[PATCH 0/6] selinux: Assorted fixes, libvirt support
This series exports interfaces that are useful for libvirt, updates type
enforcement rules to current needs, and fixes some issues.

Stefano Brivio (6):
  selinux/passt.if: Fix typo in passt_read_data interface definition
  selinux: Define interfaces for libvirt and similar frameworks
  selinux: Switch to a more reasonable model for PID and socket files
  selinux/passt.te: Allow setcap on the process itself
  selinux/passt.te: Allow /etc/resolv.conf symlinks to be followed
  selinux/passt.te: Allow setting socket option on routing netlink socket

 contrib/selinux/passt.fc |  1 -
 contrib/selinux/passt.if | 28 +++++++++++++++++++++++++++-
 contrib/selinux/passt.te | 16 +++++++++++-----
 3 files changed, 38 insertions(+), 7 deletions(-)

-- 
2.39.1
[PATCH 1/6] selinux/passt.if: Fix typo in passt_read_data interface definition

This is an example interface, currently unused, so it went undetected:
m4 macros need a backtick at the beginning of a block instead of a
single quote.

Fixes: 1f4b7fa0d75d ("passt, pasta: Add examples of SELinux policy modules")
Signed-off-by: Stefano Brivio
[PATCH 2/6] selinux: Define interfaces for libvirt and similar frameworks

Services running passt will commonly need to transition to its
domain, terminate it, connect and write to its socket.

The init_daemon_domain() macro now defines the default transition to
the passt_t domain, using the passt_exec_t type.

Signed-off-by: Stefano Brivio
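Patch 1 states the m4 quoting rule for interface blocks and patch 2 lists what a management service such as libvirt needs from the policy: a transition into the passt_t domain, a way to terminate passt, and connect and write access to its socket. The interface file below is an added illustration written for this page in refpolicy style; it is not the policy shipped by the passt project nor the diff of this series. The interface names passt_domtrans, passt_kill and passt_socket_connect are my own choice, as is the assumption that the socket file lives in a user_tmp_t directory; passt_t and passt_exec_t are the types named in the series.

```m4
## <summary>passt: example policy interfaces (added illustration, not the project's file)</summary>

# m4 quoting rule: a block argument opens with a backtick and closes
# with a single quote, i.e. `...'. Opening it with a single quote
# instead ('...') leaves the argument unquoted, which is the kind of
# typo patch 1 of this series fixes.

########################################
## <summary>
##	Execute passt, transitioning to the passt_t domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(`passt_domtrans',`
	gen_require(`
		type passt_t, passt_exec_t;
	')

	corecmd_search_bin($1)
	# domtrans_pattern() grants execute on passt_exec_t, the
	# transition itself, the entrypoint, and adds the type_transition.
	domtrans_pattern($1, passt_exec_t, passt_t)
')

########################################
## <summary>
##	Terminate passt.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to send the signals.</summary>
## </param>
#
interface(`passt_kill',`
	gen_require(`
		type passt_t;
	')

	allow $1 passt_t:process { signal sigkill };
')

########################################
## <summary>
##	Connect to, and write to, the UNIX domain socket of passt.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to connect.</summary>
## </param>
#
interface(`passt_socket_connect',`
	gen_require(`
		type passt_t;
		type user_tmp_t;
	')

	# Assumption (illustration only): the socket file is created in a
	# user_tmp_t directory. connect() needs write on the socket file
	# plus connectto on the listening socket of passt_t.
	allow $1 user_tmp_t:dir search_dir_perms;
	allow $1 user_tmp_t:sock_file write_sock_file_perms;
	allow $1 passt_t:unix_stream_socket connectto;
	# Data written after connect() is checked against the client's own
	# socket ($1 self:unix_stream_socket { read write }), which most
	# client domains already allow.
')
```

A caller's policy module then simply invokes `passt_domtrans(virtd_t)` and so on; the `gen_require` blocks make the module fail to load, rather than silently do nothing, if the passt types are not installed.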
[PATCH 3/6] selinux: Switch to a more reasonable model for PID and socket files

Instead of restricting PID files to /var/run/passt.pid, which is a
single file and unlikely to be used, use the user_tmp_t type which
should cover any reasonable need.

Signed-off-by: Stefano Brivio
[PATCH 4/6] selinux/passt.te: Allow setcap on the process itself

This is needed by the new functions in isolate.c; add the
corresponding rule.

Signed-off-by: Stefano Brivio
[PATCH 5/6] selinux/passt.te: Allow /etc/resolv.conf symlinks to be followed

Signed-off-by: Stefano Brivio
[PATCH 6/6] selinux/passt.te: Allow setting socket option on routing netlink socket

Signed-off-by: Stefano Brivio
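Patches 3 to 6 each adjust one aspect of the type enforcement file, and patch 2 mentions that init_daemon_domain() now defines the default transition. As an added illustration for this page (not the series' diff and not the passt project's own passt.te), here is a type enforcement module carrying exactly those points: the daemon domain declaration, user_tmp_t for the PID file, setcap on the process itself, following a /etc/resolv.conf symlink, and setopt on the routing netlink socket. Assumptions of mine: the module version, the exact permission sets, and the etc_t and net_conf_t labels used for /etc/resolv.conf and its symlink target. A complete module needs many more rules (network access, file contexts and so on) that are deliberately not shown.

```m4
policy_module(passt, 0.1)

########################################
#
# Declarations
#

type passt_t;
type passt_exec_t;
# Declares passt_t as a daemon domain and sets the default transition
# to passt_t when init executes a file of type passt_exec_t.
init_daemon_domain(passt_t, passt_exec_t)

# Types from other modules referenced directly below. Assumption: the
# labels of /etc/resolv.conf (net_conf_t) and of a symlink in /etc
# (etc_t) follow the reference policy.
gen_require(`
	type user_tmp_t;
	type etc_t;
	type net_conf_t;
')

########################################
#
# passt local policy (subset, illustration only)
#

# PID file: any file of type user_tmp_t, rather than one fixed path
# under /var/run.
allow passt_t user_tmp_t:dir { add_name remove_name search write };
allow passt_t user_tmp_t:file { create getattr open read unlink write };

# capset() on the calling process: needed to drop capabilities on
# itself (process class permission "setcap").
allow passt_t self:process setcap;

# /etc/resolv.conf may be a symlink (for instance to a resolver stub
# file): following it needs lnk_file read on the link, then file read
# on the target.
allow passt_t { etc_t net_conf_t }:lnk_file read;
allow passt_t net_conf_t:file { getattr open read };

# Routing netlink socket, including setsockopt() ("setopt").
allow passt_t self:netlink_route_socket { bind create getattr nlmsg_read read setopt write };
```

On a distribution that ships the policy development Makefile, a module like this is built with `make -f /usr/share/selinux/devel/Makefile passt.pp` and loaded with `semodule -i passt.pp`; the first thing to check after loading is `ausearch -m AVC -c passt` for any denial the subset above does not cover.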