| Message ID | 1468507572-1670-1-git-send-email-anshul.makkar@citrix.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 14/07/16 15:46, Anshul Makkar wrote: > Access to setpodtarget and getpodtarget is required by dom0 to set the balloon > targets for domU. The patch gives source domain (dom0) access to set > this target for domU and resolve the following permission denied erro > message during ballooning : > avc: denied { setpodtarget } for domid=0 target=9 > scontext=system_u:system_r:dom0_t > tcontext=system_u:system_r:domU_t tclass=domain > > Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com> > Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed, thanks. ~Andrew
diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if index 8c43c28..dbefa1e 100644 --- a/tools/flask/policy/modules/xen.if +++ b/tools/flask/policy/modules/xen.if @@ -83,7 +83,8 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity getaddrsize pause unpause trigger shutdown destroy - setaffinity setdomainmaxmem getscheduler resume }; + setaffinity setdomainmaxmem getscheduler resume + setpodtarget getpodtarget }; allow $1 $2:domain2 set_vnumainfo; ')
Access to setpodtarget and getpodtarget is required by dom0 to set the balloon targets for domU. The patch gives source domain (dom0) access to set this target for domU and resolve the following permission denied erro message during ballooning : avc: denied { setpodtarget } for domid=0 target=9 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com> Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> --- Changed Since V1: * added getpodtarget. tools/flask/policy/modules/xen.if | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)