From: russell@coker.com.au (Russell Coker)
Date: Mon, 5 Jul 2010 17:17:22 +1000
Subject: [refpolicy] virt.te
Message-ID: <201007051717.22480.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(svirt_t)
        fs_manage_nfs_files(svirt_t)
')

tunable_policy(`virt_use_nfs',`
        fs_manage_nfs_dirs(virtd_t)
        fs_manage_nfs_files(virtd_t)
        fs_read_nfs_symlinks(virtd_t)
')

>From a casual examination of the above sections of virt.te it appears that the 
following line needs to be added:
        fs_read_nfs_symlinks(svirt_t)

Note that I haven't done any testing of this or considered whether the design 
needs any other changes.  But the intent of the policy author seems to be that 
virtd_t and svirt_t get the same access to NFS, and I can't think of any 
reason why one of them would be denied access to NFS symlinks.


I think it would probably be a good idea to try and avoid having multiple 
tunable sections for the same boolean to reduce the incidence of such things.  
If they were both in the same tunable section it would make the problem quite 
obvious.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog