mirror of
https://passt.top/passt
synced 2024-07-02 07:52:41 +00:00
ca2749e1bd
In practical terms, passt doesn't benefit from the additional protection offered by the AGPL over the GPL, because it's not suitable to be executed over a computer network. Further, restricting the distribution under the version 3 of the GPL wouldn't provide any practical advantage either, as long as the passt codebase is concerned, and might cause unnecessary compatibility dilemmas. Change licensing terms to the GNU General Public License Version 2, or any later version, with written permission from all current and past contributors, namely: myself, David Gibson, Laine Stump, Andrea Bolognani, Paul Holzinger, Richard W.M. Jones, Chris Kuhn, Florian Weimer, Giuseppe Scrivano, Stefan Hajnoczi, and Vasiliy Ulyanov. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
121 lines
3.7 KiB
Plaintext
121 lines
3.7 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-or-later
|
|
#
|
|
# PASST - Plug A Simple Socket Transport
|
|
# for qemu/UNIX domain socket mode
|
|
#
|
|
# contrib/selinux/passt.te - SELinux profile: Type Enforcement for passt
|
|
#
|
|
# Copyright (c) 2022 Red Hat GmbH
|
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
policy_module(passt, 0.1)
|
|
|
|
require {
|
|
type unconfined_t;
|
|
role unconfined_r;
|
|
class process transition;
|
|
|
|
type bin_t;
|
|
type user_home_dir_t;
|
|
type fs_t;
|
|
type tmp_t;
|
|
type user_tmp_t;
|
|
type tmpfs_t;
|
|
type root_t;
|
|
|
|
class file { ioctl getattr setattr create read write unlink open relabelto execute execute_no_trans map };
|
|
class dir { search write add_name remove_name mounton };
|
|
class chr_file { append read write open getattr ioctl };
|
|
class filesystem { getattr mount unmount };
|
|
|
|
type console_device_t;
|
|
type user_devpts_t;
|
|
type devlog_t;
|
|
type syslogd_t;
|
|
type var_run_t;
|
|
class unix_dgram_socket { create connect sendto };
|
|
|
|
type net_conf_t;
|
|
type proc_net_t;
|
|
type node_t;
|
|
class tcp_socket { create accept listen name_bind name_connect };
|
|
class udp_socket { create accept listen };
|
|
class icmp_socket { bind create name_bind node_bind setopt read write };
|
|
class sock_file { create unlink write };
|
|
|
|
attribute port_type;
|
|
type port_t;
|
|
type http_port_t;
|
|
|
|
class netlink_route_socket { bind create nlmsg_read };
|
|
|
|
class capability sys_tty_config;
|
|
class cap_userns { setpcap sys_admin sys_ptrace };
|
|
}
|
|
|
|
type passt_t;
|
|
domain_type(passt_t);
|
|
type passt_exec_t;
|
|
files_type(passt_exec_t);
|
|
type passt_log_t;
|
|
logging_log_file(passt_log_t);
|
|
type passt_etc_t;
|
|
files_config_file(passt_etc_t);
|
|
|
|
role unconfined_r types passt_t;
|
|
|
|
allow passt_t passt_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;
|
|
type_transition unconfined_t passt_exec_t : process passt_t;
|
|
allow unconfined_t passt_t : process transition ;
|
|
|
|
init_daemon_domain(passt_t, passt_exec_t)
|
|
term_use_all_inherited_terms(passt_t)
|
|
|
|
allow passt_t bin_t:file { execute execute_no_trans map };
|
|
allow passt_t user_home_dir_t:dir { search add_name write };
|
|
allow passt_t user_home_dir_t:file { create open write };
|
|
allow passt_t root_t:dir mounton;
|
|
allow passt_t tmp_t:dir { add_name mounton remove_name write };
|
|
allow passt_t tmpfs_t:filesystem mount;
|
|
allow passt_t fs_t:filesystem unmount;
|
|
|
|
manage_files_pattern(passt_t, user_tmp_t, user_tmp_t)
|
|
files_pid_filetrans(passt_t, user_tmp_t, file)
|
|
|
|
allow passt_t console_device_t:chr_file { open write getattr ioctl };
|
|
allow passt_t user_devpts_t:chr_file { getattr read write ioctl };
|
|
logging_send_syslog_msg(passt_t)
|
|
allow syslogd_t self:cap_userns sys_ptrace;
|
|
|
|
allow passt_t self:process setcap;
|
|
allow passt_t self:capability { sys_tty_config setpcap net_bind_service };
|
|
allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace };
|
|
|
|
allow passt_t proc_net_t:file read;
|
|
allow passt_t net_conf_t:file { open read };
|
|
allow passt_t net_conf_t:lnk_file read;
|
|
allow passt_t tmp_t:sock_file { create unlink write };
|
|
allow passt_t self:netlink_route_socket { bind create nlmsg_read read write setopt };
|
|
|
|
corenet_tcp_bind_all_nodes(passt_t)
|
|
corenet_udp_bind_all_nodes(passt_t)
|
|
|
|
corenet_tcp_bind_all_ports(passt_t)
|
|
corenet_udp_bind_all_ports(passt_t)
|
|
|
|
corenet_tcp_connect_all_ports(passt_t)
|
|
|
|
corenet_tcp_sendrecv_all_ports(passt_t)
|
|
corenet_udp_sendrecv_all_ports(passt_t)
|
|
|
|
allow passt_t node_t:icmp_socket { name_bind node_bind };
|
|
allow passt_t port_t:icmp_socket name_bind;
|
|
|
|
allow passt_t self:tcp_socket { create getopt setopt connect bind listen accept shutdown read write };
|
|
allow passt_t self:udp_socket { create getopt setopt connect bind read write };
|
|
allow passt_t self:icmp_socket { bind create setopt read write };
|
|
|
|
allow passt_t user_tmp_t:dir { add_name write };
|
|
allow passt_t user_tmp_t:file { create open };
|
|
allow passt_t user_tmp_t:sock_file { create read write unlink };
|