diff options
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.if | 6 | ||||
-rw-r--r-- | tools/flask/policy/policy/modules/xen/xen.te | 4 |
2 files changed, 5 insertions, 5 deletions
diff --git a/tools/flask/policy/policy/modules/xen/xen.if b/tools/flask/policy/policy/modules/xen/xen.if index d9d534427b..2ce22125c1 100644 --- a/tools/flask/policy/policy/modules/xen/xen.if +++ b/tools/flask/policy/policy/modules/xen/xen.if @@ -47,9 +47,9 @@ define(`declare_build_label', ` define(`create_domain_common', ` allow $1 $2:domain { create max_vcpus setdomainmaxmem setaddrsize getdomaininfo hypercall setvcpucontext setextvcpucontext - scheduler getvcpuinfo getvcpuextstate getaddrsize + getscheduler getvcpuinfo getvcpuextstate getaddrsize getvcpuaffinity setvcpuaffinity }; - allow $1 $2:domain2 { set_cpuid settsc }; + allow $1 $2:domain2 { set_cpuid settsc setscheduler }; allow $1 $2:security check_context; allow $1 $2:shadow enable; allow $1 $2:mmu { map_read map_write adjust memorymap physmap pinpage mmuext_op }; @@ -79,7 +79,7 @@ define(`create_domain_build_label', ` define(`manage_domain', ` allow $1 $2:domain { getdomaininfo getvcpuinfo getvcpuaffinity getaddrsize pause unpause trigger shutdown destroy - setvcpuaffinity setdomainmaxmem }; + setvcpuaffinity setdomainmaxmem getscheduler }; ') # migrate_domain_out(priv, target) diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index c714dcb8e9..955fd8bee6 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -55,8 +55,8 @@ type device_t, resource_type; # ################################################################################ allow dom0_t xen_t:xen { kexec readapic writeapic mtrr_read mtrr_add mtrr_del - scheduler physinfo heap quirk readconsole writeconsole settime getcpuinfo - microcode cpupool_op sched_op pm_op tmem_control }; + physinfo heap quirk readconsole writeconsole settime getcpuinfo + microcode cpupool_op pm_op tmem_control getscheduler setscheduler }; allow dom0_t xen_t:mmu { memorymap }; allow dom0_t security_t:security { check_context compute_av compute_create compute_member load_policy compute_relabel compute_user setenforce |