From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 11 Apr 2012 20:35:57 +0200 Subject: [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt In-Reply-To: <20120411183017.GA6229@siphos.be> References: <20120411183017.GA6229@siphos.be> Message-ID: <20120411183556.GD6229@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system administrator). Signed-off-by: Sven Vermeulen --- policy/modules/roles/sysadm.te | 4 ++++ policy/modules/system/init.te | 1 + 2 files changed, 5 insertions(+), 0 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 7d25414..e08c71f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -394,6 +394,10 @@ optional_policy(` ') optional_policy(` + virt_stream_connect(sysadm_t) +') + +optional_policy(` vmware_role(sysadm_r, sysadm_t) ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index b7fcbe3..79a306e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -822,6 +822,7 @@ optional_policy(` ') optional_policy(` + virt_stream_connect(initrc_t) virt_manage_svirt_cache(initrc_t) ') -- 1.7.3.4
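Review bot: in the policy/modules/roles/sysadm.te hunk, the new optional_policy block around virt_stream_connect(sysadm_t) has no comment saying that the access exists for virsh, so a later reader of sysadm.te cannot tell why sysadm_t is allowed to connect to virtd_t. A one-line comment above the call would keep the reason next to the rule. The commit message says the parent domain of whoever runs virsh needs this right; it would help to state there whether sysadm_t is meant to be the only user domain that gets it.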
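Review bot: in the policy/modules/system/init.te hunk, virt_stream_connect(initrc_t) lets every init script that runs as initrc_t connect to virtd_t, while the commit message only speaks of "init scripts managing the environment". Please name the init script that calls virsh, in the commit message or in a comment above the call, so the grant can be audited against a concrete user. Style point: the call is inserted ahead of virt_manage_svirt_cache(initrc_t); if the block is meant to stay sorted by interface name, it belongs after that line.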