Add kernel access to devtmpfs. Also add a workaround while devtmpfs is tmpfs_t instead of device_t.
This commit is contained in:
parent
a3108c60c0
commit
03a6e03926
@ -407,7 +407,7 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow read, write, and create for generic character device files.
|
## Create generic block device files.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -415,12 +415,30 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`dev_create_generic_chr_files',`
|
interface(`dev_create_generic_blk_files',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type device_t;
|
type device_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
create_chr_files_pattern($1, device_t, device_t)
|
create_blk_files_pattern($1, device_t, device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete generic block device files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_delete_generic_blk_files',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
delete_blk_files_pattern($1, device_t, device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -495,6 +513,42 @@ interface(`dev_rw_generic_chr_files',`
|
|||||||
allow $1 device_t:chr_file rw_chr_file_perms;
|
allow $1 device_t:chr_file rw_chr_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create generic character device files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_create_generic_chr_files',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
create_chr_files_pattern($1, device_t, device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete generic character device files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_delete_generic_chr_files',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
delete_chr_files_pattern($1, device_t, device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Do not audit attempts to set the attributes
|
## Do not audit attempts to set the attributes
|
||||||
@ -709,6 +763,33 @@ interface(`dev_filetrans',`
|
|||||||
files_associate_tmp($2)
|
files_associate_tmp($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, and write device nodes. The node
|
||||||
|
## will be transitioned to the type provided. This is
|
||||||
|
## a temporary interface until devtmpfs functionality
|
||||||
|
## fixed.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="objectclass(es)">
|
||||||
|
## <summary>
|
||||||
|
## Object class(es) (single or set including {}) for which this
|
||||||
|
## the transition will occur.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_tmpfs_filetrans_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
fs_tmpfs_filetrans($1, device_t, $2)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Getattr on all block file device nodes.
|
## Getattr on all block file device nodes.
|
||||||
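Review bot: `dev_tmpfs_filetrans_dev` applies its transition to the whole `tmpfs_t` type via `fs_tmpfs_filetrans($1, device_t, $2)`, not only to the devtmpfs mount, so any caller gets `device_t` labelling for the passed classes in every tmpfs directory it can write; the summary should state this so the interface is not reused by domains other than the kernel. The summary text also reads awkwardly: `## a temporary interface until devtmpfs functionality fixed.` would be clearer as `## a temporary interface until devtmpfs is labeled device_t; remove it once that lands.`, and `## for which this the transition will occur.` should be `## for which the transition will occur.`. The third parameter is documented as `<param name="objectclass(es)">`; if the other filetrans interfaces in the policy document that parameter as `object_class`, matching the name keeps the generated interface docs consistent (worth checking). The new create/delete generic blk and chr file interfaces in this section look correct.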
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(devices, 1.9.3)
|
policy_module(devices, 1.9.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kernel, 1.11.3)
|
policy_module(kernel, 1.11.4)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -248,6 +248,15 @@ corenet_send_all_packets(kernel_t)
|
|||||||
|
|
||||||
dev_read_sysfs(kernel_t)
|
dev_read_sysfs(kernel_t)
|
||||||
dev_search_usbfs(kernel_t)
|
dev_search_usbfs(kernel_t)
|
||||||
|
# devtmpfs handling:
|
||||||
|
dev_create_generic_dirs(kernel_t)
|
||||||
|
dev_delete_generic_dirs(kernel_t)
|
||||||
|
dev_create_generic_blk_files(kernel_t)
|
||||||
|
dev_delete_generic_blk_files(kernel_t)
|
||||||
|
dev_create_generic_chr_files(kernel_t)
|
||||||
|
dev_delete_generic_chr_files(kernel_t)
|
||||||
|
# work around until devtmpfs has device_t type
|
||||||
|
dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
|
||||||
|
|
||||||
# Mount root file system. Used when loading a policy
|
# Mount root file system. Used when loading a policy
|
||||||
# from initrd, then mounting the root filesystem
|
# from initrd, then mounting the root filesystem
|
||||||
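Review bot: The workaround call `dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })` gives `kernel_t` a `device_t` transition in any `tmpfs_t` directory, including for the `dir` class, not only under devtmpfs; that is acceptable for the kernel domain, but the comment above it does not say what must change before the line can be dropped. Suggest expanding it to `# work around until devtmpfs is labeled device_t; then drop this line and dev_tmpfs_filetrans_dev` so the rule is not left behind after the underlying labelling is fixed. The `dev_create_generic_dirs` and `dev_delete_generic_dirs` calls are not defined in this commit, so they presumably already exist in devices.if; the rest of the devtmpfs block only calls the interfaces added here.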
|