# Last Modified: Mon Apr 5 15:03:58 2010
#include <tunables/global>

# Name prefix shared with the per-guest profiles (presumably the ones emitted by
# virt-aa-helper): the libvirtd profile below may change_profile only into
# @{LIBVIRT}-<uuid>, and ptrace/signal rules address those peers as libvirt-*.
@{LIBVIRT}="libvirt"
# Profile for the libvirt management daemon. It confines libvirtd itself only
# loosely (see the "Very lenient" note below); the real isolation is meant to
# come from the per-guest profiles that libvirtd transitions into via
# change_profile. attach_disconnected: paths that are detached from the
# namespace root (which can happen after the mount moves below) are still
# mediated, as if rooted at /, instead of being denied outright.
/usr/sbin/libvirtd flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus>

  # Capabilities. Note that this set includes sys_admin and sys_module, which
  # are effectively root-equivalent on their own, plus dac_override,
  # dac_read_search, fowner and chown (file access irrespective of mode bits and
  # the ability to re-own files). Nothing in this profile restricts *how* these
  # are used; only the file/exec rules further down narrow the blast radius.
  capability kill,
  capability net_admin,
  capability net_raw,
  capability setgid,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_pacct,
  capability sys_nice,
  capability sys_chroot,
  capability setuid,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability chown,
  capability setpcap,
  capability mknod,
  capability fsetid,
  capability audit_write,
  capability ipc_lock,

  # Needed for vfio
  capability sys_resource,

  # Mount rules. The first lets the daemon re-mount / as a recursive slave
  # (rslave), i.e. mount-propagation setup for a private namespace. The rest
  # move /dev and its pts/shm/mqueue/hugepages submounts into a directory under
  # /{var/,}run/libvirt/qemu/ and back again; "*" matches a single path
  # component there, presumably one per domain (TODO confirm against the qemu
  # driver's namespace code). Only a nosuid filesystem may be newly mounted at
  # the *.dev/ location.
  mount options=(rw,rslave) -> /,
  mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,

  mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
  mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
  mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
  mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
  mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,

  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
  mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,

  # Networking: TCP/UDP over IPv4 and IPv6, raw netlink, and raw/datagram
  # packet sockets. The packet-socket rules together with net_raw above give
  # the daemon link-layer access; presumably for the nwfilter/DHCP snooping
  # code paths (TODO confirm), not for the management API itself.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,
  network netlink raw,
  network packet dgram,
  network packet raw,

  # for --p2p migrations
  # Stream unix-socket traffic with unconfined peers only; confined peers such
  # as guest processes are not covered by this rule.
  unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),

  # Tracing: libvirtd may ptrace itself, dnsmasq, the libvirt-* guest profiles,
  # and any unconfined process. With sys_ptrace granted above, the last rule is
  # the broadest one in this profile -- it allows reading the memory of any
  # unconfined process on the host.
  ptrace (trace) peer=unconfined,
  ptrace (trace) peer=/usr/sbin/libvirtd,
  ptrace (trace) peer=/usr/sbin/dnsmasq,
  ptrace (trace) peer=libvirt-*,

  signal (send) peer=/usr/sbin/dnsmasq,
  signal (read, send) peer=libvirt-*,

  # Very lenient profile for libvirtd since we want to first focus on confining
  # the guests. Guests will have a very restricted profile.
  # "/** rwmkl" is read/write/mmap/create/lock on the entire filesystem. The
  # only carve-outs are the "audit deny" rules further down; AppArmor gives
  # deny rules precedence over allow rules, so those still apply despite this
  # blanket grant.
  / r,
  /** rwmkl,

  # Exec transitions. PUx: run the target under its own profile if one is
  # loaded, otherwise unconfined; the capital letter means the environment is
  # scrubbed. Practical consequence: any tool in these directories that has no
  # profile of its own runs fully unconfined when spawned by libvirtd.
  # Ux (xen/bin/*) never even looks for a profile -- always unconfined.
  /bin/* PUx,
  /sbin/* PUx,
  /usr/bin/* PUx,
  # pix: virtlogd's own profile if loaded, otherwise inherit this one; unlike
  # the PUx rule for /usr/sbin/* below, it never falls back to unconfined.
  /usr/sbin/virtlogd pix,
  /usr/sbin/* PUx,
  /{usr/,}lib/udev/scsi_id PUx,
  /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
  /usr/{lib,lib64}/xen/bin/* Ux,
  /usr/lib/xen-*/bin/libxl-save-helper PUx,

  # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
  # read and run an ebtables script.
  # ix: the generated script inherits this profile rather than running
  # unconfined.
  /var/lib/libvirt/virtd* ixr,

  # force the use of virt-aa-helper
  # libvirtd must not load, replace or remove AppArmor policy itself: the
  # parser binary, write/exec/link on the libvirt profile directory, and the
  # apparmorfs feature/matching files plus its dot-prefixed control files
  # (the ".*" glob, e.g. .load/.replace/.remove) are denied with audit so any
  # attempt shows up in the log. Only the read-only profile listing stays open.
  # Reading /etc/apparmor.d/libvirt/** is still allowed via "/**" above.
  audit deny /{usr/,}sbin/apparmor_parser rwxl,
  audit deny /etc/apparmor.d/libvirt/** wxl,
  audit deny /sys/kernel/security/apparmor/features rwxl,
  audit deny /sys/kernel/security/apparmor/matching rwxl,
  audit deny /sys/kernel/security/apparmor/.* rwxl,
  /sys/kernel/security/apparmor/profiles r,

  # libvirt's private helpers: the glob uses PUx (own profile or unconfined),
  # but the two exact-path rules use ix so parthelper and iohelper inherit this
  # profile instead. AppArmor resolves the exec-mode conflict in favour of the
  # exact match, so the glob does not turn these two helpers unconfined.
  /usr/{lib,lib64}/libvirt/* PUxr,
  /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
  /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,

  # Hook scripts and Xen scripts run with ix, i.e. under this same (broad)
  # profile; anything dropped into these directories inherits libvirtd's
  # full capability set above.
  /etc/libvirt/hooks/** rmix,
  /etc/xen/scripts/** rmix,

  # allow changing to our UUID-based named profiles
  # @{LIBVIRT} is defined at the top of the file; the pattern is
  # libvirt-<8>-<4>-<4>-<4>-<12>-style hex groups, i.e. a domain UUID.
  change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,

  # Cx: run the bridge helper under the named child profile below rather than
  # inheriting libvirtd's capabilities; the helper is presumably setuid (it
  # asks for setuid/setgid/setpcap in the child), which is why it gets its own,
  # much smaller policy.
  /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,

  # child profile for bridge helper process
  # Deliberately minimal: a tap device, read-only config under /etc/qemu
  # (presumably the bridge ACL), its own /proc status, and net_admin to
  # attach the tap to a bridge. No filesystem write access anywhere.
  profile qemu_bridge_helper {
    #include <abstractions/base>

    capability setuid,
    capability setgid,
    capability setpcap,
    capability net_admin,

    network inet stream,

    /dev/net/tun rw,
    /etc/qemu/** r,
    owner @{PROC}/*/status r,

    # Re-exec of the helper itself stays inside this child profile (ix).
    /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
  }
}