2018-07-13 17:05:36

by Jag Raman

Subject: [refpolicy] [PATCH] vhost: Add /dev/vhost-scsi device of type vhost_device_t.

Signed-off-by: Jagannathan Raman <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 2 +-
policy/modules/kernel/devices.te | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e206720..5ec14ac 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -120,6 +120,7 @@ ifdef(`distro_suse', `
')
/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-scsi -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
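Review bot: The added `/dev/vhost-scsi` entry reuses `vhost_device_t`, so any domain already granted read/write on that type for `/dev/vhost-net` would presumably get the same access to the vhost-scsi node, which fronts a storage target rather than a network backend. The callers of the interface whose summary is reworded in devices.if are not visible in this patch, so it is worth confirming that each of them is meant to reach both devices. If they are not, a separate type keeps the grants independent, for example `type vhost_scsi_device_t;` with `dev_node(vhost_scsi_device_t)` (suggested name, not from the patch) and its own read/write interface. If sharing the type is intended, the interface summary could name both nodes so the widened scope is explicit: `## Allow read/write the vhost devices (/dev/vhost-net, /dev/vhost-scsi)`.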
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6bbea59..65bfcb6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4839,7 +4839,7 @@ interface(`dev_relabelfrom_vfio_dev',`

############################
## <summary>
-## Allow read/write the vhost net device
+## Allow read/write the vhost devices
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 4ce5fec..79b9c8d 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -286,7 +286,8 @@ type v4l_device_t;
dev_node(v4l_device_t)

#
-# vhost_device_t is the type for /dev/vhost-net
+# vhost_device_t is the type for vhost devices like
+# /dev/vhost-net and /dev/vhost-scsi
#
type vhost_device_t;
dev_node(vhost_device_t)
--
1.8.3.1


2018-07-15 20:57:15

by Chris PeBenito

Subject: [refpolicy] [PATCH] vhost: Add /dev/vhost-scsi device of type vhost_device_t.

On 07/13/2018 01:05 PM, Jagannathan Raman wrote:
> Signed-off-by: Jagannathan Raman <[email protected]>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 2 +-
> policy/modules/kernel/devices.te | 3 ++-
> 3 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index e206720..5ec14ac 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -120,6 +120,7 @@ ifdef(`distro_suse', `
> ')
> /dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0)
> /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
> +/dev/vhost-scsi -c gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
> /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 6bbea59..65bfcb6 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4839,7 +4839,7 @@ interface(`dev_relabelfrom_vfio_dev',`
>
> ############################
> ## <summary>
> -## Allow read/write the vhost net device
> +## Allow read/write the vhost devices
> ## </summary>
> ## <param name="domain">
> ## <summary>
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 4ce5fec..79b9c8d 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -286,7 +286,8 @@ type v4l_device_t;
> dev_node(v4l_device_t)
>
> #
> -# vhost_device_t is the type for /dev/vhost-net
> +# vhost_device_t is the type for vhost devices like
> +# /dev/vhost-net and /dev/vhost-scsi
> #
> type vhost_device_t;
> dev_node(vhost_device_t)

Merged.

--
Chris PeBenito