New domain for qemu

New domain for qemu

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: system_qemu.patch.gz --]
[-- Type: application/x-gzip, Size: 1737 bytes --]

Re: New domain for qemu

[Christopher J. PeBenito]

On Mon, 2008-05-19 at 13:14 -0400, Daniel J Walsh wrote:
> Gzip archive attachment (system_qemu.patch.gz)

Merged.  There are some missing interfaces, so I commented out the
calls.

> +## <desc>
> +## <p>
> +## Allow qemu to connect fully to the network
> +## </p>
> +## </desc>
> +gen_tunable(allow_qemu_full_network,false)

I renamed this to qemu_full_network.  I'd like to make an effort to have
the first word in the boolean name to be the module name, as we do for
interfaces.  At least for booleans local to one module, like this one.

> +	term_use_ptmx($1_t)
> +	term_getattr_pty_fs($1_t)
> +	term_use_generic_ptys($1_t)

This leads me to believe that qemu opens up a pty.  Can you check that?
If it does, then it needs to have its own label.

> +optional_policy(`
> +	xserver_xdm_rw_shm(qemu_unconfined_t)
> +')

Not clear why this is needed, since we have this already:

allow unconfined_domain_type domain:{ sem msgq shm } *;

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.