@aschmidt75
Created March 17, 2015 11:54
cut down selinux module, based off svirt_lxc_net_t
# Module "virttest", version 1.0: a reduced sandbox policy for the
# svirt_lxc_mynet_t domain (the description says it is derived from
# svirt_lxc_net_t).  Everything below is additive: the rules only widen
# what the domain may do on top of the template it is built from.
policy_module(virttest, 1.0);
# Symbols owned by other modules (presumably the base virt policy) that
# this module references.  Note that svirt_lxc_mynet_t is required here
# and is also the argument to virt_sandbox_domain_template() below;
# NOTE(review): if the template declares that type itself, confirm the
# module still links without a declared-and-required conflict.
gen_require( type svirt_sandbox_file_t; )
gen_require( type svirt_lxc_mynet_t; )
gen_require( type virt_lxc_var_run_t; )
gen_require( attribute sandbox_net_domain; )
########################################
#
# svirt_lxc_mynet_t local policy
#
# Base sandbox domain setup; what the template grants is defined outside
# this file and is not visible here.
virt_sandbox_domain_template(svirt_lxc_mynet)
# Every rule written elsewhere against the sandbox_net_domain attribute
# now also applies to this domain.
typeattribute svirt_lxc_mynet_t sandbox_net_domain;
# Capabilities granted unconditionally.  dac_override, dac_read_search,
# sys_ptrace, sys_chroot and setuid/setgid are the ones that most widen
# what a process in the sandbox can reach; keep this set to what the
# workload actually needs.
allow svirt_lxc_mynet_t self:capability { kill setuid setgid ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace };
# Denial is silenced from the audit log, not granted.
dontaudit svirt_lxc_mynet_t self:capability2 block_suspend;
# Executable stack and executable anonymous memory for the domain itself
# (relaxes the W^X checks SELinux would otherwise enforce on it).
allow svirt_lxc_mynet_t self:process { execstack execmem };
# sys_admin only when the virt_sandbox_use_sys_admin boolean is enabled.
tunable_policy(`virt_sandbox_use_sys_admin',`
allow svirt_lxc_mynet_t self:capability sys_admin;
')
# Netlink sockets only when virt_sandbox_use_netlink is enabled; with the
# boolean off, attempts to send audit messages are silently denied instead.
tunable_policy(`virt_sandbox_use_netlink',`
allow svirt_lxc_mynet_t self:netlink_socket create_socket_perms;
allow svirt_lxc_mynet_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow svirt_lxc_mynet_t self:netlink_kobject_uevent_socket create_socket_perms;
', `
logging_dontaudit_send_audit_msgs(svirt_lxc_mynet_t)
')
# Read-only access to the libvirt LXC runtime directory and its files.
allow svirt_lxc_mynet_t virt_lxc_var_run_t:dir list_dir_perms;
allow svirt_lxc_mynet_t virt_lxc_var_run_t:file read_file_perms;
# Read access to kernel interfaces and devices: IRQ sysctls, the kernel
# message ring, sysfs, the MTRR device (getattr only), /dev/random and
# /dev/urandom, and the kernel module tree.
kernel_read_irq_sysctls(svirt_lxc_mynet_t)
kernel_read_messages(svirt_lxc_mynet_t)
dev_read_sysfs(svirt_lxc_mynet_t)
dev_getattr_mtrr_dev(svirt_lxc_mynet_t)
dev_read_rand(svirt_lxc_mynet_t)
dev_read_urand(svirt_lxc_mynet_t)
files_read_kernel_modules(svirt_lxc_mynet_t)
# Marks the sandbox file type as a filesystem type without xattr labels.
fs_noxattr_type(svirt_sandbox_file_t)
# Do we actually need these?
# Mounting cgroupfs plus full manage rights on its directories and files
# is a broad grant for a sandboxed domain; the open question above is
# worth answering before shipping this module.
fs_mount_cgroup(svirt_lxc_mynet_t)
fs_manage_cgroup_dirs(svirt_lxc_mynet_t)
fs_manage_cgroup_files(svirt_lxc_mynet_t)
# Needed for docker
fs_unmount_xattr_fs(svirt_lxc_mynet_t)
# Lets the sandbox file type be used as a pty.
term_pty(svirt_sandbox_file_t)
# Name-service lookups (NSS), RPM database reads, and syslog writes.
auth_use_nsswitch(svirt_lxc_mynet_t)
rpm_read_db(svirt_lxc_mynet_t)
logging_send_syslog_msg(svirt_lxc_mynet_t)
# Audit-message sending is gated on the virt_sandbox_use_audit boolean.
tunable_policy(`virt_sandbox_use_audit',`
logging_send_audit_msgs(svirt_lxc_mynet_t)
')
# Access to user ptys.
userdom_use_user_ptys(svirt_lxc_mynet_t)