author | Keir Fraser <keir@xen.org> | 2011-02-06 17:10:31 +0000 |
---|---|---|
committer | Keir Fraser <keir@xen.org> | 2011-02-06 17:10:31 +0000 |
commit | 95eddf1e8725a52b319a6d53ced93c30315fe1ff (patch) | |
tree | 5ccd94d74905b5e30b0a93d42876f755010c41c1 /tools/flask | |
parent | 75f04e45d08c5c5f8088f72782b0c3dec823721b (diff) | |
xsm/flask: Fix permission tables
At some point, it seems that someone manually added Flask permission
definitions to one header file without updating the corresponding
policy configuration or the other related table. The end result is
that we can get uninterpretable AVC messages like this:
# xl dmesg | grep avc
(XEN) avc: denied { 0x4000000 } for domid=0
scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:domU_t
tclass=domain
Fix this by updating the flask config and regenerating the headers
from it. In the future, this can be further improved by integrating
the automatic generation of the headers into the build process as is
presently done in SELinux.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/policy/policy/flask/access_vectors | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors index f835eb5a32..27fb9d7913 100644 --- a/tools/flask/policy/policy/flask/access_vectors +++ b/tools/flask/policy/policy/flask/access_vectors @@ -75,6 +75,8 @@ class domain trigger getextvcpucontext setextvcpucontext + getvcpuextstate + setvcpuextstate } class hvm |
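Review bot: in class domain, the new getvcpuextstate and setvcpuextstate entries are appended after setextvcpucontext, and their position in this list is what decides the bit each one gets when the headers are regenerated. The commit message says the headers are regenerated from this file, but this view is limited to tools/flask and does not show them, so please confirm that the regenerated values match the ones the hand-edited header already used, and state in the commit message which of the two names the 0x4000000 in the quoted AVC denial decodes to. It would also help to note whether any policy rule needs to grant these permissions, since access_vectors is the only file changed under tools/flask.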