rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Early devtmpfs access

Browse Source 
dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
This commit is contained in:
Jeremy Solt 2010-08-18 11:36:35 -04:00 committed by Chris PeBenito
parent d6e1ef29cd
commit 2fc79f1ef4
5 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/admin/readahead.te
View File

@ -45,6 +45,8 @@ dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t) dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t) dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t) dev_dontaudit_getattr_nvram_dev(readahead_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(readahead_t)
domain_use_interactive_fds(readahead_t) domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t) domain_read_all_domains_state(readahead_t)

18
policy/modules/kernel/devices.if
View File

@ -550,6 +550,24 @@ interface(`dev_rw_generic_chr_files',`
allow $1 device_t:chr_file rw_chr_file_perms; allow $1 device_t:chr_file rw_chr_file_perms;
') ')
########################################
## <summary>
## Dontaudit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to dontaudit access.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_chr_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file rw_chr_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Create generic character device files. ## Create generic character device files.

2
policy/modules/system/hostname.te
View File

@ -25,6 +25,8 @@ kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t) kernel_read_proc_symlinks(hostname_t)
dev_read_sysfs(hostname_t) dev_read_sysfs(hostname_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(hostname_t)
domain_use_interactive_fds(hostname_t) domain_use_interactive_fds(hostname_t)

4
policy/modules/system/init.te
View File

@ -119,6 +119,8 @@ corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t) corecmd_exec_bin(init_t)
dev_read_sysfs(init_t) dev_read_sysfs(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
domain_getpgid_all_domains(init_t) domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
@ -296,6 +298,8 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t) dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t) dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t) dev_getattr_all_chr_files(initrc_t)
# Early devtmpfs
dev_rw_generic_chr_files(initrc_t)
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)

3
policy/modules/system/mount.te
View File

@ -60,6 +60,9 @@ dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t) dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t) dev_getattr_sound_dev(mount_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t) domain_use_interactive_fds(mount_t)
files_search_all(mount_t) files_search_all(mount_t)