public inbox for passt-dev@passt.top
From: Stefano Brivio <sbrivio@redhat.com>
To: passt-dev@passt.top
Cc: Laine Stump <laine@redhat.com>, Andrea Bolognani <abologna@redhat.com>
Subject: [PATCH 4/4] contrib/selinux: Let interface users set paths for log, PID, socket files
Date: Tue,  7 Mar 2023 00:28:39 +0100
Message-ID: <20230306232839.1996920-5-sbrivio@redhat.com>
In-Reply-To: <20230306232839.1996920-1-sbrivio@redhat.com>

Even libvirt itself will configure passt to write log, PID and socket
files to different locations depending on whether the domain is
started as root (/var/log/libvirt/...) or as a regular user
(/var/log/<PID>/libvirt/...), and user_tmp_t would only cover the
latter.

Create interfaces for log and PID files, so that callers can specify
different file contexts for those, and modify the interface for the
UNIX socket file to allow different paths as well.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 contrib/selinux/passt.if | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if
index 893395b..6a6105c 100644
--- a/contrib/selinux/passt.if
+++ b/contrib/selinux/passt.if
@@ -30,8 +30,32 @@ interface(`passt_socket',`
 		type passt_t;
 	')
 
-	allow $1 user_tmp_t:sock_file write;
+	allow $1 $2:sock_file write;
 	allow $1 passt_t:unix_stream_socket connectto;
+
+	allow passt_t $2:sock_file { create read write unlink };
+')
+
+interface(`passt_logfile',`
+	gen_require(`
+		type passt_t;
+	')
+
+	logging_log_file($1);
+	allow passt_t $1:dir { search write add_name };
+	allow passt_t $1:file { create open read write };
+')
+
+interface(`passt_pidfile',`
+	gen_require(`
+		type passt_t;
+	')
+
+	allow $1 $2:file { open read unlink };
+
+	files_pid_file($2);
+	allow passt_t $2:dir { search write add_name };
+	allow passt_t $2:file { create open write };
 ')
 
 interface(`passt_kill',`
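Review bot: the new `passt_logfile` and `passt_pidfile` interfaces, and the extra `$2` parameter that `passt_socket` now takes, carry no `## <summary>` / `## <param>` documentation blocks in this hunk, and any existing caller of `passt_socket` that passes a single argument will now expand an empty `$2` in `allow $1 $2:sock_file write;` and fail to build; document the parameters and update the callers in the same series. Two smaller points: in `passt_pidfile`, the `unlink` granted to `$1` on `$2:file` is only usable if `$1` also has `remove_name` on the containing directory, which this interface does not grant (passt_t likewise gets `add_name` but no `remove_name`, so it can create but never remove its own PID file), and in `passt_logfile` the `{ create open read write }` set on `$1:file` lacks `append`, which SELinux checks instead of `write` when a log file is opened with O_APPEND.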
-- 
2.39.2


Thread overview: 6+ messages
2023-03-06 23:28 [PATCH 0/4] Further adjustments for SELinux policy files Stefano Brivio
2023-03-06 23:28 ` [PATCH 1/4] contrib/selinux: Drop duplicate init_daemon_domain() rule Stefano Brivio
2023-03-06 23:28 ` [PATCH 2/4] contrib/selinux: Let passt write to stdout and stderr when it starts Stefano Brivio
2023-03-06 23:28 ` [PATCH 3/4] contrib/selinux: Allow binding and connecting to all UDP and TCP ports Stefano Brivio
2023-03-06 23:28 ` Stefano Brivio [this message]
2023-03-08 21:05 ` [PATCH 0/4] Further adjustments for SELinux policy files Laine Stump