mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-02-20 22:47:38 +00:00
Xen patch from Dan Walsh.
parent
b60df9f57d
commit
0d86ea1d7b
@ -217,3 +217,22 @@ interface(`xen_domtrans_xm',`
|
||||
|
||||
domtrans_pattern($1, xm_exec_t, xm_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to xm over an unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`xen_stream_connect_xm',`
|
||||
gen_require(`
|
||||
type xm_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
|
||||
')
|
||||
|
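Review bot: The gen_require block in xen_stream_connect_xm declares only xm_t, yet the stream_connect_pattern call at the end of the body also names xenstored_var_run_t, so a caller module that does not already declare that type will likely fail to build; the require line should read `type xm_t, xenstored_var_run_t;`. It is also worth confirming that xenstored_var_run_t really is the label of the directory and socket xm listens on, because as written the caller gains write access to xenstored's runtime socket files in order to reach xm_t. If xm's socket is labelled differently, the second and third arguments should be that socket's own types so the grant stays as narrow as the summary ("Connect to xm") describes.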
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(xen, 1.9.1)
|
||||
policy_module(xen, 1.9.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -209,6 +209,7 @@ files_read_kernel_img(xend_t)
|
||||
files_manage_etc_runtime_files(xend_t)
|
||||
files_etc_filetrans_etc_runtime(xend_t, file)
|
||||
files_read_usr_files(xend_t)
|
||||
files_read_default_symlinks(xend_t)
|
||||
|
||||
storage_raw_read_fixed_disk(xend_t)
|
||||
storage_raw_write_fixed_disk(xend_t)
|
||||
@ -259,6 +260,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
|
||||
allow xenconsoled_t self:process setrlimit;
|
||||
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@ -279,6 +281,7 @@ dev_rw_sysfs(xenconsoled_t)
|
||||
|
||||
domain_dontaudit_ptrace_all_domains(xenconsoled_t)
|
||||
|
||||
files_read_etc_files(xenconsoled_t)
|
||||
files_read_usr_files(xenconsoled_t)
|
||||
|
||||
fs_list_tmpfs(xenconsoled_t)
|
||||
@ -297,6 +300,10 @@ miscfiles_read_localization(xenconsoled_t)
|
||||
xen_manage_log(xenconsoled_t)
|
||||
xen_stream_connect_xenstore(xenconsoled_t)
|
||||
|
||||
optional_policy(`
|
||||
ptchown_domtrans(xenconsoled_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Xen store local policy
|
||||
@ -340,6 +347,8 @@ dev_read_sysfs(xenstored_t)
|
||||
|
||||
files_read_usr_files(xenstored_t)
|
||||
|
||||
fs_manage_xenfs_files(xenstored_t)
|
||||
|
||||
storage_raw_read_fixed_disk(xenstored_t)
|
||||
storage_raw_write_fixed_disk(xenstored_t)
|
||||
storage_raw_read_removable_device(xenstored_t)
|
||||
@ -421,7 +430,17 @@ xen_stream_connect(xm_t)
|
||||
xen_stream_connect_xenstore(xm_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(xm_t)
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_chat(xm_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
virt_domtrans(xm_t)
|
||||
virt_manage_images(xm_t)
|
||||
virt_manage_config(xm_t)
|
||||
virt_stream_connect(xm_t)
|
||||
')
|
||||
|
||||
@ -435,6 +454,8 @@ optional_policy(`
|
||||
kernel_read_xen_state(xm_ssh_t)
|
||||
kernel_write_xen_state(xm_ssh_t)
|
||||
|
||||
files_search_tmp(xm_ssh_t)
|
||||
|
||||
fs_manage_xenfs_dirs(xm_ssh_t)
|
||||
fs_manage_xenfs_files(xm_ssh_t)
|
||||
|
||||
|
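Review bot: The optional_policy block that calls virt_domtrans, virt_manage_images, virt_manage_config and virt_stream_connect for xm_t (hunk -421,7 +430,17) has no comment explaining why xm needs manage-level access to libvirt images and configuration. The +/- markers are lost on this page, but that hunk grows by ten lines, so the block appears to be new. Manage interfaces normally cover create, write and delete, which is a wide grant for a management front end; I would add a line such as `# TODO(review): document why xm_t needs manage (not read) access to virt images/config` above the block. Where only reading is required, a read-only interface would be the tighter choice, if the virt module version in use provides one.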