt_t:file { open read getattr };
 ')
+
+interface(`passt_domtrans',`
+	gen_require(`
+		type passt_t, passt_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, passt_exec_t, passt_t)
+')
+
+interface(`passt_socket',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow $1 user_tmp_t:sock_file write;
+	allow $1 passt_t:unix_stream_socket connectto;
+')
+
+interface(`passt_kill',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow $1 passt_t:process { signal sigkill };
+')
diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te
index b38304b..1f45fcd 100644
--- a/contrib/selinux/passt.te
+++ b/contrib/selinux/passt.te
@@ -56,6 +56,7 @@ type passt_t;
 domain_type(passt_t);
 type passt_exec_t;
 files_type(passt_exec_t);
+init_daemon_domain(passt_t, passt_exec_t)
 type passt_log_t;
 logging_log_file(passt_log_t);
 type passt_pid_t;
-- 
2.39.1