From 95eddf1e8725a52b319a6d53ced93c30315fe1ff Mon Sep 17 00:00:00 2001 From: Keir Fraser Date: Sun, 6 Feb 2011 17:10:31 +0000 Subject: [PATCH] xsm/flask: Fix permission tables At some point, it seems that someone manually added Flask permission definitions to one header file without updating the corresponding policy configuration or the other related table. The end result is that we can get uninterpretable AVC messages like this: # xl dmesg | grep avc (XEN) avc: denied { 0x4000000 } for domid=0 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain Fix this by updating the flask config and regenerating the headers from it. In the future, this can be further improved by integrating the automatic generation of the headers into the build process as is presently done in SELinux. Signed-off-by: Stephen Smalley --- tools/flask/policy/policy/flask/access_vectors | 2 ++ xen/xsm/flask/include/av_perm_to_string.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index f835eb5a32..27fb9d7913 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -75,6 +75,8 @@ class domain trigger getextvcpucontext setextvcpucontext + getvcpuextstate + setvcpuextstate } class hvm diff --git a/xen/xsm/flask/include/av_perm_to_string.h b/xen/xsm/flask/include/av_perm_to_string.h index da56d563c9..b10a252589 100644 --- a/xen/xsm/flask/include/av_perm_to_string.h +++ b/xen/xsm/flask/include/av_perm_to_string.h @@ -50,6 +50,8 @@ S_(SECCLASS_DOMAIN, DOMAIN__TRIGGER, "trigger") S_(SECCLASS_DOMAIN, DOMAIN__GETEXTVCPUCONTEXT, "getextvcpucontext") S_(SECCLASS_DOMAIN, DOMAIN__SETEXTVCPUCONTEXT, "setextvcpucontext") + S_(SECCLASS_DOMAIN, DOMAIN__GETVCPUEXTSTATE, "getvcpuextstate") + S_(SECCLASS_DOMAIN, DOMAIN__SETVCPUEXTSTATE, "setvcpuextstate") S_(SECCLASS_HVM, HVM__SETHVMC, "sethvmc") S_(SECCLASS_HVM, HVM__GETHVMC, "gethvmc") S_(SECCLASS_HVM, HVM__SETPARAM, "setparam") -- 2.30.2