From: Anthony PERARD
To:
CC: Anthony PERARD
Subject: [PATCH] xen: Allow xenstored to map /proc/xen/xsd_kva
Date: Tue, 14 Jul 2020 14:20:07 +0100
Message-ID: <20200714132007.821541-1-anthony.perard@citrix.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux boolean "domain_can_mmap_files" in CentOS is set to false the mmap() call fails.

Signed-off-by: Anthony PERARD

--- policy/modules/system/xen.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 1b91b5cbc82a..b3df1f627804 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -459,6 +459,7 @@ files_read_usr_files(xenstored_t) fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) +allow xenstored_t xenfs_t:file map; term_use_generic_ptys(xenstored_t) -- Anthony PERARD
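
Review bot: The added "allow xenstored_t xenfs_t:file map;" in the @@ -459,6 +459,7 @@ hunk names xenfs_t directly, while the two lines just above it reach the same type through interface calls (fs_search_xenfs, fs_manage_xenfs_files). Consider granting map through an interface call in the same style, so that xen.te stays consistent with the neighbouring lines. The rule is also unconditional and applies to every file labelled xenfs_t, whereas the commit message only describes mmap() of /proc/xen/xsd_kva failing when domain_can_mmap_files is false; a sentence in the commit message stating that this scope is intended would make the change easier to audit.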