From mboxrd@z Thu Jan 1 00:00:00 1970 From: mgrepl@redhat.com (Miroslav Grepl) Date: Tue, 04 Sep 2012 20:31:59 +0200 Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly In-Reply-To: <1346763057.15262.28.camel@d30.localdomain> References: <1346434702-30274-1-git-send-email-dominick.grift@gmail.com> <1346434702-30274-3-git-send-email-dominick.grift@gmail.com> <5045D7D0.9030502@redhat.com> <1346763057.15262.28.camel@d30.localdomain> Message-ID: <5046491F.1050505@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/04/2012 02:50 PM, Dominick Grift wrote: > > On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote: >> On 08/31/2012 07:38 PM, Dominick Grift wrote: >>> Signed-off-by: Dominick Grift >>> --- >>> policy/modules/kernel/devices.fc | 1 + >>> policy/modules/kernel/devices.te | 3 +++ >>> 2 files changed, 4 insertions(+) >>> >>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc >>> index 5214c08..94505c4 100644 >>> --- a/policy/modules/kernel/devices.fc >>> +++ b/policy/modules/kernel/devices.fc >>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` >>> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) >>> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) >>> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) >>> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) >>> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) >>> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) >>> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) >>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te >>> index 99fe460..52c535d 100644 >>> --- a/policy/modules/kernel/devices.te >>> +++ b/policy/modules/kernel/devices.te 
>>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t) >>> type vhost_device_t; >>> dev_node(vhost_device_t) >>> >>> +type virtio_device_t; >>> +dev_node(virtio_device_t) >>> + >>> # Type for vmware devices. >>> type vmware_device_t; >>> dev_node(vmware_device_t) >> We declare it in terminal.* policy files. > must be new then, last time i tried (a week ago on f18?) it was still > mislabeled (device_t) We have /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) maybe it needs to be fixed. And then rhev.te:term_use_virtio_console(rhev_agentd_t) rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t) vdagent.te:term_use_virtio_console(vdagent_t) > >> Also I think base access interfaces should be part of this patch? > i don't see that requirement. i also haven't encountered any process > trying to access it yet. >
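Review bot: In the devices.fc hunk, the pattern `/dev/vport.*` is broader than the kernel's `vport<N>p<M>` naming and overlaps the `/dev/vport[0-9]p[0-9]+` specification that Miroslav says already exists in the terminal policy files; two specifications for the same path in different modules is fragile, so either drop this entry in favour of the existing one or tighten the regex to `/dev/vport[0-9]+p[0-9]+` and keep it in one module only.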
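Review bot: In the devices.te hunk, `type virtio_device_t;` conflicts with the declaration the thread says already lives in terminal.te; loading both modules would yield a duplicate type declaration, so the patch needs to either remove this block or move the existing declaration and its users over in the same patch. Two smaller points: the new type lacks the descriptive comment the neighbouring entries carry (`# Type for vmware devices.`), and no interface is added for domains to reach the device, which matters because the thread already shows consumers of the existing interface (`term_use_virtio_console(vdagent_t)` and the rhev_agentd callers); a `dev_rw_*`-style interface or a pointer to the terminal one would make the new type usable.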