[refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly

Miroslav Grepl mgrepl at redhat.com
Tue Sep 4 13:31:59 CDT 2012


On 09/04/2012 02:50 PM, Dominick Grift wrote:
>
> On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
>> On 08/31/2012 07:38 PM, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <dominick.grift at gmail.com>
>>> ---
>>>    policy/modules/kernel/devices.fc | 1 +
>>>    policy/modules/kernel/devices.te | 3 +++
>>>    2 files changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
>>> index 5214c08..94505c4 100644
>>> --- a/policy/modules/kernel/devices.fc
>>> +++ b/policy/modules/kernel/devices.fc
>>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', `
>>>    /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
>>>    /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
>>>    /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>>> +/dev/vport.*		-c	gen_context(system_u:object_r:virtio_device_t,s0)
>>>    /dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
>>>    /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>>>    /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
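Review bot: the `/dev/vport.*` spec added in this hunk overlaps the narrower `/dev/vport[0-9]p[0-9]+` entry for the same type that the reply below quotes from the terminal module, so the same device nodes would be claimed by two .fc files; resolve that before merging, either by dropping this line or by moving the terminal entry here. If the line stays, `/dev/vport.*` matches any node name starting with `vport`, so the `[0-9]p[0-9]+` form is the better pattern for labeling only the virtio port nodes.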
>>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
>>> index 99fe460..52c535d 100644
>>> --- a/policy/modules/kernel/devices.te
>>> +++ b/policy/modules/kernel/devices.te
>>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t)
>>>    type vhost_device_t;
>>>    dev_node(vhost_device_t)
>>>    
>>> +type virtio_device_t;
>>> +dev_node(virtio_device_t)
>>> +
>>>    # Type for vmware devices.
>>>    type vmware_device_t;
>>>    dev_node(vmware_device_t)
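Review bot: the new `type virtio_device_t;` declaration is missing the one-line comment its neighbours carry (`# Type for vmware devices.`); add `# Type for virtio port devices.` above it. The hunk also introduces the type with no matching `dev_*` interface in devices.if, so no domain can be granted access to it through the module's interfaces, and the reply below points out the same type is already declared in the terminal module, which would make this a duplicate declaration.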
>> We declare it in terminal.* policy files.
> Must be new then; last time I tried (a week ago on F18?) it was still
> mislabeled (device_t).
We have

/dev/vport[0-9]p[0-9]+  -c gen_context(system_u:object_r:virtio_device_t,s0)

Maybe it needs to be fixed.

And then

rhev.te:term_use_virtio_console(rhev_agentd_t)
rhev.te:    term_use_virtio_console(rhev_agentd_consolehelper_t)
vdagent.te:term_use_virtio_console(vdagent_t)

>
>> Also I think base access interfaces should be part of this patch?
> I don't see that requirement. I also haven't encountered any process
> trying to access it yet.
>
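The overlap between the patch's `/dev/vport.*` spec and the existing `/dev/vport[0-9]p[0-9]+` spec is the kind of thing that is easy to check mechanically. The following is an added example (not code from refpolicy or from either poster) that parses a handful of file_contexts lines, constructed here from the patch and the quoted terminal entry, and reports every device path claimed by more than one spec; it assumes the SELinux convention that .fc regexes are anchored to the whole path.

```python
import re
from typing import Dict, List, NamedTuple

class FcSpec(NamedTuple):
    regex: str    # path regex exactly as written in the .fc file
    ftype: str    # file-type flag such as "-c", or "" when absent
    context: str  # the gen_context(...) / security context string

# Constructed sample: the devices.fc line from the patch under review beside
# the narrower spec quoted from the terminal module, with two neighbours.
SAMPLE_FC = """\
/dev/video.*\t\t-c\tgen_context(system_u:object_r:v4l_device_t,s0)
/dev/vport.*\t\t-c\tgen_context(system_u:object_r:virtio_device_t,s0)
/dev/vport[0-9]p[0-9]+\t-c\tgen_context(system_u:object_r:virtio_device_t,s0)
/dev/vrtpanel\t\t-c\tgen_context(system_u:object_r:mouse_device_t,s0)
"""

# <regex> [<type flag>] <context>; the flag is one of -b -c -d -p -l -s --
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[a-z-])\s+)?(\S+)$")

def parse_fc(text: str) -> List[FcSpec]:
    """Parse file_contexts lines, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable fc line: {line!r}")
        specs.append(FcSpec(m.group(1), m.group(2) or "", m.group(3)))
    return specs

def matching_specs(specs: List[FcSpec], path: str) -> List[FcSpec]:
    """Specs whose regex matches the whole path (fc regexes are anchored)."""
    return [s for s in specs if re.fullmatch(s.regex, path)]

def find_overlaps(specs: List[FcSpec], paths: List[str]) -> Dict[str, List[str]]:
    """Map each path claimed by more than one spec to those specs' regexes."""
    overlaps = {}
    for p in paths:
        hits = matching_specs(specs, p)
        if len(hits) > 1:
            overlaps[p] = [h.regex for h in hits]
    return overlaps

if __name__ == "__main__":
    nodes = ["/dev/vport0p1", "/dev/vport1p0", "/dev/video0", "/dev/vrtpanel"]
    for path, regexes in find_overlaps(parse_fc(SAMPLE_FC), nodes).items():
        print(f"{path} is claimed by {len(regexes)} specs: {regexes}")
```

Running it lists both `/dev/vport` nodes as double-labeled, which is the conflict the thread is discussing; the real-file-type flag is parsed but not used for matching, so a `-b` and a `-c` spec on the same pattern would also be reported.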


