From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Oct 2012 10:04:39 -0400 Subject: [refpolicy] [PATCH] Declare a virtio device node type In-Reply-To: <1347442034-26084-1-git-send-email-dominick.grift@gmail.com> References: <1347442034-26084-1-git-send-email-dominick.grift@gmail.com> Message-ID: <506C45F7.8000208@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/12/12 05:27, Dominick Grift wrote: > > Label virtio character device nodes accordingly > > Create term_use_virtio_console() for vdagent > > Signed-off-by: Dominick Grift > diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc > index 7d45d15..0ea25b6 100644 > --- a/policy/modules/kernel/terminal.fc > +++ b/policy/modules/kernel/terminal.fc > @@ -19,6 +19,7 @@ > /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) > /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) > /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) > +/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) > /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) > > /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) > diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if > index 01dd2f1..bfaff9f 100644 > --- a/policy/modules/kernel/terminal.if > +++ b/policy/modules/kernel/terminal.if 
> @@ -1493,3 +1493,22 @@ > refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') > term_dontaudit_use_all_ttys($1) > ') > + > +######################################## > +## > +## Read from and write to virtio console. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`term_use_virtio_console',` > + gen_require(` > + type virtio_device_t; > + ') > + > + dev_list_all_dev_nodes($1) > + allow $1 virtio_device_t:chr_file rw_chr_file_perms; > +') Is this really only a console/serial device? The bits that I can find seem to imply it's more than just a console, but I'm not sure. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
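Review bot: In the terminal.fc hunk, the pattern `/dev/vport[0-9]p[0-9]+` allows only a single digit for the virtio device index before the `p`, so a node such as `/dev/vport10p1` on a guest with more than ten virtio-serial devices would fall through to the default device label; `/dev/vport[0-9]+p[0-9]+` covers the whole namespace without matching anything else under /dev. Separately, nothing in the diff shown here declares `virtio_device_t`: a terminal.te hunk with `type virtio_device_t;` and `dev_node(virtio_device_t)` is needed before this file context and the `gen_require` in the new interface will build.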
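Review bot: In the terminal.if hunk, the interface is named and documented as a console (`term_use_virtio_console`, "Read from and write to virtio console"), but the type it grants `rw_chr_file_perms` on labels every `/dev/vportNpM` node, which is any virtio-serial port, not only a console; that is the scope question the reply raises. Either rename the interface after the device (`term_use_virtio_device`, a hypothetical name) or state in the summary that it allows read/write on all virtio serial ports, so callers such as the vdagent policy know what they are getting. As rendered here the `##` doc lines are empty; make sure the submitted patch carries the usual `<summary>` and `<param name="domain">` markup so the interface appears in the generated documentation.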