################################################################################
#
# Xenstore stubdomain
#
# XSM/FLASK rules for running xenstore in its own domain (type xenstore_t)
# instead of inside dom0. The macros used below (declare_singleton_domain,
# create_domain, manage_domain, create_channel) are defined elsewhere in the
# policy tree; their expansions are not visible in this file.
#
# NOTE(review): several rules target the domain_type / event_type attributes
# rather than individual types, so they apply to every type carrying those
# attributes, including types added to the policy later. Audit this file
# whenever a new domain type is introduced.
#
################################################################################
# Declare xenstore_t and let dom0_t create and manage it (per the macro names;
# the exact permission sets come from the macro definitions).
declare_singleton_domain(xenstore_t)
create_domain(dom0_t, xenstore_t)
manage_domain(dom0_t, xenstore_t)

# Xenstore requires the global VIRQ for domain destroy operations.
# The source of this rule is dom0_t: dom0 is what is permitted to set the VIRQ
# handler on the xenstore domain.
allow dom0_t xenstore_t:domain set_virq_handler;
# Current xenstore stubdom uses the hypervisor console, not "xl console"
allow xenstore_t xen_t:xen writeconsole;
# Xenstore queries domaininfo on all domains.
# The target is the domain_type attribute, so the query is permitted against
# every domain type regardless of its label.
allow xenstore_t domain_type:domain getdomaininfo;

# As a shortcut, the following 3 rules are used instead of adding a domain_comms
# rule between xenstore_t and every domain type that talks to xenstore.
# NOTE(review): the cost of the shortcut is breadth. All three rules are
# attribute-wide: any event_type may bind an event channel to xenstore_t, and
# xenstore_t may map (read and write) and unmap grants from any domain_type.
# The policy therefore does not restrict which domains can reach xenstore or
# which domains' grants xenstore may map. If a domain type must be isolated
# from xenstore, these rules have to be replaced with per-type rules.
create_channel(xenstore_t, domain_type, xenstore_t_channel)
allow event_type xenstore_t: event bind;
allow xenstore_t domain_type:grant { map_read map_write unmap };

# Xenstore is a utility domain, so it should use the system role
role system_r types xenstore_t;