From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions
Date: Wed, 25 Mar 2015 13:50:37 +0100	[thread overview]
Message-ID: <20150325125036.GA1326@localhost.localdomain> (raw)
In-Reply-To: <1427250286-27053-5-git-send-email-jason@perfinion.com>

On Wed, Mar 25, 2015 at 10:24:45AM +0800, Jason Zaman wrote:
> virtd_t writes the spice shm file in tmpfs so this allows access.

Cool, so why are you also adding an extra rule allowing it to maintain tmpfs dirs?

> 
> type=AVC msg=audit(1427209364.960:10357): avc:  granted  { add_name }
> for  pid=24933 comm="qemu-system-x86" name="spice.24933"
> scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
> tclass=dir
> type=AVC msg=audit(1427209364.960:10357): avc:  granted  { write } for
> pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
> ino=638614 scontext=system_u:system_r:virtd_t
> tcontext=system_u:object_r:tmpfs_t tclass=file
> ---
>  virt.te | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/virt.te b/virt.te
> index cb868d5..b20eb1c 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
>  type virt_tmp_t;
>  files_tmp_file(virt_tmp_t)
>  
> +type virt_tmpfs_t;
> +files_tmpfs_file(virt_tmpfs_t)
> +
>  type virt_var_run_t;
>  files_pid_file(virt_var_run_t)
>  
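Review bot: the new type declaration in this hunk carries no comment saying what it labels, and the file context for it is left implicit. Since the commit message identifies the object as the spice shared-memory file under /dev/shm, a one-line comment such as `# spice shared memory files created by virtd_t in /dev/shm` above `type virt_tmpfs_t;` would let readers of virt.te tell this type apart from virt_tmp_t without digging through the git log.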
> @@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
>  manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
>  files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
>  
> +manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
> +
>  # This needs a file context specification
>  manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
>  manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
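Review bot: the only directory-class access in the commit message's AVC records is `add_name` on the tmpfs_t parent directory, and the object itself (`path="/dev/shm/spice.24933"`, `tclass=file`) is a file, so neither `manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)` nor the `dir` class in `fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })` is backed by the evidence given. Suggest dropping the dirs pattern and narrowing the transition to `fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, file)`, adding the dir rules back only if a denial shows virtd_t creating directories in tmpfs.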
> -- 
> 2.0.5
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
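The question above turns on matching the requested policy rules against the AVC records that justify them. The following script, an added example written for this page and not code from either author or from refpolicy, parses the two AVC records quoted in the commit message (re-joined onto single lines, since the mail wrapped them) and derives which object classes would actually receive the new label; the mapping from the patch's macros to object classes is taken from the hunk itself, and the idea that a directory-entry operation (`add_name` with a `name=` field but no `path=`) acts on the parent directory, which keeps its tmpfs_t label, is the assumption the check rests on.

```python
import re

# Constructed copies of the two AVC records from the commit message,
# re-joined onto single lines so they parse.
AVC_RECORDS = [
    'type=AVC msg=audit(1427209364.960:10357): avc:  granted  { add_name } for  '
    'pid=24933 comm="qemu-system-x86" name="spice.24933" '
    'scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t tclass=dir',
    'type=AVC msg=audit(1427209364.960:10357): avc:  granted  { write } for '
    'pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs" '
    'ino=638614 scontext=system_u:system_r:virtd_t '
    'tcontext=system_u:object_r:tmpfs_t tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes the patch's rules grant virtd_t on virt_tmpfs_t (from the hunk).
REQUESTED_RULES = {
    "manage_dirs_pattern": "dir",
    "manage_files_pattern": "file",
}
FILETRANS_CLASSES = {"file", "dir"}   # the { file dir } set in fs_tmpfs_filetrans


def parse_avc(line):
    """Split one AVC record into decision, permissions, source/target types and class."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "decision": m["decision"],
        "perms": set(m["perms"].split()),
        "source_type": m["scontext"].split(":")[2],
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "path": fields.get("path"),   # present when the record names the object itself
        "name": fields.get("name"),   # present for directory-entry ops (add_name, ...)
    }


def classes_needing_new_label(records, source_type, fs_type):
    """Object classes that would get the new type once a filetrans is in place.

    Assumption: only records that name the object by path describe an object the
    transition would relabel; entry operations on the containing directory act on
    the parent, which keeps its fs_type label.
    """
    classes = {}
    for r in records:
        if r["source_type"] != source_type or r["target_type"] != fs_type:
            continue
        if r["path"] is None:
            continue
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    return classes


def parent_dir_perms(records, source_type, fs_type):
    """Permissions used on the fs_type directory that holds the new objects."""
    perms = set()
    for r in records:
        if (r["source_type"] == source_type and r["target_type"] == fs_type
                and r["tclass"] == "dir" and r["path"] is None and r["name"]):
            perms |= r["perms"]
    return perms


def unjustified_rules(records, source_type="virtd_t", fs_type="tmpfs_t"):
    """Return (pattern rules, filetrans classes) the AVC evidence does not support."""
    evidenced = set(classes_needing_new_label(records, source_type, fs_type))
    rules = [name for name, cls in REQUESTED_RULES.items() if cls not in evidenced]
    extra_filetrans = sorted(FILETRANS_CLASSES - evidenced)
    return rules, extra_filetrans


if __name__ == "__main__":
    recs = [parse_avc(line) for line in AVC_RECORDS]
    print("object classes to relabel:", classes_needing_new_label(recs, "virtd_t", "tmpfs_t"))
    print("parent dir perms:", parent_dir_perms(recs, "virtd_t", "tmpfs_t"))
    print("unjustified:", unjustified_rules(recs))
```

Run against the two quoted records, the script reports that only the `file` class is evidenced for the new label (with `write`), that the parent directory access is `add_name` on tmpfs_t, and therefore that `manage_dirs_pattern` and the `dir` member of the filetrans set are not backed by the records in the commit message. The same parser works on any `avc: denied`/`granted` line from audit.log, so it can be reused to scope other policy additions to what the log actually shows.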
