[refpolicy] [PATCH 3/4] Calling virsh requires stream_connect rights towards virt

Christopher J. PeBenito cpebenito at tresys.com
Mon Apr 23 09:41:06 CDT 2012


On 04/11/12 14:35, Sven Vermeulen wrote:
> When virsh is used to manage the virtual guests, the parent domain requires stream_connect rights towards the virtd_t
> domain. This patch adds it in for initrc_t (for init scripts managing the environment) and sysadm_t (system
> administrator).

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  policy/modules/roles/sysadm.te |    4 ++++
>  policy/modules/system/init.te  |    1 +
>  2 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 7d25414..e08c71f 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -394,6 +394,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	virt_stream_connect(sysadm_t)
> +')
> +
> +optional_policy(`
>  	vmware_role(sysadm_r, sysadm_t)
>  ')
>  
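Review bot: the new optional_policy block in sysadm.te that carries virt_stream_connect(sysadm_t) has no comment explaining why the administrator domain needs to connect to virtd_t; the reason (virsh run by the administrator) is recorded only in the commit message. A one-line comment above the call, for example "# virsh connects to virtd over a stream socket", would keep the rationale next to the rule. It is also worth confirming that the grant belongs on sysadm_t itself, since it applies to every process running in sysadm_t and not only to virsh.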
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b7fcbe3..79a306e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -822,6 +822,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	virt_stream_connect(initrc_t)
>  	virt_manage_svirt_cache(initrc_t)
>  ')
>  
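Review bot: virt_stream_connect(initrc_t) in init.te applies to anything that runs as initrc_t, while the commit message motivates it only for init scripts that use virsh to manage guests. Please add a comment above the line naming the script or use case that needs it, so the grant can be revisited if that script is later given its own domain. Placing the call inside the existing optional_policy block beside virt_manage_svirt_cache(initrc_t) is fine, since both depend on the same module.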


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

