From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 23 Apr 2012 10:41:06 -0400 Subject: [refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt In-Reply-To: <20120411183556.GD6229@siphos.be> References: <20120411183017.GA6229@siphos.be> <20120411183556.GD6229@siphos.be> Message-ID: <4F956A02.9070905@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/11/12 14:35, Sven Vermeulen wrote: > When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t > domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system > administrator). Merged. > Signed-off-by: Sven Vermeulen > --- > policy/modules/roles/sysadm.te | 4 ++++ > policy/modules/system/init.te | 1 + > 2 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 7d25414..e08c71f 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -394,6 +394,10 @@ optional_policy(` > ') > > optional_policy(` > + virt_stream_connect(sysadm_t) > +') > + > +optional_policy(` > vmware_role(sysadm_r, sysadm_t) > ') > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index b7fcbe3..79a306e 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -822,6 +822,7 @@ optional_policy(` > ') > > optional_policy(` > + virt_stream_connect(initrc_t) > virt_manage_svirt_cache(initrc_t) > ') > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
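Review bot: In the sysadm.te hunk (@@ -394,6 +394,10 @@), the new optional_policy block has no comment saying why sysadm_t needs `virt_stream_connect(sysadm_t)`; the reason (virsh connecting to the virtd_t domain to manage guests) appears only in the commit message. A one-line comment above the call would keep that rationale next to the rule, so someone auditing what sysadm_t is allowed to do does not have to go back to the list archive to learn why the access was granted.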
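Review bot: In the init.te hunk (@@ -822,6 +822,7 @@), `virt_stream_connect(initrc_t)` applies to everything that runs as initrc_t, while the commit message motivates it only for init scripts that manage the virtual environment through virsh. Consider adding a comment that names the init script(s) needing this, so the grant can be revisited if those scripts are later given their own domain. Minor style point: the new line sits above `virt_manage_svirt_cache(initrc_t)`; if the block is meant to stay in alphabetical order, it belongs below that call.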