[selinux-policy: 1761/3172] trunk: xen updates from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:37:11 UTC 2010


commit 7f089782aea01899c3692ca873c92bdfee844318
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 21 13:36:05 2007 +0000

    trunk: xen updates from dan

 Changelog                    |    1 +
 policy/modules/system/xen.if |   42 +++++++++++++++++++++++++++++++++++++++++-
 policy/modules/system/xen.te |   26 ++++++++++++++++++++++++--
 3 files changed, 66 insertions(+), 3 deletions(-)
---
diff --git a/Changelog b/Changelog
index dc7b54a..87d5be7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Xen updates from Dan Walsh.
 - Filesystem updates from Dan Walsh.
 - Large samba update from Dan Walsh.
 - Drop snmpd_etc_t.
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 7ef96e5..4c9ea79 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -57,6 +57,25 @@ interface(`xen_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
+##	Read xend image files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`xen_read_image_files',`
+	gen_require(`
+		type xen_image_t, xend_var_lib_t;
+	')
+
+	files_list_var_lib($1)
+	read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to append
 ##	xend log files.
 ## </summary>
@@ -72,12 +91,33 @@ interface(`xen_append_log',`
 	')
 
 	logging_search_logs($1)
-	allow $1 xend_var_log_t:file { getattr append };
+	append_files_pattern($1,xend_var_log_t,xend_var_log_t)
 	dontaudit $1 xend_var_log_t:file write;
 ')
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete the
+##	xend log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`xen_manage_log',`
+	gen_require(`
+		type var_log_t, xend_var_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1,xend_var_log_t,xend_var_log_t)
+	manage_files_pattern($1,xend_var_log_t,xend_var_log_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write
 ##	Xen unix domain stream sockets.  These
 ##	are leaked file descriptors.
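Review bot: `type var_log_t` in the gen_require of xen_manage_log is never referenced in the interface body — `logging_search_logs($1)` supplies the /var/log traversal — so the require should be just `type xend_var_log_t;` to avoid an unnecessary dependency on the logging module's types. Since manage permission lets a caller truncate or delete the xend logs, which matters for later incident reconstruction, the summary would benefit from a sentence that this interface is meant for log-maintenance domains rather than ordinary log readers. The xen_append_log interface whose body is modified at the top of this hunk begins outside the hunk.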
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 7744255..9d1d1ed 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen,1.3.0)
+policy_module(xen,1.3.1)
 
 ########################################
 #
@@ -25,6 +25,10 @@ type xend_exec_t;
 domain_type(xend_t)
 init_daemon_domain(xend_t, xend_exec_t)
 
+# tmp files
+type xend_tmp_t;
+files_tmp_file(xend_tmp_t)
+
 # var/lib files
 type xend_var_lib_t;
 files_type(xend_var_lib_t)
@@ -88,16 +92,22 @@ allow xend_t self:packet_socket create_socket_perms;
 allow xend_t xen_image_t:dir list_dir_perms;
 manage_dirs_pattern(xend_t,xen_image_t,xen_image_t)
 manage_files_pattern(xend_t,xen_image_t,xen_image_t)
+read_lnk_files_pattern(xend_t,xen_image_t,xen_image_t)
 rw_blk_files_pattern(xend_t,xen_image_t,xen_image_t)
 
 allow xend_t xenctl_t:fifo_file manage_file_perms;
 dev_filetrans(xend_t, xenctl_t, fifo_file)
 
+manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+manage_dirs_pattern(xend_t,xend_tmp_t,xend_tmp_t)
+files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
+
 # pid file
 allow xend_t xend_var_run_t:dir setattr;
 manage_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
 manage_sock_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
-files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file })
+manage_fifo_files_pattern(xend_t,xend_var_run_t,xend_var_run_t)
+files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file fifo_file })
 
 # log files
 allow xend_t xend_var_log_t:dir setattr;
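Review bot: The new xend_tmp_t rules are inserted between the xenctl fifo rules and the `# pid file` group without a heading, whereas the neighbouring groups (`# pid file`, `# log files`) are labelled; adding `# tmp files` above `manage_files_pattern(xend_t,xend_tmp_t,xend_tmp_t)` keeps the file's section style. The order within that group (files before dirs) is also reversed relative to the xen_image_t group just above, which lists dirs first; swapping the two lines makes the groups read alike.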
@@ -167,6 +177,7 @@ files_etc_filetrans_etc_runtime(xend_t,file)
 files_read_usr_files(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
+storage_raw_write_fixed_disk(xend_t)
 storage_raw_read_removable_device(xend_t)
 
 term_getattr_all_user_ptys(xend_t)
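Review bot: `storage_raw_write_fixed_disk(xend_t)` gives xend_t write access to every fixed-disk block device on the host, so a compromised xend could overwrite host disks rather than only guest images; a short comment naming the reason (presumably guest disks backed by raw partitions or LVM volumes, which I cannot confirm from this page) would let a later reviewer judge whether a narrower labelling of guest devices is feasible. The same read/write pair is added for xenstored_t in a later xen.te hunk and raw fixed-disk read for xm_t in the final hunk. In the lines visible here nothing else in the xenstored_t rules touches block devices, so that grant in particular deserves a justification comment or a check that it was not added in response to a stray denial.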
@@ -181,8 +192,12 @@ locallogin_dontaudit_use_fds(xend_t)
 
 logging_send_syslog_msg(xend_t)
 
+lvm_domtrans(xend_t)
+
 miscfiles_read_localization(xend_t)
 
+mount_domtrans(xend_t)
+
 sysnet_domtrans_dhcpc(xend_t)
 sysnet_signal_dhcpc(xend_t)
 sysnet_domtrans_ifconfig(xend_t)
@@ -284,6 +299,10 @@ dev_read_sysfs(xenstored_t)
 
 files_read_usr_files(xenstored_t)
 
+storage_raw_read_fixed_disk(xenstored_t)
+storage_raw_write_fixed_disk(xenstored_t)
+storage_raw_read_removable_device(xenstored_t)
+
 term_use_generic_ptys(xenstored_t)
 term_use_console(xenconsoled_t)
 
@@ -317,6 +336,7 @@ files_search_var_lib(xm_t)
 
 allow xm_t xen_image_t:dir rw_dir_perms;
 allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file read_blk_file_perms;
 
 kernel_read_system_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
@@ -337,6 +357,8 @@ files_list_mnt(xm_t)
 # Some common macros (you might be able to remove some)
 files_read_etc_files(xm_t)
 
+storage_raw_read_fixed_disk(xm_t)
+
 term_use_all_terms(xm_t)
 
 init_rw_script_stream_sockets(xm_t)

