[refpolicy] [PATCH] Declare a virtio device node type

Dominick Grift dominick.grift at gmail.com
Wed Sep 12 04:27:14 CDT 2012


Label virtio character device nodes accordingly

Create term_use_virtio_console() for vdagent

Signed-off-by: Dominick Grift <dominick.grift at gmail.com>

diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 7d45d15..0ea25b6 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -19,6 +19,7 @@
 /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
 /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
 /dev/ttySG.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
+/dev/vport[0-9]p[0-9]+	-c	gen_context(system_u:object_r:virtio_device_t,s0)
 /dev/xvc[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
 
 /dev/pty/.*		-c	gen_context(system_u:object_r:bsdpty_device_t,s0)
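Review bot: the pattern `/dev/vport[0-9]p[0-9]+` allows only a single digit between `vport` and `p`, so a virtio-serial device numbered 10 or higher (for example `/dev/vport10p1`) would not match and would keep the default device label instead of `virtio_device_t`. The neighbouring entries use unbounded quantifiers (`/dev/slamr[0-9]+`), so `/dev/vport[0-9]+p[0-9]+` would be consistent with the file and close that gap.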
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 01dd2f1..bfaff9f 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1493,3 +1493,22 @@
 	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
 	term_dontaudit_use_all_ttys($1)
 ')
+
+########################################
+## <summary>
+##	Read from and write to virtio console.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_use_virtio_console',`
+	gen_require(`
+		type virtio_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
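Review bot: the commit message says `term_use_virtio_console()` is for vdagent, but nothing in this patch calls the new interface, so the access it grants is unreachable until a follow-up lands; either include the vdagent policy change here or state in the message that it is submitted separately. Minor: the `<summary>` could name the nodes it covers (`/dev/vportNpM`) so a policy writer can tell it apart from the other `term_use_*` console interfaces.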
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 9d64659..bc57297 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -56,3 +56,6 @@
 #
 type usbtty_device_t, serial_device;
 dev_node(usbtty_device_t)
+
+type virtio_device_t, serial_device;
+dev_node(virtio_device_t)
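Review bot: giving `virtio_device_t` the `serial_device` attribute, as `usbtty_device_t` has, means every rule already written over that attribute now also covers the virtio port, which is the guest end of a host channel rather than a plain serial line; please confirm that widening is intended, since otherwise the dedicated `term_use_virtio_console()` interface adds little. Also, the type name is broader than what it labels (only the virtio-serial character nodes, not other virtio devices), so a name such as `virtio_console_device_t` would match the interface name and avoid confusion later.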