Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/policy/policy/flask/access_vectors7
-rw-r--r--tools/flask/policy/policy/flask/security_classes1
-rw-r--r--tools/flask/policy/policy/modules/xen/xen.te2
3 files changed, 9 insertions, 1 deletions
diff --git a/tools/flask/policy/policy/flask/access_vectors b/tools/flask/policy/policy/flask/access_vectors
index a884312b01..c7e29abb32 100644
--- a/tools/flask/policy/policy/flask/access_vectors
+++ b/tools/flask/policy/policy/flask/access_vectors
@@ -73,6 +73,13 @@ class domain
set_virq_handler
}
+class domain2
+{
+ relabelfrom
+ relabelto
+ relabelself
+}
+
class hvm
{
sethvmc
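Review bot: The new `domain2` class is added with no comment saying which label is the source and which is the target for `relabelfrom`, `relabelto` and `relabelself`, so a policy author reading this file cannot tell what each permission actually authorises. A short comment above `class domain2` would close that gap, for example `# domain relabeling: source = domain making the request; target = old label (relabelfrom) or new label (relabelto)`, with the wording confirmed against the hypervisor hook, which is not part of this view. It would also help to state why these permissions sit in a separate class rather than in `domain`; presumably `domain` has run out of permission bits, but the hunk does not show that.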
diff --git a/tools/flask/policy/policy/flask/security_classes b/tools/flask/policy/policy/flask/security_classes
index 2ca35d277b..ef134a7457 100644
--- a/tools/flask/policy/policy/flask/security_classes
+++ b/tools/flask/policy/policy/flask/security_classes
@@ -9,6 +9,7 @@
class xen
class domain
+class domain2
class hvm
class mmu
class resource
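Review bot: Inserting `class domain2` between `domain` and `hvm` instead of appending it shifts the position of every class that follows. If class values are assigned by position in this file, as is usual for Flask-style builds, then `hvm`, `mmu`, `resource` and the later classes are all renumbered. A policy binary or generated header built against the old ordering would then resolve access checks against the wrong class. The diffstat is limited to `tools/flask`, so it is not visible here whether the hypervisor-side generated headers are regenerated in the same commit; that should be confirmed. A note in this file that ordering is significant would prevent the same mismatch on later additions.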
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index 9cc5240b5c..9550397f8e 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -169,7 +169,7 @@ delegate_devices(dom0_t, domU_t)
################################################################################
# Domains must be declared using domain_type
-neverallow * ~domain_type:domain create;
+neverallow * ~domain_type:domain { create transition };
# Resources must be declared using resource_type
neverallow * ~resource_type:resource use;
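Review bot: The widened `neverallow` now covers `transition` on class `domain`, but nothing constrains the new `domain2` permissions, so a rule granting `relabelto` towards a type without the `domain_type` attribute would still compile. If every relabel is also gated by a `domain:transition` check this is only defence in depth, but that enforcement lives in hypervisor code not shown in this view. Consider adding `neverallow * ~domain_type:domain2 { relabelfrom relabelto };` next to it. The comment could also be extended to `# Domains must be declared using domain_type (this also applies to relabel/transition targets)` so the reason for listing `transition` is recorded.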