From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 15 Sep 2015 08:56:01 -0400
Subject: [refpolicy] [PATCH 1/1] add vfio support for libvirt
In-Reply-To: <1441438908-1443-2-git-send-email-jason@perfinion.com>
References: <1441438908-1443-1-git-send-email-jason@perfinion.com>
	<1441438908-1443-2-git-send-email-jason@perfinion.com>
Message-ID: <55F81561.30000@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 9/5/2015 3:41 AM, Jason Zaman wrote:
> From: Alexander Wetzel <alexander.wetzel@web.de>

Merged.


> Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
> ---
>  virt.te | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/virt.te b/virt.te
> index f8a59e4..f512ddc 100644
> --- a/virt.te
> +++ b/virt.te
> @@ -70,6 +70,14 @@ gen_tunable(virt_use_usb, false)
>  ## </desc>
>  gen_tunable(virt_use_xserver, false)
>  
> +## <desc>
> +###      <p>
> +###      Determine whether confined virtual guests
> +###      can use vfio for pci device pass through (vt-d).
> +###      </p>
> +### </desc>
> +gen_tunable(virt_use_vfio, false)
> +
>  attribute virt_ptynode;
>  attribute virt_domain;
>  attribute virt_image_type;
> @@ -415,6 +423,10 @@ corenet_tcp_bind_all_ports(svirt_t)
>  corenet_sendrecv_all_client_packets(svirt_t)
>  corenet_tcp_connect_all_ports(svirt_t)
>  
> +tunable_policy(`virt_use_vfio',`
> +	dev_rw_vfio_dev(svirt_t)
> +')
> +
>  ########################################
>  #
>  # virtd local policy
> @@ -658,6 +670,13 @@ tunable_policy(`virt_use_samba',`
>  	fs_read_cifs_symlinks(virtd_t)
>  ')
>  
> +tunable_policy(`virt_use_vfio',`
> +	allow virtd_t self:capability sys_resource;
> +	allow virtd_t self:process setrlimit;
> +	allow virtd_t svirt_t:process rlimitinh;
> +	dev_relabelfrom_vfio_dev(virtd_t)
> +')
> +
>  optional_policy(`
>  	brctl_domtrans(virtd_t)
>  ')
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com