xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux boolean "domain_can_mmap_files" in CentOS is set to false the mmap() call fails. Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx> --- v2: Declare an interface instead of using allow in xen.te directly. --- policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ policy/modules/system/xen.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b52fc769236b..b85ae2f6e851 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -5310,6 +5310,24 @@ interface(`fs_manage_xenfs_files',` manage_files_pattern($1, xenfs_t, xenfs_t) ') +######################################## +## <summary> +## Map files a XENFS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_mmap_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:file map; +') + ######################################## ## <summary> ## Do not audit attempts to create, diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 2c95d0ca3bbd..82328cbbbaa3 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -459,6 +459,7 @@ files_read_usr_files(xenstored_t) fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) +fs_mmap_xenfs_files(xenstored_t) term_use_generic_ptys(xenstored_t) -- Anthony PERARD
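Review bot: In the filesystem.if hunk, the `<summary>` of the new `fs_mmap_xenfs_files` interface reads "Map files a XENFS filesystem.", which is missing a word; suggest "Map files on a XENFS filesystem." so the generated interface documentation reads correctly. The body itself (`allow $1 xenfs_t:file map;`) is the right shape: `map` is a separate permission from the read/write already granted to xenstored_t via `fs_manage_xenfs_files`, and with the CentOS `domain_can_mmap_files` boolean off it is exactly the permission whose absence makes the `mmap()` in the commit message fail.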