Stephen Smalley wrote:
> The assertion is to prevent accidental granting of read access to a
> raw disk device. Is that truly required here?

Probably - the root disk of the guest O/S instance is an LVM partition,
e.g. /dev/vg01/lv_guest

> To allow it, you need to use the interface for it, e.g.
> storage_raw_read_fixed_disk(xm_t) That interface is defined in
> kernel/storage.if. In addition to allowing the permission, it adds a
> type attribute to the type that excludes from the assertion.
So, what would that look like in the policy file?
Thanks,
R.
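As an added illustration (not part of the thread, and not a patch anyone in it posted), this is what the interface call looks like in a Reference Policy module. It assumes the refpolicy layout the thread refers to (kernel/storage.if, xm_t from the xen module) and that the LVM logical volume is labelled fixed_disk_device_t, which is the default label for device-mapper block nodes under /dev/mapper; the module name local_xm_disk and the version number are arbitrary.

```selinux
# local_xm_disk.te -- hypothetical local module built against refpolicy.
# If you are editing policy/modules/system/xen.te directly instead,
# drop the gen_require block and just add the interface call
# alongside the other xm_t rules.
policy_module(local_xm_disk, 1.0.0)

gen_require(`
	type xm_t;
')

# Let xm_t read the LVM logical volumes that back guest root disks,
# e.g. /dev/vg01/lv_guest (a symlink to /dev/mapper/vg01-lv_guest,
# which carries the fixed_disk_device_t label).
#
# storage_raw_read_fixed_disk() does two things:
#   1. allow xm_t fixed_disk_device_t:blk_file read (plus the /dev
#      search rules needed to reach the node);
#   2. typeattribute xm_t fixed_disk_raw_read, which is the attribute
#      the neverallow in kernel/storage.te exempts:
#        neverallow ~fixed_disk_raw_read fixed_disk_device_t:\
#                   { chr_file blk_file } read;
# Writing "allow xm_t fixed_disk_device_t:blk_file read;" by hand
# would grant the permission but still trip that assertion at
# build time, because the attribute would be missing.
storage_raw_read_fixed_disk(xm_t)
```

After building and loading the module, confirm the label on the node (ls -lZ /dev/mapper/vg01-lv_guest should show fixed_disk_device_t; if it shows something else the interface will not help and the labelling needs fixing first) and confirm the rule landed with sesearch --allow -s xm_t -t fixed_disk_device_t -c blk_file. Note that the thread only discusses read access; if the guest's root disk must also be written through xm_t, refpolicy provides a sibling storage_raw_write_fixed_disk() interface guarded by its own assertion, and that call would be added the same way.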