[Xen-devel] [PATCH 2/2] flask/policy: add missing manage_domain rules
The updated example policy did not include rules to allow managing the created domains (pause, unpause, destroy); allow these actions. Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx> --- tools/flask/policy/policy/modules/xen/xen.if | 7 +++++++ tools/flask/policy/policy/modules/xen/xen.te | 2 ++ 2 files changed, 9 insertions(+), 0 deletions(-) diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index cd240d8..3065718 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -29,6 +29,13 @@ define(`create_domain', ` allow $1 $2_$1_channel:event create; ') +# manage_domain(priv, target) +# Allow managing a running domain +define(`manage_domain', ` + allow $1 $2:domain { getdomaininfo getvcpuinfo getvcpuaffinity + getaddrsize pause unpause trigger shutdown destroy + setvcpuaffinity setdomainmaxmem }; +') ################################################################################ # # Inter-domain communication diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 0fc31b5..c5e0883 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -86,10 +86,12 @@ auditallow dom0_t security_t:security { load_policy setenforce }; declare_domain(domU_t) domain_self_comms(domU_t) create_domain(dom0_t, domU_t) +manage_domain(dom0_t, domU_t) domain_comms(dom0_t, domU_t) declare_domain(isolated_domU_t) create_domain(dom0_t, isolated_domU_t) +manage_domain(dom0_t, isolated_domU_t) domain_comms(dom0_t, isolated_domU_t) ############################################################################### -- 1.7.7.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
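Review bot: the permission set granted by the new manage_domain macro in xen.if is considerably wider than the commit message describes. The message names pause, unpause and destroy, but the allow rule also hands out trigger, shutdown, setvcpuaffinity and setdomainmaxmem, and the last two let the privileged domain change the target's CPU placement and memory ceiling rather than just its run state. Either the commit message should list the full set, or the macro comment `# Allow managing a running domain` should say that it covers resource controls as well as lifecycle operations, so that anyone deriving a tighter policy from this example knows what they are granting.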
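Review bot: in xen.te every create_domain(dom0_t, ...) call now gets a matching manage_domain(dom0_t, ...) line directly after it, for both domU_t and isolated_domU_t. If the two are always meant to go together in the example policy, having create_domain call manage_domain (or adding a single wrapper) would keep the next domain type from repeating the omission this patch fixes; if they are kept separate on purpose so that a build-only role can exist, a one-line comment in xen.if saying so would make that intent clear.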