virt: allow more accesses to libvirt_leaseshelper

When using libvirt to manage virtual machines, libvirt_leaseshelper
wants to:

* read /etc/libnl/classid
* list the content of /sys/devices/system/node/ in order to read files
  such as /sys/devices/system/node/node0/meminfo
* use getsched

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2020-01-04 11:07:12 +01:00
parent cb5e78abe7
commit a887c9628b
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0


@ -1305,6 +1305,8 @@ userdom_use_user_ptys(virt_bridgehelper_t)
# Leaseshelper local policy
#
allow virt_leaseshelper_t self:process getsched;
allow virt_leaseshelper_t virtd_t:fd use;
allow virt_leaseshelper_t virtd_t:fifo_file write_fifo_file_perms;
@ -1317,6 +1319,13 @@ files_pid_filetrans(virt_leaseshelper_t, virt_runtime_t, file)
kernel_dontaudit_read_system_state(virt_leaseshelper_t)
# Read /sys/devices/system/node/node*/meminfo
dev_list_sysfs(virt_leaseshelper_t)
dev_read_sysfs(virt_leaseshelper_t)
# Read /etc/libnl/classid
files_read_etc_files(virt_leaseshelper_t)
########################################
#
# Virtlockd local policy