Allow virtd to relabel generic usb which is need if USB device

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c2a334ff5efb489dfa58bb9b39f7a099ab09fc76..39b1056d7218248e73a270824c392d56608b0f46 100644 (file)
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4413,6 +4413,24 @@ interface(`dev_setattr_generic_usb_dev',`
        setattr_chr_files_pattern($1, device_t, usb_device_t)
 ')
 
+######################################
+## <summary>
+##  Allow relabeling (to and from) of generic usb device
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to relabel.
+##  </summary>
+## </param>
+#
+interface(`dev_relabel_generic_usb_dev',`
+    gen_require(`
+        type usb_device_t;
+    ')
+
+    relabel_dirs_pattern($1, usb_device_t, usb_device_t)
+')
+
 ########################################
 ## <summary>
 ##     Read generic the USB devices.

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index f9a032da88723ae22c7a5585240940b7de99602f..54e53fb1e25248dedc067b9191dafcdc75e128e4 100644 (file)
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -352,6 +352,8 @@ dev_rw_kvm(virtd_t)
 dev_getattr_all_chr_files(virtd_t)
 dev_rw_mtrr(virtd_t)
 dev_rw_vhost(virtd_t)
+dev_setattr_generic_usb_dev(virtd_t)
+dev_relabel_generic_usb_dev(virtd_t)
 
 # Init script handling
 domain_use_interactive_fds(virtd_t)