tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
')
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
fs_manage_nfs_files(virtd_t)
fs_read_nfs_symlinks(virtd_t)
')
>From a casual examination of the above sections of virt.te it appears that the
following line needs to be added:
fs_read_nfs_symlinks(svirt_t)
Note that I haven't done any testing of this or considered whether the design
needs any other changes. But the intent of the policy author seems to be that
virtd_t and svirt_t get the same access to NFS, and I can't think of any
reason why one of them would be denied access to NFS symlinks.
I think it would probably be a good idea to try and avoid having multiple
tunable sections for the same boolean to reduce the incidence of such things.
If they were both in the same tunable section it would make the problem quite
obvious.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog