From patchwork Mon Oct 9 15:53:47 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 9993753
From: Konrad Rzeszutek Wilk
To: refpolicy@oss.tresys.com
Cc: xen-devel@lists.xenproject.org, Konrad Rzeszutek Wilk
Date: Mon, 9 Oct 2017 11:53:47 -0400
Message-Id: <20171009155347.8871-3-konrad@darnok.org>
In-Reply-To: <20171009155347.8871-1-konrad@darnok.org>
References: <20171009155347.8871-1-konrad@darnok.org>
Subject: [Xen-devel] [refpolicy SELinux PATCH 2/2] kernel/xen: Add map permission to the dev_rw_xen
List-Id: Xen developer discussion

From: Konrad Rzeszutek Wilk type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0 Without this we can't use xenconsole (client) to talk to xenconsoled (server). Signed-off-by: Konrad Rzeszutek Wilk --- policy/modules/kernel/devices.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 4c47709ff..c9071df8f 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4984,6 +4984,7 @@ interface(`dev_rw_xen',` ') rw_chr_files_pattern($1, device_t, xen_device_t) + allow $1 xen_device_t:chr_file map; ') ########################################
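
Review bot: The new `allow $1 xen_device_t:chr_file map;` line in `dev_rw_xen` grants map to every domain that calls this interface, while the only denial cited in the commit message is for xenconsoled_t on /dev/xen/privcmd. Either say in the commit message that all callers of dev_rw_xen are expected to mmap the Xen device nodes, or put the rule in a separate interface that only the domains needing it call. The quoted AVC record also stops after scontext; including its tcontext and tclass fields would let a reader confirm that xen_device_t:chr_file is the denied target.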