Message ID | 1468414777-27129-1-git-send-email-anshul.makkar@citrix.com (mailing list archive)
---|---
State | New, archived
On 07/13/2016 08:59 AM, Anshul Makkar wrote:
> Access to setpodtarget is required by dom0 to set the balloon targets for
> domU. The patch gives source domain (dom0) access to set this target for
> domU and resolves the following permission denied error message during
> ballooning:
>
> avc: denied { setpodtarget } for domid=0 target=9
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=domain
>
> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>

This seems to indicate that getpodtarget should also be added to the list.

Either as-is or with getpodtarget also added,

Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 8c43c28..8ae3c2e 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -83,7 +83,8 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity getaddrsize pause unpause trigger shutdown destroy - setaffinity setdomainmaxmem getscheduler resume }; + setaffinity setdomainmaxmem getscheduler resume + setpodtarget }; allow $1 $2:domain2 set_vnumainfo; ')
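Review bot: the manage_domain permission list in this hunk gains setpodtarget but not the matching getpodtarget, so a managing domain that reads the current PoD target as part of the same ballooning flow would hit an equivalent avc denial on getpodtarget; as the reply on this thread already suggests, add it in the same list, e.g. `setpodtarget getpodtarget };`. Otherwise the hunk is fine: the new permission is placed on its own continuation line in keeping with the existing wrapped layout of the macro, and the separate `domain2 set_vnumainfo` rule is left untouched.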
Access to setpodtarget is required by dom0 to set the balloon targets for
domU. The patch gives source domain (dom0) access to set this target for
domU and resolves the following permission denied error message during
ballooning:

avc: denied { setpodtarget } for domid=0 target=9 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
---
 tools/flask/policy/modules/xen.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)