xen, selinux, FC5

Stephen Smalley sds at tycho.nsa.gov
Fri Oct 13 16:20:11 UTC 2006


On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> > 
> > The assertion is to prevent accidental granting of read access to a
> > raw disk device.  Is that truly required here?
> 
> Probably - the root disk of the guest O/S instance is an lvm partition,
> e.g. /dev/vg01/lv_guest
> 
> > To allow it, you need to use the interface for it, e.g.
> > storage_raw_read_fixed_disk(xm_t). That interface is defined in
> > kernel/storage.if. In addition to allowing the permission, it adds a
> > type attribute to the type that excludes it from the assertion.
> 
> So, what would that look like in the policy file?

If you build using the devel makefile (e.g. make
-f /usr/share/selinux/devel/Makefile or copy it over to where you are
working on your module), then you can use the interface as I described,
i.e. just put
	storage_raw_read_fixed_disk(xm_t)
in your .te file.

That Makefile will pull in the headers and expand it properly.
It should handle the checkmodule and semodule_package side of things,
leaving you with just running semodule -i to install it once built.

-- 
Stephen Smalley
National Security Agency
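The build-and-install procedure described in the reply above, as an added shell example that is not from the original message or from the SELinux/refpolicy project: it assumes a local module named myxm (hypothetical) that pulls xm_t in through a require block, the devel Makefile at the path quoted above, and that semodule and sesearch (setools) are installed; the build step exits with a message when that Makefile is absent, so only the .te generation runs on a machine without the policy headers.

```shell
#!/bin/sh
# Added example (not from the original message): build a small local
# SELinux policy module that grants xm_t raw read access to fixed disks
# through the storage_raw_read_fixed_disk() interface, using the refpolicy
# devel Makefile as described in the reply.  Module name "myxm" is a
# hypothetical choice for the example.
set -u

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Write <dir>/<name>.te.  The require block is what a local module needs
# in order to reference xm_t, which is declared by the base xen module.
write_xm_module() {
    dir=$1
    name=$2
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0)

require {
    type xm_t;
}

# Guest root disks live on LVM volumes (e.g. /dev/vg01/lv_guest), so xm
# needs raw read on fixed_disk_device_t.  The interface both allows the
# permission and attaches the attribute that excludes xm_t from the
# "no raw disk read" assertion, which a bare allow rule would trip.
storage_raw_read_fixed_disk(xm_t)
EOF
}

# Build every .te in <dir> into a .pp with the devel Makefile (it runs
# checkmodule and semodule_package for you), then load it with semodule -i.
build_and_install() {
    dir=$1
    name=$2
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "missing $DEVEL_MAKEFILE (install the policy devel package)" >&2
        return 1
    fi
    ( cd "$dir" && make -f "$DEVEL_MAKEFILE" ) || return 1
    semodule -i "$dir/$name.pp" || return 1
}

# Check that the rule really made it into the loaded policy: the module
# should be listed, and sesearch (setools) should show the allow rule from
# xm_t to fixed_disk_device_t:blk_file with read permission.
verify_loaded() {
    name=$1
    semodule -l | grep -q "^$name" || return 1
    sesearch -A -s xm_t -t fixed_disk_device_t -c blk_file -p read \
        | grep -q '^allow' || return 1
}

# Usage: ./xm-raw-disk.sh <workdir>
if [ $# -ge 1 ]; then
    workdir=$1
    mkdir -p "$workdir"
    write_xm_module "$workdir" myxm
    build_and_install "$workdir" myxm && verify_loaded myxm
fi
```

The require block rather than a fresh type declaration is the point to get right: xm_t already exists in the xen module, so a local module must reference it, not redeclare it, or semodule -i will refuse to load the package. The sesearch check at the end is the practical confirmation that the interface expanded as intended, since a plain allow rule on fixed_disk_device_t would have failed at build time against the neverallow assertion the reply mentions.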



