[refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly

[dominick.grift@gmail.com (Dominick Grift)]

On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
> On 08/31/2012 07:38 PM, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> >   policy/modules/kernel/devices.fc | 1 +
> >   policy/modules/kernel/devices.te | 3 +++
> >   2 files changed, 4 insertions(+)
> >
> > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> > index 5214c08..94505c4 100644
> > --- a/policy/modules/kernel/devices.fc
> > +++ b/policy/modules/kernel/devices.fc
> > @@ -124,6 +124,7 @@ ifdef(`distro_suse', `
> >   /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
> >   /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
> >   /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
> > +/dev/vport.*		-c	gen_context(system_u:object_r:virtio_device_t,s0)
> >   /dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
> >   /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
> >   /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
> > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> > index 99fe460..52c535d 100644
> > --- a/policy/modules/kernel/devices.te
> > +++ b/policy/modules/kernel/devices.te
> > @@ -272,6 +272,9 @@ dev_node(v4l_device_t)
> >   type vhost_device_t;
> >   dev_node(vhost_device_t)
> >   
> > +type virtio_device_t;
> > +dev_node(virtio_device_t)
> > +
> >   # Type for vmware devices.
> >   type vmware_device_t;
> >   dev_node(vmware_device_t)
> We declare it in terminal.* policy files.

must be new then, last time i tried (a week ago on f18?) it was still
mislabeled (device_t)

> Also I think base access interfaces should be part of this patch?

i don't see that requirement. i also haven't encountered any process
trying to access it yet.