On Fri, 2006-10-13 at 17:12 +0100, Robin Bowes wrote:
> Stephen Smalley wrote:
> >
> > The assertion is to prevent accidental granting of read access to a
> > raw disk device. Is that truly required here?
>
> Probably - the root disk of the guest O/S instance is an lvm partition,
> e.g. /dev/vg01/lv_guest
>
> > To allow it, you need to use the interface for it, e.g.
> > storage_raw_read_fixed_disk(xm_t). That interface is defined in
> > kernel/storage.if. In addition to allowing the permission, it adds a
> > type attribute to the type that excludes it from the assertion.
>
> So, what would that look like in the policy file?

If you build using the devel makefile (e.g. make -f /usr/share/selinux/devel/Makefile,
or copy it over to where you are working on your module), then you can use
the interface as I described, i.e. just put storage_raw_read_fixed_disk(xm_t)
in your .te file. That Makefile will pull in the headers and expand it
properly. It should handle the checkmodule and semodule_package side of
things, leaving you with just running semodule -i to install it once built.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
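As an added example (not code from this thread or from the reference policy), a POSIX shell script that writes the local module described above and drives the devel Makefile and semodule. The module name xm_rawdisk, the work directory, and the assumption that xm_t is already declared by the installed policy (so the module pulls it in with gen_require) are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build and install a small local SELinux
# policy module that lets xm_t read raw fixed-disk devices through the
# storage_raw_read_fixed_disk() interface instead of a bare allow rule that
# the assertion in kernel/storage.if would reject.
# Assumptions: module name xm_rawdisk; xm_t is already declared by the
# installed policy (hence gen_require); devel headers are installed.
set -eu

MODULE=xm_rawdisk                                   # assumed name
DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile    # from the thread

# Emit the .te source. The interface both grants the permission and attaches
# the attribute that exempts xm_t from the assertion, so no raw allow rule.
te_source() {
    printf 'policy_module(%s, 1.0)\n\n' "$MODULE"
    cat <<'EOF'
gen_require(`
    type xm_t;
')

# Let the xm domain read raw fixed-disk devices such as /dev/vg01/lv_guest.
storage_raw_read_fixed_disk(xm_t)
EOF
}

# Write the .te into a work directory and print its path.
write_module() {
    mkdir -p "$1"
    te_source > "$1/$MODULE.te"
    printf '%s\n' "$1/$MODULE.te"
}

# Let the devel Makefile run checkmodule and semodule_package, then load the
# resulting .pp with semodule -i and confirm it is listed.
build_and_install() {
    workdir=$1
    [ -r "$DEVEL_MAKEFILE" ] || { echo "missing $DEVEL_MAKEFILE" >&2; return 1; }
    ( cd "$workdir" && make -f "$DEVEL_MAKEFILE" )
    semodule -i "$workdir/$MODULE.pp"
    semodule -l | grep -q "^$MODULE"
}

# Usage: sh xm_rawdisk.sh /tmp/xm_rawdisk
if [ $# -gt 0 ]; then
    write_module "$1" >/dev/null
    build_and_install "$1"
fi
```

Running it without the devel package installed stops at the Makefile check; the generated .te can still be inspected in the work directory.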