Signed-off-by: Stefano Brivio --- contrib/selinux/passt.fc | 2 +- contrib/selinux/passt.if | 2 +- contrib/selinux/passt.te | 2 +- contrib/selinux/pasta.fc | 2 +- contrib/selinux/pasta.if | 2 +- contrib/selinux/pasta.te | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/contrib/selinux/passt.fc b/contrib/selinux/passt.fc index 286c868..88e388e 100644 --- a/contrib/selinux/passt.fc +++ b/contrib/selinux/passt.fc @@ -3,7 +3,7 @@ # PASST - Plug A Simple Socket Transport # for qemu/UNIX domain socket mode # -# contrib/selinux/passt.fc - SELinux profile example: File Context for passt +# contrib/selinux/passt.fc - SELinux profile: File Context for passt # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if index 6a6105c..a79a8ec 100644 --- a/contrib/selinux/passt.if +++ b/contrib/selinux/passt.if @@ -3,7 +3,7 @@ # PASST - Plug A Simple Socket Transport # for qemu/UNIX domain socket mode # -# contrib/selinux/passt.if - SELinux profile example: Interface File for passt +# contrib/selinux/passt.if - SELinux profile: Interface File for passt # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index 438155d..590ad40 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -3,7 +3,7 @@ # PASST - Plug A Simple Socket Transport # for qemu/UNIX domain socket mode # -# contrib/selinux/passt.te - SELinux profile example: Type Enforcement for passt +# contrib/selinux/passt.te - SELinux profile: Type Enforcement for passt # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio diff --git a/contrib/selinux/pasta.fc b/contrib/selinux/pasta.fc index f8fa0fa..e72b4ac 100644 --- a/contrib/selinux/pasta.fc +++ b/contrib/selinux/pasta.fc @@ -3,7 +3,7 @@ # PASTA - Pack A Subtle Tap Abstraction # for network namespace/tap device mode # -# contrib/selinux/pasta.fc - SELinux profile example: File Context for pasta +# contrib/selinux/pasta.fc - SELinux profile: File Context for pasta # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio diff --git a/contrib/selinux/pasta.if b/contrib/selinux/pasta.if index a42bfcd..149045a 100644 --- a/contrib/selinux/pasta.if +++ b/contrib/selinux/pasta.if @@ -3,7 +3,7 @@ # PASTA - Pack A Subtle Tap Abstraction # for network namespace/tap device mode # -# contrib/selinux/pasta.if - SELinux profile example: Interface File for pasta +# contrib/selinux/pasta.if - SELinux profile: Interface File for pasta # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 8986c0c..7856019 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -3,7 +3,7 @@ # PASTA - Pack A Subtle Tap Abstraction # for network namespace/tap device mode # -# contrib/selinux/pasta.te - SELinux profile example: Type Enforcement for pasta +# contrib/selinux/pasta.te - SELinux profile: Type Enforcement for pasta # # Copyright (c) 2022 Red Hat GmbH # Author: Stefano Brivio -- 2.39.2

...to fit accepted Fedora practices. Link: https://github.com/fedora-selinux/selinux-policy/pull/1613 Signed-off-by: Stefano Brivio --- contrib/selinux/passt.if | 71 ++++++++++++++++++++++++++++++++++------ 1 file changed, 61 insertions(+), 10 deletions(-) diff --git a/contrib/selinux/passt.if b/contrib/selinux/passt.if index 3e37c5b..f7560a7 100644 --- a/contrib/selinux/passt.if +++ b/contrib/selinux/passt.if @@ -17,37 +17,88 @@ interface(`passt_domtrans',` domtrans_pattern($1, passt_exec_t, passt_t) ') -interface(`passt_socket',` +interface(`passt_socket_dir',` + gen_require(` + type passt_t; + ') + + allow passt_t $1:dir add_entry_dir_perms; +') + +interface(`passt_socket_create',` + gen_require(` + type passt_t; + ') + + allow passt_t $1:sock_file create; +') + +interface(`passt_socket_use',` gen_require(` type passt_t; ') - allow $1 $2:sock_file write; allow $1 passt_t:unix_stream_socket connectto; + allow $1 $2:sock_file { read write }; + allow passt_t $2:sock_file { read write }; +') + +interface(`passt_socket_delete',` + gen_require(` + type passt_t; + ') + + allow $1 $2:sock_file unlink; +') + +interface(`passt_logfile_dir',` + gen_require(` + type passt_t; + ') - allow passt_t $2:sock_file { create read write unlink }; + allow passt_t $1:dir add_entry_dir_perms; ') -interface(`passt_logfile',` +interface(`passt_logfile_use',` gen_require(` type passt_t; ') logging_log_file($1); - allow passt_t $1:dir { search write add_name }; allow passt_t $1:file { create open read write }; ') -interface(`passt_pidfile',` +interface(`passt_pidfile_dir',` + gen_require(` + type passt_t; + ') + + allow passt_t $1:dir add_entry_dir_perms; +') + +interface(`passt_pidfile_write',` + gen_require(` + type passt_t; + ') + + files_pid_file($1); + allow passt_t $1:file { create open write }; +') + +interface(`passt_pidfile_read',` gen_require(` type passt_t; ') - allow $1 $2:file { open read unlink }; + allow $1 $2:file { open read }; +') + +interface(`passt_pidfile_delete',` + gen_require(` + type passt_t; + ') - files_pid_file($2); - allow passt_t $2:dir { search write add_name }; - allow passt_t $2:file { create open write }; + allow $1 $2:file unlink; ') interface(`passt_kill',` -- 2.39.2