diff options
Diffstat (limited to 'tools/flask')
| -rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index 8c77e6b1f6..c714dcb8e9 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -56,7 +56,7 @@ type device_t, resource_type; ################################################################################ allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo - microcode cpupool_op sched_op pm_op }; + microcode cpupool_op sched_op pm_op tmem_control }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce @@ -74,6 +74,9 @@ domain_comms(dom0_t, dom0_t) auditallow dom0_t security_t:security { load_policy setenforce setbool }; +# Allow all domains to use (unprivileged parts of) the tmem hypercall +allow domain_type xen_t:xen tmem_op; + ############################################################################### # # Domain creation |