From: russell@coker.com.au (Russell Coker)
Date: Mon, 5 Jul 2010 17:17:22 +1000
Subject: [refpolicy] virt.te
Message-ID: <201007051717.22480.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(svirt_t)
	fs_manage_nfs_files(svirt_t)
')

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(virtd_t)
	fs_manage_nfs_files(virtd_t)
	fs_read_nfs_symlinks(virtd_t)
')

From a casual examination of the above sections of virt.te it appears that the following line needs to be added:

	fs_read_nfs_symlinks(svirt_t)

Note that I haven't done any testing of this or considered whether the design needs any other changes. But the intent of the policy author seems to be that virtd_t and svirt_t get the same access to NFS, and I can't think of any reason why one of them would be denied access to NFS symlinks.

I think it would probably be a good idea to try and avoid having multiple tunable sections for the same boolean to reduce the incidence of such things. If they were both in the same tunable section it would make the problem quite obvious.

-- 
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
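The inconsistency above is easy to miss by eye when a boolean is split across several tunable_policy sections. The following script is an added example, not part of the mail or of refpolicy: it parses the tunable_policy(`bool',` ... ') blocks of a .te file, reports booleans that appear in more than one section, and for each boolean lists which domains receive fewer interface calls than their peers. The embedded SAMPLE_TE is constructed from the two sections quoted in the mail plus an unrelated single-section boolean; the regexes assume the plain one-call-per-line style of those sections and are not a full m4 parser.

```python
import re
from collections import defaultdict

# Constructed sample: the two virt_use_nfs sections quoted in the mail, plus an
# unrelated single-section boolean, embedded so the script runs offline.
SAMPLE_TE = """
tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(svirt_t)
	fs_manage_nfs_files(svirt_t)
')

tunable_policy(`virt_use_samba',`
	fs_manage_cifs_dirs(svirt_t)
')

tunable_policy(`virt_use_nfs',`
	fs_manage_nfs_dirs(virtd_t)
	fs_manage_nfs_files(virtd_t)
	fs_read_nfs_symlinks(virtd_t)
')
"""

# One tunable_policy section: boolean name, then the m4-quoted body up to the
# closing ')'.  Assumes bodies do not nest further quoted blocks.
TUNABLE_RE = re.compile(r"tunable_policy\(`([^']+)',`(.*?)'\)", re.DOTALL)
# One interface call per line, e.g. fs_manage_nfs_dirs(svirt_t).
CALL_RE = re.compile(r"^\s*([a-z_0-9]+)\(([^)]*)\)\s*$", re.MULTILINE)


def parse_tunables(text):
    """Return {boolean: [section, ...]} where each section maps a domain
    (the first argument of each call) to the set of interface names it gets."""
    sections = defaultdict(list)
    for m in TUNABLE_RE.finditer(text):
        boolean, body = m.group(1), m.group(2)
        per_domain = defaultdict(set)
        for call in CALL_RE.finditer(body):
            iface, args = call.group(1), call.group(2)
            domain = args.split(",")[0].strip()
            per_domain[domain].add(iface)
        sections[boolean].append(dict(per_domain))
    return dict(sections)


def duplicate_tunables(sections):
    """Booleans that are spread over more than one tunable_policy section."""
    return sorted(b for b, secs in sections.items() if len(secs) > 1)


def access_gaps(sections, boolean):
    """Merge every section of `boolean` and return, per domain, the interface
    calls that some other domain under the same boolean gets but it does not."""
    merged = defaultdict(set)
    for sec in sections.get(boolean, []):
        for domain, ifaces in sec.items():
            merged[domain] |= ifaces
    union = set().union(*merged.values()) if merged else set()
    return {d: union - ifaces for d, ifaces in merged.items() if union - ifaces}


if __name__ == "__main__":
    secs = parse_tunables(SAMPLE_TE)
    for boolean in duplicate_tunables(secs):
        print(f"{boolean}: {len(secs[boolean])} separate tunable sections")
    for boolean in secs:
        for domain, missing in access_gaps(secs, boolean).items():
            print(f"{boolean}: {domain} lacks {', '.join(sorted(missing))}")
```

Run against the sample it flags virt_use_nfs as split across two sections and reports that svirt_t lacks fs_read_nfs_symlinks, which is exactly the discrepancy the mail points out; on a real module, run it over the whole .te file before proposing a merge of the sections.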