From: dominick.grift@gmail.com (Dominick Grift)
Date: Tue, 04 Sep 2012 14:50:57 +0200
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
In-Reply-To: <5045D7D0.9030502@redhat.com>
References: <1346434702-30274-1-git-send-email-dominick.grift@gmail.com> <1346434702-30274-3-git-send-email-dominick.grift@gmail.com> <5045D7D0.9030502@redhat.com>
Message-ID: <1346763057.15262.28.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
> On 08/31/2012 07:38 PM, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift > > --- > > policy/modules/kernel/devices.fc | 1 + > > policy/modules/kernel/devices.te | 3 +++ > > 2 files changed, 4 insertions(+) > > > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > > index 5214c08..94505c4 100644 > > --- a/policy/modules/kernel/devices.fc > > +++ b/policy/modules/kernel/devices.fc > > @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` > > /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) > > /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) > > /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) > > +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) > > /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) > > /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) > > /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) > > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > > index 99fe460..52c535d 100644 > > --- a/policy/modules/kernel/devices.te > > +++ b/policy/modules/kernel/devices.te
> > @@ -272,6 +272,9 @@ dev_node(v4l_device_t) > > type vhost_device_t; > > dev_node(vhost_device_t) > > > > +type virtio_device_t; > > +dev_node(virtio_device_t) > > + > > # Type for vmware devices. > > type vmware_device_t; > > dev_node(vmware_device_t)
> We declare it in terminal.* policy files.

Must be new then; last time I tried (a week ago on f18?) it was still mislabeled (device_t).

> Also I think base access interfaces should be part of this patch?

I don't see that requirement. I also haven't encountered any process trying to access it yet.
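
Review bot: In the devices.fc hunk, the added /dev/vport.* entry is an open-ended pattern, so every character device node whose name begins with "vport" is labeled virtio_device_t, not only the virtio ports named in the subject line. The form matches the neighbouring /dev/vmnet.* and /dev/video.* entries, but Miroslav Grepl's quoted comment says "We declare it in terminal.* policy files", so confirm there is no existing file context specification for the same path before adding a second one with a different type, and say in the commit message which of the two is meant to win.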
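
Review bot: In the devices.te hunk, virtio_device_t is declared without the one-line description comment that the vmware_device_t block right after it carries ("# Type for vmware devices."), and the diffstat lists only devices.fc and devices.te, so no access interfaces for the new type come with the change. Suggest adding a matching comment above the "type virtio_device_t;" line, and either adding the basic interfaces for the type in the same series or noting in the commit message that they are deferred, since the message body currently holds only the Signed-off-by line.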