harald/VerityBook
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Allow containers to access /dev/kvm

Browse source
This commit is contained in:
Harald Hoyer 2020-02-27 10:31:20 +01:00
parent 17bbec88f8
commit b9093fd208
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
VerityBook.te
View file

@ -34,6 +34,8 @@ require {
type user_home_dir_t; type user_home_dir_t;
type chkpwd_t; type chkpwd_t;
type xdm_var_lib_t; type xdm_var_lib_t;
type container_t;
type kvm_device_t;
class sock_file { create write }; class sock_file { create write };
class file { create getattr map open read relabelfrom relabelto rename setattr unlink write }; class file { create getattr map open read relabelfrom relabelto rename setattr unlink write };
class process { dyntransition setcurrent }; class process { dyntransition setcurrent };
@ -43,8 +45,13 @@ require {
class dbus send_msg; class dbus send_msg;
class sock_file { read write }; class sock_file { read write };
class lnk_file { getattr read }; class lnk_file { getattr read };
class chr_file { getattr ioctl open read write };
} }
#============= container_t ==============
allow container_t kvm_device_t:chr_file getattr;
allow container_t kvm_device_t:chr_file { ioctl open read write };
#============= NetworkManager_t ============== #============= NetworkManager_t ==============
allow NetworkManager_t iscsi_unit_file_t:service { reload status }; allow NetworkManager_t iscsi_unit_file_t:service { reload status };