From: dominick.grift@gmail.com (Dominick Grift) Date: Tue, 04 Sep 2012 21:23:25 +0200 Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly In-Reply-To: <5046491F.1050505@redhat.com> References: <1346434702-30274-1-git-send-email-dominick.grift@gmail.com> <1346434702-30274-3-git-send-email-dominick.grift@gmail.com> <5045D7D0.9030502@redhat.com> <1346763057.15262.28.camel@d30.localdomain> <5046491F.1050505@redhat.com> Message-ID: <1346786605.15262.33.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2012-09-04 at 20:31 +0200, Miroslav Grepl wrote: > On 09/04/2012 02:50 PM, Dominick Grift wrote: > > > > On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote: > >> On 08/31/2012 07:38 PM, Dominick Grift wrote: > >>> Signed-off-by: Dominick Grift > >>> --- > >>> policy/modules/kernel/devices.fc | 1 + > >>> policy/modules/kernel/devices.te | 3 +++ > >>> 2 files changed, 4 insertions(+) > >>> > >>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > >>> index 5214c08..94505c4 100644 > >>> --- a/policy/modules/kernel/devices.fc > >>> +++ b/policy/modules/kernel/devices.fc > >>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` > >>> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) > >>> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) > >>> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) > >>> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) > >>> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) > >>> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) > >>> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) > >>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > >>> index 99fe460..52c535d 100644 > >>> --- a/policy/modules/kernel/devices.te > >>> +++ b/policy/modules/kernel/devices.te 
> >>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t) > >>> type vhost_device_t; > >>> dev_node(vhost_device_t) > >>> > >>> +type virtio_device_t; > >>> +dev_node(virtio_device_t) > >>> + > >>> # Type for vmware devices. > >>> type vmware_device_t; > >>> dev_node(vmware_device_t) > >> We declare it in terminal.* policy files. > > must be new then, last time i tried (a week ago on f18?) it was still > > mislabeled (device_t) > We have > > /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) > > maybe it needs to be fixed. > > And then > > rhev.te:term_use_virtio_console(rhev_agentd_t) > rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t) > vdagent.te:term_use_virtio_console(vdagent_t) > > > > >> Also I think base access interfaces should be part of this patch? > > i don't see that requirement. i also haven't encountered any process > > trying to access it yet. > > > never mind, this patch was not merged. so just ignore this patch
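Review bot: In the devices.fc hunk, the added `/dev/vport.*` expression labels every character device node whose name starts with "vport" as virtio_device_t, which is wider than the virtio port nodes named in the subject line. If only port nodes of the form quoted later in the thread (`/dev/vport[0-9]p[0-9]+`) are intended, a tighter expression would keep an unrelated node from picking up this type. If the broad match is deliberate, as with the neighbouring `/dev/vmnet.*` and `/dev/video.*` entries, please say so in the commit message.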
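Review bot: In the devices.te hunk, the new `type virtio_device_t;` declaration has no comment, while the vmware_device_t declaration directly below it carries "# Type for vmware devices."; a one-line comment saying the type is for virtio port device nodes would match that. The diffstat also shows only devices.fc and devices.te changed, so the type arrives without any access interface. Either add the basic interfaces in this patch or note in the commit message that they will follow once a caller needs them.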