-
Notifications
You must be signed in to change notification settings - Fork 30
/
os-virt.te
46 lines (41 loc) · 1.37 KB
/
os-virt.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
policy_module(os-virt,0.1)
gen_require(`
type container_file_t;
type systemd_logind_t;
type systemd_logind_inhibit_var_run_t;
type virtlogd_t;
type virt_var_run_t;
type svirt_t;
type spc_t;
type unlabeled_t;
class dbus send_msg;
class fifo_file write;
class tun_socket attach_queue;
')
# #1561711 - work around inability to send message
# over dbus. Will be superseded once #1547250 is
# fixed.
allow virtlogd_t systemd_logind_t:dbus send_msg;
allow systemd_logind_t virtlogd_t:dbus send_msg;
allow virtlogd_t systemd_logind_inhibit_var_run_t:fifo_file write;
# allow access to /var/lib/nova directories which are labeled with container_file_t
# This is required for https://issues.redhat.com//browse/OSPRH-960
manage_files_pattern(virtlogd_t, container_file_t, container_file_t)
allow virtlogd_t self:capability dac_override;
# #1566973
# Tunable to allow virtlogd to write to NFS
gen_tunable(os_virtlogd_use_nfs, false)
tunable_policy(`os_virtlogd_use_nfs',`
fs_manage_nfs_dirs(virtlogd_t)
fs_manage_nfs_files(virtlogd_t)
fs_read_nfs_symlinks(virtlogd_t)
')
# Bugzilla 1642102
allow svirt_t spc_t:tun_socket attach_queue;
# Bugzilla 1751300
allow spc_t unlabeled_t:key manage_key_perms;
# Bugzilla 2007314
gen_tunable(os_enable_vtpm, false)
tunable_policy(`os_enable_vtpm',`
manage_sock_files_pattern(svirt_t, container_file_t, container_file_t)
')