Message ID | 1468507572-1670-1-git-send-email-anshul.makkar@citrix.com (mailing list archive) |
---|---|
State | New, archived |

On 14/07/16 15:46, Anshul Makkar wrote:
> Access to setpodtarget and getpodtarget is required by dom0 to set the balloon
> targets for domU. The patch gives source domain (dom0) access to set
> this target for domU and resolves the following permission denied error
> message during ballooning:
> avc: denied { setpodtarget } for domid=0 target=9
> scontext=system_u:system_r:dom0_t
> tcontext=system_u:system_r:domU_t tclass=domain
>
> Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

Committed, thanks.

~Andrew

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 8c43c28..dbefa1e 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -83,7 +83,8 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity getaddrsize pause unpause trigger shutdown destroy - setaffinity setdomainmaxmem getscheduler resume }; + setaffinity setdomainmaxmem getscheduler resume + setpodtarget getpodtarget }; allow $1 $2:domain2 set_vnumainfo; ')
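
Review bot: in the `manage_domain` hunk of tools/flask/policy/modules/xen.if, adding `setpodtarget getpodtarget` to the `allow $1 $2:domain { ... }` set grants both permissions to every source type the policy passes as `$1` to `manage_domain`, not only to the dom0_t to domU_t pair shown in the quoted denial. If only dom0 needs to set balloon targets, a dedicated allow rule for that pair would keep the grant narrower; if the wider grant through the macro is intended, the commit message should say so. The quoted AVC line shows a denial for `setpodtarget` only, so it would also help to state in the message where `getpodtarget` is exercised.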