[selinux-policy/master_contrib: 28/47] Dan Berrange asked that we allow compromize_kernel for all virt domains, and says virt_use_sysfs is
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jan 16 13:32:51 UTC 2013
commit c02f1786d5176b0367494d27280d036996c77cdc
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Jan 14 13:09:19 2013 -0500
Dan Berrange asked that we allow compromize_kernel for all virt domains, and says virt_use_sysfs is no longer needed. Needs back port to F18.
virt.te | 13 +------------
1 files changed, 1 insertions(+), 12 deletions(-)
---
diff --git a/virt.te b/virt.te
index eaf5bf9..c566b8b 100644
--- a/virt.te
+++ b/virt.te
@@ -58,13 +58,6 @@ gen_tunable(virt_use_nfs, false)
gen_tunable(virt_use_samba, false)
## <desc>
-## <p>
-## Allow confined virtual guests to manage device configuration, (pci)
-## </p>
-## </desc>
-gen_tunable(virt_use_sysfs, false)
-
-## <desc>
## <p>
## Allow confined virtual guests to interact with the sanlock
## </p>
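Review bot: The `gen_tunable(virt_use_sysfs, false)` declaration is deleted outright, and the commit message asks for a backport to F18, so the boolean would disappear inside a stable release. Any host or provisioning script that runs `setsebool virt_use_sysfs` will get an error once the boolean no longer exists. Consider keeping the declaration for the backport with a description marking it as deprecated and without effect, and dropping it only in the next release.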
@@ -580,6 +573,7 @@ optional_policy(`
#
# virtual domains common policy
#
+allow virt_domain self:capability2 compromise_kernel;
allow virt_domain self:process { signal getsched signull };
allow virt_domain self:fifo_file rw_fifo_file_perms;
allow virt_domain self:shm create_shm_perms;
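Review bot: The added `allow virt_domain self:capability2 compromise_kernel;` is unconditional and applies to every type carrying the `virt_domain` attribute, whereas the rule it replaces was granted to `svirt_t` only and sat behind a boolean that defaulted to false. That is a default-on widening of a sensitive capability with no comment in the policy explaining why every virtual domain needs it. Please add a comment above the rule giving the reason, and confirm that each type in `virt_domain` actually requires it rather than only `svirt_t`.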
@@ -750,11 +744,6 @@ tunable_policy(`virt_use_samba',`
fs_getattr_cifs(virt_domain)
')
-tunable_policy(`virt_use_sysfs',`
- allow svirt_t self:capability2 compromise_kernel;
- dev_rw_sysfs(virt_domain)
-')
-
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(virt_domain)
dev_read_sysfs(virt_domain)
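Review bot: Removing the `tunable_policy(`virt_use_sysfs', ...)` block also drops `dev_rw_sysfs(virt_domain)`, and nothing in this patch replaces it. The only sysfs access left in the visible context is `dev_read_sysfs(virt_domain)` under `virt_use_usb`. The commit message says the boolean is no longer needed but does not say how guests that manage PCI device configuration get sysfs write access now. Please state that in the commit message, or keep the write access if it is still required.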