From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id 5DB8A1381F3
	for ; Sat, 17 Nov 2012 20:39:52 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id EA80CE0453;
	Sat, 17 Nov 2012 20:39:44 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 6E1E6E0453
	for ; Sat, 17 Nov 2012 20:39:44 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 7236C33D84F
	for ; Sat, 17 Nov 2012 20:39:43 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by hornbill.gentoo.org (Postfix) with ESMTP id ECDABE5436
	for ; Sat, 17 Nov 2012 20:39:41 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1353184436.560bc5f5539b66c4199f4ebd29cd49ccec3d7d15.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/qemu.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 560bc5f5539b66c4199f4ebd29cd49ccec3d7d15
X-VCS-Branch: master
Date: Sat, 17 Nov 2012 20:39:41 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 779ce396-e3a2-423f-8f75-ec2c51840186
X-Archives-Hash: b57f68a67630465e7ce53fda571f9bdd

commit:     560bc5f5539b66c4199f4ebd29cd49ccec3d7d15
Author:     Sven Vermeulen siphos be>
AuthorDate: Sat Nov 17 20:33:56 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Sat Nov 17 20:33:56 2012 +0000

    URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=560bc5f5

Running qemu with SDL support requires more xserver-related privileges

When trying to start qemu with SDL, the qemu application just fails with the
following denial in the logs:

Nov 11 18:06:44 lain kernel: [20076.499347] type=1400 audit(1352653604.042:3987): avc: denied { read } for pid=28245 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file

Although the application seems to run with just xserver_read_user_xauth(qemu_t)
set, it does still provide denials like the following:

Nov 14 20:58:51 lain kernel: [39885.690744] type=1400 audit(1352923131.430:154): avc: denied { unix_read unix_write } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t
tcontext=staff_u:staff_r:qemu_t tclass=shm As qemu is acting as an X11 application (when build with SDL support), it makes sense to use xserver_user_x_domain_template. --- policy/modules/contrib/qemu.te | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/qemu.te b/policy/modules/contrib/qemu.te index fd12d58..78af6ab 100644 --- a/policy/modules/contrib/qemu.te +++ b/policy/modules/contrib/qemu.te @@ -31,6 +31,11 @@ ifdef(`distro_gentoo',` optional_policy(` vde_connect(qemu_t) ') + + optional_policy(` + # When qemu is built with SDL support + xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) + ') ') tunable_policy(`qemu_full_network',`
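Review bot: The new optional_policy block lands inside the ifdef(`distro_gentoo',` section (the hunk header at @@ -31,6 +31,11 @@ shows the enclosing ifdef), so the X client access is granted only on Gentoo builds, while the commit message describes a general property of qemu built with SDL rather than anything Gentoo-specific; either move the block outside the ifdef or extend the "# When qemu is built with SDL support" comment to say why it is kept Gentoo-only. That comment also overstates what the policy can do: SELinux cannot tell how qemu was compiled, so xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t) applies to every qemu_t process, headless guests included, and it grants the full user X client permission set (which covers the unix_read/unix_write shm access with xserver_t cited in the message, not just the .Xauthority read). Since the file already uses a boolean for the network case (tunable_policy(`qemu_full_network',` is visible right below the hunk), wrapping this in a similar tunable, say a hypothetical qemu_use_sdl, would let administrators who never run qemu with a display keep qemu_t away from the X server.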