From mboxrd@z Thu Jan 1 00:00:00 1970
From: jason@perfinion.com (Jason Zaman)
Date: Wed, 25 Mar 2015 10:24:45 +0800
Subject: [refpolicy] [PATCH 5/6] virt: add virt_tmpfs_t type and permissions
In-Reply-To: <1427250286-27053-1-git-send-email-jason@perfinion.com>
References: <1427250286-27053-1-git-send-email-jason@perfinion.com>
Message-ID: <1427250286-27053-5-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

virtd_t writes the spice shm file in tmpfs so this allows access.
type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name } for pid=24933 comm="qemu-system-x86" name="spice.24933" scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs" ino=638614 scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t tclass=file
---
 virt.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/virt.te b/virt.te
index cb868d5..b20eb1c 100644
--- a/virt.te
+++ b/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
 type virt_tmp_t;
 files_tmp_file(virt_tmp_t)
 
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
 type virt_var_run_t;
 files_pid_file(virt_var_run_t)
 
@@ -480,6 +483,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
 
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
 # This needs a file context specification
 manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
 manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
-- 
2.0.5
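Review bot: The rules added in the second hunk grant virt_tmpfs_t access only to virtd_t, yet the audit records in the description show the writer of /dev/shm/spice.24933 is comm="qemu-system-x86"; in refpolicy a qemu guest normally runs in one of the confined guest domains produced by virt_domain_template rather than in virtd_t, so those domains will presumably hit the same add_name/write events and need equivalent rules (or a per-guest tmpfs type), and it is worth confirming which domain creates the spice shm file in a default configuration. The grant is also broader than the two recorded permissions: only file creation and write were observed, so if directories are never created `manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)` with `fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, file)` would cover the reported case without handing virtd_t directory management in tmpfs. The type declared in the first hunk is not exposed through any interface in virt.if in this patch, so no other module can label or access it yet; if that is intended for a later patch in the series, a sentence in the description saying so would help.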