flask/policy: add accesses used by newer dom0s

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>

2 files changed, 3 insertions, 3 deletions

diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if
index 87ef1654f5..3f58909b55 100644
--- a/tools/flask/policy/policy/modules/xen/xen.if
+++ b/tools/flask/policy/policy/modules/xen/xen.if
@@ -100,7 +100,7 @@ define(`use_device', `
 # admin_device(domain, device)
 #   Allow a device to be used and delegated by a domain
 define(`admin_device', `
-    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport };
+    allow $1 $2:resource { setup stat_device add_device add_irq add_iomem add_ioport remove_device remove_irq remove_iomem remove_ioport plug unplug };
     allow $1 $2:hvm bind_irq;
     use_device($1, $2)
 ')
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 29885c4a38..e175d4b358 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -55,8 +55,8 @@ type device_t, resource_type;
 allow xen_t dom0_t:domain { create };
 
 allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del
-	scheduler physinfo heap quirk readconsole writeconsole settime
-	microcode cpupool_op sched_op };
+	scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo
+	microcode cpupool_op sched_op pm_op };
 allow dom0_t xen_t:mmu { memorymap };
 allow dom0_t security_t:security { check_context compute_av compute_create
 	compute_member load_policy compute_relabel compute_user setenforce