From: jason@perfinion.com (Jason Zaman) Date: Thu, 26 May 2016 20:05:06 +0800 Subject: [refpolicy] [PATCH 2/2] virt: virtlockd does not need ps_process_pattern In-Reply-To: <1464264306-26143-1-git-send-email-jason@perfinion.com> References: <1464264306-26143-1-git-send-email-jason@perfinion.com> Message-ID: <1464264306-26143-2-git-send-email-jason@perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The allow rules on virtd_t are enough, it does not require the :process class access. --- virt.te | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/virt.te b/virt.te index c625e12..8f052a7 100644 --- a/virt.te +++ b/virt.te @@ -1304,6 +1304,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1322,7 +1326,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) +kernel_getattr_proc(virtlockd_t) +kernel_search_proc(virtlockd_t) files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) -- 2.7.3
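Review bot: the three new allow rules in the first hunk (virtd_t:dir list_dir_perms, virtd_t:file read_file_perms, virtd_t:lnk_file read_lnk_file_perms) are read-only and cover the file-side accesses that the dropped ps_process_pattern call provided, so the scope is no wider than before; what is missing is a short comment above them saying why virtlockd_t reads another domain's files at all (the kernel_search_proc addition in the second hunk suggests the libvirtd entries under /proc), since a bare allow on virtd_t files otherwise reads as a widening to the next person touching virt.te. A one-line comment such as `# read libvirtd process entries` placed before `allow virtlockd_t virtd_t:dir list_dir_perms;` would do.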
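Review bot: the second hunk replaces `ps_process_pattern(virtlockd_t, virtd_t)` with `kernel_getattr_proc(virtlockd_t)` and `kernel_search_proc(virtlockd_t)`, which drops the :process class permissions the commit message calls unnecessary, but the message does not say how that was checked; a build-time success proves nothing here, because a missing :process permission only shows up at runtime as an AVC denial, so the log should state that virtlockd was exercised (lock acquisition and release against a running libvirtd) in enforcing mode with no virtd_t:process denials. Note also that the two kernel_* interfaces only make /proc traversable; the actual read access depends on the rules added in the first hunk, so the two hunks must stay in the same commit, as they are here.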