SELinux Type Enforcement for multi-process QEMU

  1. module mpqemu 1.0;
  2.  
  3.  
  4. require {
  5. class process transition;
  6. class file { execute read };
  7. class file entrypoint;
  8. class dir search;
  9. class file { getattr open read };
  10. class file { getattr map open read };
  11. class file { execute map read };
  12. class lnk_file read;
  13. class chr_file { lock open read write };
  14. class file { getattr ioctl lock open read write };
  15. class process fork;
  16. class fd use;
  17. class unix_stream_socket { read write };
  18. class file open;
  19. class process { noatsecure rlimitinh siginh };
  20. class file write;
  21. class dir { getattr search };
  22. class file { open read };
  23. class process getattr;
  24. type qemu_t;
  25. type qemu_exec_t;
  26. type virtd_t;
  27. type ld_so_cache_t;
  28. type ld_so_t;
  29. type lib_t;
  30. type null_device_t;
  31. type virt_image_t;
  32. type shell_exec_t;
  33. type init_t;
  34. attribute domain;
  35. attribute entry_type;
  36. attribute exec_type;
  37. attribute application_exec_type;
  38. attribute file_type, non_security_file_type, non_auth_file_type;
  39. attribute virt_domain;
  40. attribute virt_image_type;
  41.  
  42. };
  43.  
  44.  
  45. type qemu_lsi53c895a_exec_t;
  46. type qemu_lsi53c895a_img_t;
  47. type qemu_lsi53c895a_t;
  48.  
  49. typeattribute qemu_lsi53c895a_t virt_domain;
  50.  
  51. typeattribute qemu_lsi53c895a_exec_t file_type, non_security_file_type, non_auth_file_type;
  52. typeattribute qemu_lsi53c895a_exec_t exec_type;
  53. typeattribute qemu_lsi53c895a_exec_t application_exec_type;
  54. typeattribute qemu_lsi53c895a_exec_t entry_type;
  55. typeattribute qemu_lsi53c895a_img_t file_type, non_security_file_type, non_auth_file_type;
  56. typeattribute qemu_lsi53c895a_img_t virt_image_type;
  57. type_transition qemu_t qemu_lsi53c895a_exec_t : process qemu_lsi53c895a_t;
  58. type_transition virtd_t qemu_exec_t : process qemu_t;
  59.  
  60. #============= init_t ==============
  61. allow init_t qemu_lsi53c895a_t:dir search;
  62. allow init_t qemu_lsi53c895a_t:file { getattr open read };
  63.  
  64. #============= qemu_lsi53c895a_t ==============
  65. allow qemu_lsi53c895a_t ld_so_cache_t : file { getattr map open read };
  66. allow qemu_lsi53c895a_t ld_so_t : file { execute map read };
  67. allow qemu_lsi53c895a_t lib_t : lnk_file read;
  68. allow qemu_lsi53c895a_t null_device_t : chr_file { lock open read write };
  69. allow qemu_lsi53c895a_t qemu_lsi53c895a_exec_t : file { execute map read };
  70. allow qemu_lsi53c895a_t qemu_lsi53c895a_img_t : file { getattr ioctl lock open read write };
  71. allow qemu_lsi53c895a_t self : process fork;
  72. allow qemu_lsi53c895a_t qemu_t : fd use;
  73. allow qemu_lsi53c895a_t qemu_t : unix_stream_socket { read write };
  74. allow qemu_lsi53c895a_t qemu_lsi53c895a_exec_t : file entrypoint;
  75.  
  76. #============= qemu_t ==============
  77. allow qemu_t qemu_lsi53c895a_exec_t : file open;
  78. allow qemu_t qemu_lsi53c895a_t : process { noatsecure rlimitinh siginh };
  79. allow qemu_t virt_image_t : file write;
  80. allow qemu_t qemu_lsi53c895a_t : process transition;
  81. allow qemu_t qemu_lsi53c895a_exec_t : file { execute read };
  82.  
  83. #============= virtd_t ==============
  84. allow virtd_t shell_exec_t : file entrypoint;