From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 25 Mar 2015 13:50:37 +0100
Subject: [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions
In-Reply-To: <1427250286-27053-5-git-send-email-jason@perfinion.com>
References: <1427250286-27053-1-git-send-email-jason@perfinion.com> <1427250286-27053-5-git-send-email-jason@perfinion.com>
Message-ID: <20150325125036.GA1326@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Mar 25, 2015 at 10:24:45AM +0800, Jason Zaman wrote:
> virtd_t writes the spice shm file in tmpfs so this allows access.

Cool, so why are you also adding an extra rule allowing it to maintain tmpfs dirs?

>
> type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
> for pid=24933 comm="qemu-system-x86" name="spice.24933"
> scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
> tclass=dir
> type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
> pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
> ino=638614 scontext=system_u:system_r:virtd_t
> tcontext=system_u:object_r:tmpfs_t tclass=file
> ---
> virt.te | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/virt.te b/virt.te
> index cb868d5..b20eb1c 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
> type virt_tmp_t;
> files_tmp_file(virt_tmp_t)
>
> +type virt_tmpfs_t;
> +files_tmpfs_file(virt_tmpfs_t)
> +
> type virt_var_run_t;
> files_pid_file(virt_var_run_t)
>
> @@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
> files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
>
> +manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
> +fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
> +
> # This needs a file context specification
> manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
> manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
> --
> 2.0.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
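Review bot: the first hunk (around line 127) declares `type virt_tmpfs_t;` with no comment saying what it labels, and the commit message only says "the spice shm file". Since the audit lines show the object is `/dev/shm/spice.<pid>` created by `qemu-system-x86` running as `virtd_t`, a one-line comment above the declaration naming that use (spice shared-memory files under /dev/shm) would tell a later reader why virtd needs a tmpfs type separate from `virt_tmp_t`.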
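Review bot: the second hunk (around line 483) grants more than the audit evidence supports. The two AVC records show only `{ write }` on a `tmpfs_t` file and `{ add_name }` on the `tmpfs_t` directory it was created in, i.e. file creation in /dev/shm; the directory `add_name` is the part that the `fs_tmpfs_filetrans()` transition is there to cover. Nothing shown requires `virtd_t` to create or remove directories of the new type, so `manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)` and the `dir` class in the filetrans look unjustified. Unless a directory is actually created, narrow it to `manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)` and `fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, file)`, or cite the denial that needs the extra rights in the commit message.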