commit: c00545ccf571b026bd76524b6efec2d766ef7f12
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:45 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c00545cc
virt: add virt_tmpfs_t type and permissions
virtd_t writes the spice shm file (/dev/shm/spice.<pid>) in tmpfs, so this allows that access via a private type.
type=AVC msg=audit(1427209364.960:10357): avc: granted { add_name }
for pid=24933 comm="qemu-system-x86" name="spice.24933"
scontext=system_u:system_r:virtd_t tcontext=system_u:object_r:tmpfs_t
tclass=dir
type=AVC msg=audit(1427209364.960:10357): avc: granted { write } for
pid=24933 comm="qemu-system-x86" path="/dev/shm/spice.24933" dev="tmpfs"
ino=638614 scontext=system_u:system_r:virtd_t
tcontext=system_u:object_r:tmpfs_t tclass=file
policy/modules/contrib/virt.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 59c0f07..6332b0f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -127,6 +127,9 @@ mls_trusted_object(virt_log_t)
type virt_tmp_t;
files_tmp_file(virt_tmp_t)
+type virt_tmpfs_t;
+files_tmpfs_file(virt_tmpfs_t)
+
type virt_var_run_t;
files_pid_file(virt_var_run_t)
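Review bot: The new `virt_tmpfs_t` type is declared without any comment saying what it labels, while the neighbouring tmp/pid types are at least self-describing by name; a one-line comment would save the next maintainer a trip to the commit log. I would add above `type virt_tmpfs_t;` the comment `# spice shared-memory files (/dev/shm/spice.<pid>) created by qemu running as virtd_t`. The AVC in the description is the only place that use case is recorded.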
@@ -484,6 +487,10 @@ manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
+manage_dirs_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+manage_files_pattern(virtd_t, virt_tmpfs_t, virt_tmpfs_t)
+fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })
+
# This needs a file context specification
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
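Review bot: The AVCs quoted in the description show comm="qemu-system-x86" running in virtd_t rather than in a svirt domain, so granting virtd_t manage rights over tmpfs may be papering over a missing domain transition for the guest process; that is inferred from the log, not from the hunk, but worth confirming before relying on this rule. `fs_tmpfs_filetrans(virtd_t, virt_tmpfs_t, { file dir })` carries no filename qualifier (the name is per-pid, so none is possible), which means every tmpfs file or directory virtd_t creates, not just the spice shm, will be labeled virt_tmpfs_t; a comment above the three added lines such as `# spice shm files in /dev/shm; unnamed transition, so all tmpfs objects virtd_t creates get this type` would make that scope explicit. If guests are meant to run in the svirt domains, those domains will also need access to virt_tmpfs_t for the shm file to be usable, presumably via a new interface in virt.if, which this commit does not add.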