XSM-Policy: allow source domain access to setpodtarget and getpodtarget for ballooning.
author Anshul Makkar <anshul.makkar@citrix.com>
Thu, 14 Jul 2016 14:46:12 +0000 (15:46 +0100)
committer Andrew Cooper <andrew.cooper3@citrix.com>
Thu, 14 Jul 2016 14:50:04 +0000 (15:50 +0100)
Access to setpodtarget and getpodtarget is required by dom0 to set the balloon
targets for domU. The patch gives source domain (dom0) access to set
this target for domU and resolves the following permission denied error
message during ballooning:
avc:  denied  { setpodtarget } for domid=0 target=9
scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
tools/flask/policy/modules/xen.if

index 8c43c282e84f4005947dc395563205be33f79132..dbefa1e24f6350680e950492ed3f76bce5eb70ab 100644 (file)
@@ -83,7 +83,8 @@ define(`create_domain_build_label', `
 define(`manage_domain', `
        allow $1 $2:domain { getdomaininfo getvcpuinfo getaffinity
                        getaddrsize pause unpause trigger shutdown destroy
-                       setaffinity setdomainmaxmem getscheduler resume };
+                       setaffinity setdomainmaxmem getscheduler resume
+                       setpodtarget getpodtarget };
     allow $1 $2:domain2 set_vnumainfo;
 ')
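
Review bot: setpodtarget and getpodtarget are added to the shared manage_domain permission set (the new "setpodtarget getpodtarget };" line), so every source type passed as $1 to this macro gains them over $2, while the commit message only describes dom0 setting balloon targets for domU. If any other user of manage_domain should not be able to change PoD targets, a dedicated allow rule for dom0_t over domU_t would be the narrower grant; otherwise the commit message should say that the permission goes to all manage_domain users. The quoted AVC denial also shows only setpodtarget, so a sentence explaining why getpodtarget is granted alongside it would help.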