flask/policy: allow dom0 to use PHYSDEVOP_pci_mmcfg_reserved

author Daniel De Graaf <dgdegra@tycho.nsa.gov>

Fri, 2 Nov 2018 17:46:11 +0000 (13:46 -0400)

committer Andrew Cooper <andrew.cooper3@citrix.com>

Mon, 12 Nov 2018 18:17:34 +0000 (18:17 +0000)
author Daniel De Graaf <dgdegra@tycho.nsa.gov>
Fri, 2 Nov 2018 17:46:11 +0000 (13:46 -0400)
committer Andrew Cooper <andrew.cooper3@citrix.com>
Mon, 12 Nov 2018 18:17:34 +0000 (18:17 +0000)
diff --git a/tools/flask/policy/modules/dom0.te b/tools/flask/policy/modules/dom0.te

index c7d565d3dc85a1a6a9c67c264622461fad0d2c67..a347d664f81400b1b54d3988626a862b8c539ade 100644 (file)
--- a/tools/flask/policy/modules/dom0.te
+++ b/tools/flask/policy/modules/dom0.te
@@ -66,6 +66,9 @@ allow dom0_t security_t:security { load_policy setenforce setbool };
  # Audit policy change events even when they are allowed
  auditallow dom0_t security_t:security { load_policy setenforce setbool };
  
+# Allow dom0 to report platform configuration changes back to the hypervisor
+allow dom0_t xen_t:resource setup;
+
  admin_device(dom0_t, device_t)
  admin_device(dom0_t, irq_t)
  admin_device(dom0_t, ioport_t)
author	Daniel De Graaf <dgdegra@tycho.nsa.gov>
	Fri, 2 Nov 2018 17:46:11 +0000 (13:46 -0400)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Mon, 12 Nov 2018 18:17:34 +0000 (18:17 +0000)