[selinux-policy: 2552/3172] Xen patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:46:49 UTC 2010


commit 0d86ea1d7b85a4f5c82ff0c8578880251117ee30
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Mar 19 11:54:50 2010 -0400

    Xen patch from Dan Walsh.

 policy/modules/system/xen.if |   19 +++++++++++++++++++
 policy/modules/system/xen.te |   23 ++++++++++++++++++++++-
 2 files changed, 41 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 7601079..086e8c6 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
@@ -217,3 +217,22 @@ interface(`xen_domtrans_xm',`
 
 	domtrans_pattern($1, xm_exec_t, xm_t)
 ')
+
+########################################
+## <summary>
+##	Connect to xm over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xen_stream_connect_xm',`
+	gen_require(`
+		type xm_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
+')
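Review bot: The `gen_require` of the new `xen_stream_connect_xm` interface only declares `type xm_t;`, but the `stream_connect_pattern` call on the last line also references `xenstored_var_run_t`; when this interface is invoked from a module other than xen, that type is not in the caller's scope and the module build should fail. Change the require line to `type xm_t, xenstored_var_run_t;`. Using the xenstored pid-file type as both the directory and the socket label looks copied from `xen_stream_connect_xenstore`, so it is worth confirming that xm actually listens on a socket under that label rather than a type of its own. The summary text "an unix stream socket" should read `a unix stream socket`.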
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 6876cdc..3d5ab7b 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
 
-policy_module(xen, 1.9.1)
+policy_module(xen, 1.9.2)
 
 ########################################
 #
@@ -209,6 +209,7 @@ files_read_kernel_img(xend_t)
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t, file)
 files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
 
 storage_raw_read_fixed_disk(xend_t)
 storage_raw_write_fixed_disk(xend_t)
@@ -259,6 +260,7 @@ optional_policy(`
 #
 
 allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+allow xenconsoled_t self:process setrlimit;
 allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
 allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
 
@@ -279,6 +281,7 @@ dev_rw_sysfs(xenconsoled_t)
 
 domain_dontaudit_ptrace_all_domains(xenconsoled_t)
 
+files_read_etc_files(xenconsoled_t)
 files_read_usr_files(xenconsoled_t)
 
 fs_list_tmpfs(xenconsoled_t)
@@ -297,6 +300,10 @@ miscfiles_read_localization(xenconsoled_t)
 xen_manage_log(xenconsoled_t)
 xen_stream_connect_xenstore(xenconsoled_t)
 
+optional_policy(`
+	ptchown_domtrans(xenconsoled_t)
+')
+
 ########################################
 #
 # Xen store local policy
@@ -340,6 +347,8 @@ dev_read_sysfs(xenstored_t)
 
 files_read_usr_files(xenstored_t)
 
+fs_manage_xenfs_files(xenstored_t)
+
 storage_raw_read_fixed_disk(xenstored_t)
 storage_raw_write_fixed_disk(xenstored_t)
 storage_raw_read_removable_device(xenstored_t)
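Review bot: `fs_manage_xenfs_files(xenstored_t)` grants create, write and unlink on xenfs files, which is broader than the read/write access needed for existing nodes, and the hunk gives no denial or comment explaining which operations xenstored actually performs. If creation of xenfs files is the intent, the directory side is missing — the xm_ssh_t block later in this file pairs `fs_manage_xenfs_dirs` with `fs_manage_xenfs_files` — and if only read/write of existing files is needed, the corresponding read/write interface from filesystem.if would be the least-privilege grant. A one-line comment above the call naming the observed denial would let the next reviewer judge which is intended.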
@@ -421,7 +430,17 @@ xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
 
 optional_policy(`
+	dbus_system_bus_client(xm_t)
+
+	optional_policy(`
+		hal_dbus_chat(xm_t)
+	')
+')
+
+optional_policy(`
+	virt_domtrans(xm_t)
 	virt_manage_images(xm_t)
+	virt_manage_config(xm_t)
 	virt_stream_connect(xm_t)
 ')
 
@@ -435,6 +454,8 @@ optional_policy(`
 	kernel_read_xen_state(xm_ssh_t)
 	kernel_write_xen_state(xm_ssh_t)
 
+	files_search_tmp(xm_ssh_t)
+
 	fs_manage_xenfs_dirs(xm_ssh_t)
 	fs_manage_xenfs_files(xm_ssh_t)
 

