XSM/policy: Allow the source domain access to settime and setdomainhandle domctls...

This patch resolves the following permission denied scenarios while creating
new domU :
avc:  denied  { setdomainhandle } for domid=0 target=1
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t tclass=domain

avc:  denied  { settime } for domid=0 target=1 scontext=system_u:system_r:dom0_t
tcontext=system_u:system_r:domU_t tclass=domain

Signed-off-by: Anshul Makkar <anshul.makkar@citrix.com>
Acked-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>

diff --git a/tools/flask/policy/modules/xen.if b/tools/flask/policy/modules/xen.if
index fd96303be8a18bdb19a7727801e67e5c454cd809..8c43c282e84f4005947dc395563205be33f79132 100644 (file)
--- a/tools/flask/policy/modules/xen.if
+++ b/tools/flask/policy/modules/xen.if
@@ -48,7 +48,8 @@ define(`declare_build_label', `
 define(`create_domain_common', `
        allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize
                        getdomaininfo hypercall setvcpucontext getscheduler
-                       getvcpuinfo getaddrsize getaffinity setaffinity };
+                       getvcpuinfo getaddrsize getaffinity setaffinity
+                       settime setdomainhandle };
        allow $1 $2:domain2 { set_cpuid settsc setscheduler setclaim
                        set_max_evtchn set_vnumainfo get_vnumainfo cacheflush
                        psr_cmt_op psr_cat_op soft_reset };