the domain performing the labeling be trusted to label all the devices in the
system properly.
-To enable static device labeling, a checkpolicy >= 2.0.20 and libsepol >=2.0.39
-are required. The policy Makefile (tools/flask/policy/Makefile) must also be
-changed as follows:
-
-########################################
-#
-# Build a binary policy locally
-#
-$(POLVER): policy.conf
- @echo "Compiling $(NAME) $(POLVER)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@ (Comment out this line)
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ (Uncomment this line)
-
-########################################
-#
-# Install a binary policy
-#
-$(LOADPATH): policy.conf
- @echo "Compiling and installing $(NAME) $(LOADPATH)"
- $(QUIET) $(CHECKPOLICY) $^ -o $@ (Comment out this line)
-# Uncomment line below to enable policies for devices
-# $(QUIET) $(CHECKPOLICY) -t Xen $^ -o $@ (Uncomment this line)
-
-
-IRQs, PCI devices, I/O memory and ports can all be labeled. There are
-commented out lines in xen.te policy for examples on how to label devices.
+IRQs, PCI devices, I/O memory and x86 IO ports can all have labels defined.
+There are examples commented out in tools/flask/policy/policy/device_contexts.
Device Labeling
---------------
Region 2: I/O ports at ecc0 [size=32]
Kernel modules: e1000e
-The labeling can be done with these commands
+The labeling can be done with these lines in device_contexts:
pirqcon 33 system_u:object_r:nicP_t
iomemcon 0xfebe0-0xfebff system_u:object_r:nicP_t
USERS := $(POLDIR)/users
CONSTRAINTS := $(POLDIR)/constraints
ISID_DEFS := $(POLDIR)/initial_sids
+DEV_OCONS := $(POLDIR)/device_contexts
# config file paths
GLOBALTUN := $(POLDIR)/global_tunables
POLICY_SECTIONS += $(ALL_INTERFACES)
POLICY_SECTIONS += $(GLOBALTUN)
POLICY_SECTIONS += $(ALL_MODULES)
-POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS)
+POLICY_SECTIONS += $(USERS) $(CONSTRAINTS) $(ISID_DEFS) $(DEV_OCONS)
all: $(POLICY_FILENAME)
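Review bot: The new `$(DEV_OCONS)` entry on the last `POLICY_SECTIONS +=` line has no comment saying why it must stay last, although the position is load-bearing: the pirqcon/iomemcon/ioportcon/pcidevicecon statements in device_contexts reference types such as nic_dev_t that are declared in the module sections concatenated before it, and checkpolicy expects object contexts at the end of policy.conf. A one-line comment above the assignment, `# device_contexts holds object contexts; keep it last, it references types declared in the modules above`, would stop a later reordering from producing a policy that no longer compiles. It is also worth confirming that the rule building `$(POLICY_FILENAME)` lists `$(POLICY_SECTIONS)` as prerequisites so an edit to device_contexts actually triggers a rebuild; that rule is outside this hunk.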
--- /dev/null
+###############################################################################
+#
+# Label devices for delegation
+#
+# The PCI, IRQ, memory, and I/O port ranges are hardware-specific.
+#
+###############################################################################
+
+# label e1000e nic
+#pirqcon 33 system_u:object_r:nic_dev_t
+#pirqcon 55 system_u:object_r:nic_dev_t
+#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t
+#iomemcon 0xfebd9 system_u:object_r:nic_dev_t
+#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t
+#pcidevicecon 0xc800 system_u:object_r:nic_dev_t
+
+# label e100 nic
+#pirqcon 16 system_u:object_r:nic_dev_t
+#iomemcon 0xfe5df system_u:object_r:nic_dev_t
+#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t
+#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t
+#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t
+
+# label usb 1d.0-2 1d.7
+#pirqcon 23 system_u:object_r:nic_dev_t
+#pirqcon 17 system_u:object_r:nic_dev_t
+#pirqcon 18 system_u:object_r:nic_dev_t
+#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t
+#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t
+#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t
+#iomemcon 0xff980 system_u:object_r:nic_dev_t
+#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t
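Review bot: The USB controller examples at the bottom of the new file (`# label usb 1d.0-2 1d.7`) use the same `system_u:object_r:nic_dev_t` label as the two NIC examples, so anyone who uncomments both blocks gives whichever domain nic_dev_t is delegated to the NIC and the USB controllers together, since the visible xen.te declares only nic_dev_t and expresses delegation on that type. The header comment should say so explicitly, e.g. `# Devices that are delegated independently need their own resource type; nic_dev_t is declared in xen.te and is only an example`. The hex casing is also inconsistent (`0xff80-0xFF9F` next to lowercase ranges elsewhere); harmless, but worth normalizing to lowercase so the ranges are easy to compare against lspci output.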
#
# Device delegation
#
+# This requires that the device be labeled with a type defined here. You can
+# use flask-label-pci to dynamically label devices on each boot or define the
+# labels statically in tools/flask/policy/policy/device_contexts
+#
###############################################################################
type nic_dev_t, resource_type;
delegate_devices(dom0_t, domU_t)
-###############################################################################
-#
-# Label devices for delegation
-#
-# The PCI, IRQ, memory, and I/O port ranges are hardware-specific.
-# You may also use flask-label-pci to dynamically label devices on each boot.
-#
-###############################################################################
-
-# label e1000e nic
-#pirqcon 33 system_u:object_r:nic_dev_t
-#pirqcon 55 system_u:object_r:nic_dev_t
-#iomemcon 0xfebe0-0xfebff system_u:object_r:nic_dev_t
-#iomemcon 0xfebd9 system_u:object_r:nic_dev_t
-#ioportcon 0xecc0-0xecdf system_u:object_r:nic_dev_t
-#pcidevicecon 0xc800 system_u:object_r:nic_dev_t
-
-# label e100 nic
-#pirqcon 16 system_u:object_r:nic_dev_t
-#iomemcon 0xfe5df system_u:object_r:nic_dev_t
-#iomemcon 0xfe5e0-0xfe5ff system_u:object_r:nic_dev_t
-#iomemcon 0xc2000-0xc200f system_u:object_r:nic_dev_t
-#ioportcon 0xccc0-0xcd00 system_u:object_r:nic_dev_t
-
-# label usb 1d.0-2 1d.7
-#pirqcon 23 system_u:object_r:nic_dev_t
-#pirqcon 17 system_u:object_r:nic_dev_t
-#pirqcon 18 system_u:object_r:nic_dev_t
-#ioportcon 0xff80-0xFF9F system_u:object_r:nic_dev_t
-#ioportcon 0xff60-0xff7f system_u:object_r:nic_dev_t
-#ioportcon 0xff40-0xff5f system_u:object_r:nic_dev_t
-#iomemcon 0xff980 system_u:object_r:nic_dev_t
-#ioportcon 0xff00-0xff1f system_u:object_r:nic_dev_t
-
################################################################################
#
# Policy constraints