* [PATCH] XSM-Policy: allow source domain access to setpodtarget for ballooning.
@ 2016-07-13 12:59 Anshul Makkar
  2016-07-13 17:28 ` Daniel De Graaf
  0 siblings, 1 reply; 2+ messages in thread
From: Anshul Makkar @ 2016-07-13 12:59 UTC (permalink / raw)
  To: xen-devel; +Cc: dgdegra, ian.jackson, Anshul Makkar

Access to setpodtarget is required by dom0 to set the balloon targets for
domU. The patch gives the source domain (dom0) access to set this target for
domU and resolves the following permission denied error message during
ballooning:
avc:  denied  { setpodtarget } for domid=0 target=9
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
---
---
 tools/flask/policy/modules/xen.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index 8c43c28..8ae3c2e 100644
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -83,7 +83,8 @@ define(`create_domain_build_label', `
 define(`manage_domain', `
 	allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
 			getaddrsize pause unpause trigger shutdown destroy
-			setaffinity setdomainmaxmem getscheduler resume };
+			setaffinity setdomainmaxmem getscheduler resume
+			setpodtarget };
     allow $1 $2:domain2 set_vnumainfo;
 ')
 
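Review bot: In manage_domain, setpodtarget is added to the allow rule on `$1 $2:domain`, so whatever source type is passed as $1 to this macro gains it, while the commit message justifies the permission only for dom0 acting on domU. Please state in the commit message that the wider grant through the macro is intended, or put the permission in a rule scoped to dom0. The list now carries this setter without a matching getpodtarget, unlike the getaffinity/setaffinity pair already in the rule; if the caller also reads the target, add getpodtarget in the same change. The context line `allow $1 $2:domain2 set_vnumainfo;` is indented with spaces where the lines above it use tabs, which could be tidied while this macro is being touched.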
-- 
1.9.1


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* Re: [PATCH] XSM-Policy: allow source domain access to setpodtarget for ballooning.
  2016-07-13 12:59 [PATCH] XSM-Policy: allow source domain access to setpodtarget for ballooning Anshul Makkar
@ 2016-07-13 17:28 ` Daniel De Graaf
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel De Graaf @ 2016-07-13 17:28 UTC (permalink / raw)
  To: Anshul Makkar, xen-devel; +Cc: ian.jackson

On 07/13/2016 08:59 AM, Anshul Makkar wrote:
> Access to setpodtarget is required by dom0 to set the balloon targets for
> domU. The patch gives the source domain (dom0) access to set this target for
> domU and resolves the following permission denied error message during
> ballooning:
> avc:  denied  { setpodtarget } for domid=0 target=9
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=domain
>
> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>

This seems to indicate that getpodtarget should also be added to the list.

Either as-is or with getpodtarget also added,
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
