Add boolean to remove execmem and execstack from virtual machines
authorDan Walsh <dwalsh@redhat.com>
Tue, 25 Oct 2011 14:42:31 +0000 (10:42 -0400)
committerDan Walsh <dwalsh@redhat.com>
Tue, 25 Oct 2011 14:42:31 +0000 (10:42 -0400)
policy/modules/services/virt.te

index ea9593cbd30ab92469d75fbf9cf6056a4fb89aae..f0e49aa67227d2358454dff9755f98a26fa970e3 100644 (file)
@@ -15,6 +15,13 @@ attribute virt_ptynode;
 ## </desc>
 gen_tunable(virt_use_comm, false)
 
+## <desc>
+##     <p>
+##     Allow confined virtual guests to use executable memory and executable stack
+##     </p>
+## </desc>
+gen_tunable(virt_use_execmem, false)
+
 ## <desc>
 ##     <p>
 ##     Allow confined virtual guests to read fuse files
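Review bot: The new tunable's description does not say that it defaults to off, nor what a guest loses when it is off; since the same commit drops execmem/execstack from the unconditional virt_domain rules, admins upgrading will only learn about this from AVC denials. I would expand the `<p>` text to something like `Allow confined virtual guests to use executable memory and executable stack. Off by default; guests whose emulator generates code at runtime (presumably qemu without hardware acceleration -- confirm) will fail with execmem denials unless this is enabled.` The exact list of affected configurations is not visible here and should be verified before it is written into the description.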
@@ -547,7 +554,7 @@ optional_policy(`
 # virtual domains common policy
 #
 
-allow virt_domain self:process { execmem execstack signal getsched signull };
+allow virt_domain self:process { signal getsched signull };
 allow virt_domain self:fifo_file rw_fifo_file_perms;
 allow virt_domain self:shm create_shm_perms;
 allow virt_domain self:unix_stream_socket create_stream_socket_perms;
@@ -630,6 +637,10 @@ logging_send_syslog_msg(virt_domain)
 
 miscfiles_read_localization(virt_domain)
 
+tunable_policy(`virt_use_execmem',`
+       allow virtd_t virt_domain:process { execmem execstack };
+')
+
 optional_policy(`
        ptchown_domtrans(virt_domain)
 ')
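Review bot: The tunable rule at the `allow virtd_t virt_domain:process { execmem execstack };` line does not restore what the commit removed: the dropped rule was `allow virt_domain self:process { execmem execstack ... }`, i.e. the guest domain acting on itself, whereas the new rule has virtd_t as the source and virt_domain as the target. Process execmem/execstack are checked as self permissions of the domain that maps the memory, so as far as I can tell from these hunks, enabling virt_use_execmem grants virtd_t a permission it never needed while confined guests still lack execmem. The block should read `allow virt_domain self:process { execmem execstack };` inside the tunable_policy. If virtd_t itself also needs these permissions, that belongs in a separate rule with a separate justification.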