Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.

This commit is contained in:
Chris PeBenito 2010-05-03 11:17:16 -04:00
parent a3108c60c0
commit 03a6e03926
3 changed files with 95 additions and 5 deletions

View File

@ -407,7 +407,7 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
######################################## ########################################
## <summary> ## <summary>
## Allow read, write, and create for generic character device files. ## Create generic block device files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -415,12 +415,30 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`dev_create_generic_chr_files',` interface(`dev_create_generic_blk_files',`
gen_require(` gen_require(`
type device_t; type device_t;
') ')
create_chr_files_pattern($1, device_t, device_t) create_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_blk_files',`
gen_require(`
type device_t;
')
delete_blk_files_pattern($1, device_t, device_t)
') ')
######################################## ########################################
@ -495,6 +513,42 @@ interface(`dev_rw_generic_chr_files',`
allow $1 device_t:chr_file rw_chr_file_perms; allow $1 device_t:chr_file rw_chr_file_perms;
') ')
########################################
## <summary>
## Create generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_chr_files',`
gen_require(`
type device_t;
')
create_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_chr_files',`
gen_require(`
type device_t;
')
delete_chr_files_pattern($1, device_t, device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to set the attributes ## Do not audit attempts to set the attributes
@ -709,6 +763,33 @@ interface(`dev_filetrans',`
files_associate_tmp($2) files_associate_tmp($2)
') ')
########################################
## <summary>
## Create, read, and write device nodes. The node
## will be transitioned to the type provided. This is
## a temporary interface until devtmpfs functionality
## fixed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="objectclass(es)">
## <summary>
## Object class(es) (single or set including {}) for which this
## the transition will occur.
## </summary>
## </param>
#
interface(`dev_tmpfs_filetrans_dev',`
gen_require(`
type device_t;
')
fs_tmpfs_filetrans($1, device_t, $2)
')
######################################## ########################################
## <summary> ## <summary>
## Getattr on all block file device nodes. ## Getattr on all block file device nodes.

View File

@ -1,5 +1,5 @@
policy_module(devices, 1.9.3) policy_module(devices, 1.9.4)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(kernel, 1.11.3) policy_module(kernel, 1.11.4)
######################################## ########################################
# #
@ -248,6 +248,15 @@ corenet_send_all_packets(kernel_t)
dev_read_sysfs(kernel_t) dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t) dev_search_usbfs(kernel_t)
# devtmpfs handling:
dev_create_generic_dirs(kernel_t)
dev_delete_generic_dirs(kernel_t)
dev_create_generic_blk_files(kernel_t)
dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
# work around until devtmpfs has device_t type
dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
# Mount root file system. Used when loading a policy # Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem # from initrd, then mounting the root filesystem