Xen project Mailing List

[Xen-changelog] [xen-unstable] xsm/flask: Fix permission tables

From: Xen patchbot-unstable <patchbot@xxxxxxx>

Date: Wed, 09 Feb 2011 06:50:30 -0800

Delivery-date: Wed, 09 Feb 2011 06:52:03 -0800

List-id: BK change log <xen-changelog.lists.xensource.com>

# HG changeset patch # User Keir Fraser <keir@xxxxxxx> # Date 1297012231 0 # Node ID 1f588baf12424bf59c9fdf62c84ede45943693a2 # Parent 24a4487c9bef65a5ee57aede9446845c95f25f8c xsm/flask: Fix permission tables At some point, it seems that someone manually added Flask permission definitions to one header file without updating the corresponding policy configuration or the other related table. The end result is that we can get uninterpretable AVC messages like this: # xl dmesg | grep avc (XEN) avc: denied { 0x4000000 } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain Fix this by updating the flask config and regenerating the headers from it. In the future, this can be further improved by integrating the automatic generation of the headers into the build process as is presently done in SELinux. Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> --- tools/flask/policy/policy/flask/access_vectors | 2 ++ xen/xsm/flask/include/av_perm_to_string.h | 2 ++ 2 files changed, 4 insertions(+) diff -r 24a4487c9bef -r 1f588baf1242 tools/flask/policy/policy/flask/access_vectors --- a/tools/flask/policy/policy/flask/access_vectors Sun Feb 06 17:09:32 2011 +0000 +++ b/tools/flask/policy/policy/flask/access_vectors Sun Feb 06 17:10:31 2011 +0000 @@ -75,6 +75,8 @@ class domain trigger getextvcpucontext setextvcpucontext + getvcpuextstate + setvcpuextstate } class hvm diff -r 24a4487c9bef -r 1f588baf1242 xen/xsm/flask/include/av_perm_to_string.h --- a/xen/xsm/flask/include/av_perm_to_string.h Sun Feb 06 17:09:32 2011 +0000 +++ b/xen/xsm/flask/include/av_perm_to_string.h Sun Feb 06 17:10:31 2011 +0000 @@ -50,6 +50,8 @@ S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger") S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext") S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext") + S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate") + S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate") S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc") S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc") S_(SECCLASS_HVM, HVM__SETPARAM, "setparam") _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-changelog

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.