add interface to associate to filesystems w/o xattr. allow regular files to

associate to no xattr filesystems

refpolicy/policy/modules/kernel/filesystem.if

@@ -11,6 +11,38 @@ define(`filesystem_make_filesystem_depend',`
 attribute fs_type;
 ')
 
+########################################
+#
+# filesystem_associate(type,[`optional'])
+#
+define(`filesystem_associate',`
+requires_block_template(filesystem_associate_depend,$2)
+allow $1 fs_t:filesystem associate;
+')
+
+define(`filesystem_associate_depend',`
+type fs_t;
+class filesystem associate;
+')
+
+########################################
+#
+# filesystem_associate_noxattr(type,[`optional'])
+#
+define(`filesystem_associate_noxattr',`
+requires_block_template(filesystem_associate_noxattr_depend,$2)
+allow $1 autofs_t:filesystem associate;
+allow $1 cifs_t:filesystem associate;
+allow $1 dosfs_t:filesystem associate;
+allow $1 iso9660_t:filesystem associate;
+allow $1 nfs_t:filesystem associate;
+')
+
+define(`filesystem_associate_noxattr_depend',`
+type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t;
+class filesystem associate;
+')
+
 ########################################
 #
 # filesystem_mount_persistent_filesystem(domain,[`optional'])
@@ -67,20 +99,6 @@ type fs_t;
 class filesystem getattr;
 ')
 
-########################################
-#
-# filesystem_associate(type,[`optional'])
-#
-define(`filesystem_associate',`
-requires_block_template(filesystem_associate_depend,$2)
-allow $1 fs_t:filesystem associate;
-')
-
-define(`filesystem_associate_depend',`
-type fs_t;
-class filesystem associate;
-')
-
 ########################################
 #
 # filesystem_mount_automount_filesystem(domain,[`optional'])

refpolicy/policy/modules/system/files.if

@@ -6,11 +6,13 @@ define(`files_make_file',`
 requires_block_template(files_make_file_depend,$2)
 typeattribute $1 file_type;
 filesystem_associate($1,optional)
+filesystem_associate_noxattr($1,optional)
 ')
 
 define(`files_make_file_depend',`
 attribute file_type;
 filesystem_associate_depend
+filesystem_associate_noxattr_depend
 ')
 
 ########################################

refpolicy/policy/modules/system/files.te

@@ -8,12 +8,14 @@ attribute tmpfile;
 # other than the generic /.* specification.
 type default_t, file_type;
 filesystem_associate(default_t)
+filesystem_associate_noxattr(default_t)
 
 #
 # etc_t is the type of the system etc directories.
 #
 type etc_t, file_type;
 filesystem_associate(etc_t)
+filesystem_associate_noxattr(etc_t)
 
 #
 # etc_runtime_t is the type of various
@@ -22,6 +24,7 @@ filesystem_associate(etc_t)
 #
 type etc_runtime_t, file_type;
 filesystem_associate(etc_runtime_t)
+filesystem_associate_noxattr(etc_runtime_t)
 
 #
 # file_t is the default type of a file that has not yet been
@@ -30,6 +33,7 @@ filesystem_associate(etc_runtime_t)
 #
 type file_t, file_type;
 filesystem_associate(file_t)
+filesystem_associate_noxattr(file_t)
 kernel_make_root_filesystem_mountpoint(file_t)
 
 #
@@ -37,12 +41,14 @@ kernel_make_root_filesystem_mountpoint(file_t)
 #
 type removable_t, file_type;
 filesystem_associate(removable_t)
+filesystem_associate_noxattr(removable_t)
 
 #
 # root_t is the type for rootfs and the root directory.
 #
 type root_t, file_type;
 filesystem_associate(root_t)
+filesystem_associate_noxattr(root_t)
 kernel_read_directory_from(root_t)
 kernel_make_root_filesystem_mountpoint(root_t)
 genfscon rootfs / system_u:object_r:root_t
@@ -53,54 +59,63 @@ genfscon rootfs / system_u:object_r:root_t
 #
 type home_root_t, file_type;
 filesystem_associate(home_root_t)
+filesystem_associate_noxattr(home_root_t)
 
 #
 # lost_found_t is the type for the lost+found directories.
 #
 type lost_found_t, file_type;
 filesystem_associate(lost_found_t)
+filesystem_associate_noxattr(lost_found_t)
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
 type mnt_t, file_type;
 filesystem_associate(mnt_t)
+filesystem_associate_noxattr(mnt_t)
 
 #
 # src_t is the type of files in the system src directories.
 #
 type src_t, file_type;
 filesystem_associate(src_t)
+filesystem_associate_noxattr(src_t)
 
 #
 # tmp_t is the type of the temporary directories
 #
 type tmp_t, file_type, tmpfile;
 filesystem_associate(tmp_t)
+filesystem_associate_noxattr(tmp_t)
 
 #
 # usr_t is the type for /usr.
 #
 type usr_t, file_type;
 filesystem_associate(usr_t)
+filesystem_associate_noxattr(usr_t)
 
 #
 # var_t is the type of /var
 #
 type var_t, file_type;
 filesystem_associate(var_t)
+filesystem_associate_noxattr(var_t)
 
 #
 # var_lib_t is the type of /var/lib
 #
 type var_lib_t, file_type;
 filesystem_associate(var_lib_t)
+filesystem_associate_noxattr(var_lib_t)
 
 #
 # var_lock_t is tye type of /var/lock
 #
 type var_lock_t, file_type, lockfile;
 filesystem_associate(var_lock_t)
+filesystem_associate_noxattr(var_lock_t)
 
 #
 # var_run_t is the type of /var/run, usually
@@ -108,9 +123,11 @@ filesystem_associate(var_lock_t)
 #
 type var_run_t, file_type, pidfile;
 filesystem_associate(var_run_t)
+filesystem_associate_noxattr(var_run_t)
 
 #
 # var_spool_t is the type of /var/spool
 #
 type var_spool_t, file_type;
 filesystem_associate(var_spool_t)
+filesystem_associate_noxattr(var_spool_t)