SELinux policies for xendriverdomain.service

Another step towards making Qubes OS work with SELinux enforcing.
QubesOS · Dec 23, 2022 · f955f2f · f955f2f
1 parent 8c712b9
commit f955f2f
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -14,13 +14,13 @@ all:
 	$(MAKE) -C qubes-rpc
 ifdef WITH_SELINUX
 ifeq ($(WITH_SELINUX),1)
-	$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile qubes-qfile-unpacker.pp
+	$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile qubes-qfile-unpacker.pp qubes-xendriverdomain.pp
 
 install-rh: install-selinux
 
 install-selinux:
 	install -D -m 0644 -t $(DESTDIR)/usr/share/selinux/packages/targeted -- \
-		selinux/qubes-qfile-unpacker.pp
+		selinux/qubes-qfile-unpacker.pp selinux/qubes-xendriverdomain.pp
 .PHONY: install-selinux
 else ifneq ($(WITH_SELINUX),0)
 $(error bad value for WITH_SELINUX)

diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -334,6 +334,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
 
 %files selinux
 %_datadir/selinux/packages/targeted/qubes-qfile-unpacker.pp
+%_datadir/selinux/packages/targeted/qubes-xendriverdomain.pp
 
 %endif
 
@@ -614,7 +615,7 @@ fi
 %if %{with selinux}
 %post selinux
 
-%selinux_modules_install %{_datadir}/selinux/packages/targeted/qubes-qfile-unpacker.pp
+%selinux_modules_install %{_datadir}/selinux/packages/targeted/qubes-qfile-unpacker.pp %{_datadir}/selinux/packages/targeted/qubes-xendriverdomain.pp
 
 contexts='### QUBES START ###\
 /rw/home /home\

diff --git a/selinux/qubes-xendriverdomain.fc b/selinux/qubes-xendriverdomain.fc
@@ -0,0 +1 @@
+# Intentionally left blank
diff --git a/selinux/qubes-xendriverdomain.te b/selinux/qubes-xendriverdomain.te
@@ -0,0 +1,13 @@
+policy_module(``qubes-xendriverdomain'', ``0.0.1'')
+
+require {
+	type NetworkManager_t, initrc_t, virsh_exec_t, xend_t;
+	class dbus send_msg;
+	class file { entrypoint exec_file_perms };
+}
+
+allow xend_t virsh_exec_t:file { entrypoint exec_file_perms };
+iptables_domtrans(xend_t)
+dbus_system_bus_client(xend_t)
+init_domtrans_script(xend_t)
+allow xend_t NetworkManager_t:dbus send_msg;
diff --git a/vm-systemd/xendriverdomain.service b/vm-systemd/xendriverdomain.service
@@ -5,6 +5,7 @@ ConditionVirtualization=xen
 [Service]
 Type=forking
 ExecStart=/usr/sbin/xl devd
+SELinuxContext=system_u:system_r:xend_t:s0-s0:c0.c1023
 
 [Install]
 WantedBy=multi-user.target