From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 26 May 2016 16:22:36 +0200
Subject: [refpolicy] [PATCH 2/2] virt: virtlockd does not need ps_process_pattern
In-Reply-To: <1464264306-26143-2-git-send-email-jason@perfinion.com>
References: <1464264306-26143-1-git-send-email-jason@perfinion.com> <1464264306-26143-2-git-send-email-jason@perfinion.com>
Message-ID: <9ffbcc7e-7a59-b90a-ec6a-c7eba9e85f3c@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/26/2016 02:05 PM, Jason Zaman wrote:
> The allow rules on virtd_t are enough, it does not require the > :process class access. --- virt.te | 7 ++++++- 1 file changed, 6 > insertions(+), 1 deletion(-) > > diff --git a/virt.te b/virt.te index c625e12..8f052a7 100644 --- > a/virt.te +++ b/virt.te @@ -1304,6 +1304,10 @@ > kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow > virtlockd_t self:capability dac_override; allow virtlockd_t > self:fifo_file rw_fifo_file_perms; > > +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t > virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file > read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir > list_dir_perms; allow virtlockd_t virt_image_type:file > rw_file_perms;
> > @@ -1322,7 +1326,8 @@ files_pid_filetrans(virtlockd_t, > virtlockd_run_t, file) > > can_exec(virtlockd_t, virtlockd_exec_t) > > -ps_process_pattern(virtlockd_t, virtd_t) > +kernel_getattr_proc(virtlockd_t) +kernel_search_proc(virtlockd_t)

The kernel_search_proc() is redundant. Are you sure that it wants to get attributes of the proc filesystem?

> > files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) >

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
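
Review bot: The three allow rules added at @@ -1304,6 +1304,10 @@ (virtd_t:dir, virtd_t:file, virtd_t:lnk_file) carry no comment tying them to the ps_process_pattern(virtlockd_t, virtd_t) call that the patch removes further down, so a later cleanup could fold them back into the pattern and restore the :process access the commit message says is not required. A one-line comment above the block stating that virtlockd_t reads virtd_t's entries without process-class access would make the least-privilege intent explicit. The commit message also gives no evidence for its claim (for example, that virtlockd was exercised without new denials), which is worth adding.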
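
Review bot: The two lines added at @@ -1322,7 +1326,8 @@, kernel_getattr_proc(virtlockd_t) and kernel_search_proc(virtlockd_t), are not explained by the commit message, which only argues for dropping the :process access that came with ps_process_pattern(virtlockd_t, virtd_t). Each call should be justified by the denial it resolves or dropped from this patch; the reply in this thread already questions both. If they turn out to be needed, a separate commit would keep the privilege reduction apart from the new grants.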