From d6e1ef29cdb5728d37355ad2fc8c158bda846b51 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Wed, 18 Aug 2010 11:36:34 -0400
Subject: [PATCH 1/4] Move devtmpfs to devices from filesystem Move devtmpfs to devices module (remove from filesystem module) Make device_t a filesystem Add interface for associating types with device_t filesystem (dev_associate) Call dev_associate from dev_filetrans Allow all device nodes associate with device_t filesystem Remove dev_tmpfs_filetrans_dev from kernel_t Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate Mounton interface, to allow the kernel to mounton device_t
Signed-off-by: Jeremy Solt
---
 policy/modules/kernel/corecommands.te | 1 +
 policy/modules/kernel/devices.if | 39 ++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te | 4 +++
 policy/modules/kernel/filesystem.te | 1 -
 policy/modules/kernel/kernel.te | 3 +--
 policy/modules/system/init.te | 1 -
 6 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 5e99b332..39a4e970 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -15,6 +15,7 @@ attribute exec_type;
 #
 type bin_t alias { ls_exec_t sbin_t };
 corecmd_executable_file(bin_t)
+dev_associate(bin_t) #For /dev/MAKEDEV
 #
 # shell_exec_t is the type of user shells such as /bin/bash.
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index cac0c64e..fec4d405 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
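Review bot: The new `dev_associate(bin_t)` line carries its rationale as a trailing `#For /dev/MAKEDEV` comment, which is not this file's convention (the surrounding comments are `# `-prefixed lines above the rule) and does not say why an executable type needs to associate with the device filesystem. I would move it above the call as `# /dev/MAKEDEV is a bin_t executable that lives on devtmpfs, so bin_t must associate with device_t`. As dev_associate is written in this series it also calls fs_associate_tmpfs, so bin_t gains tmpfs association here too if it did not already have it; worth stating whether that is intended.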
@@ -71,6 +71,43 @@ interface(`dev_node',`
 typeattribute $1 device_node;
 ')
+########################################
+##
+## Associate the specified file type with device filesystem.
+##
+##
+##
+## The type of the file to be associated.
+##
+##
+#
+interface(`dev_associate',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem associate;
+ fs_associate_tmpfs($1) #For backwards compatibility
+')
+
+########################################
+##
+## Mount a filesystem on /dev
+##
+##
+##
+## Domain allow access.
+##
+##
+#
+interface(`dev_mounton',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir mounton;
+')
+
 ########################################
 ##
 ## Allow full relabeling (to and from) of all device nodes.
@@ -759,7 +796,7 @@ interface(`dev_filetrans',`
 filetrans_pattern($1, device_t, $2, $3)
- fs_associate_tmpfs($2)
+ dev_associate($2)
 files_associate_tmp($2)
 ')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 102d1302..c4c843bd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
 files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 #
 # Type for /dev/agpgart
@@ -294,6 +296,8 @@ fs_associate_tmpfs(device_node)
 files_associate_tmp(device_node)
+allow device_node device_t:filesystem associate;
+
 ########################################
 #
 # Unconfined access to this module
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index fb63c3ad..22dc0f37 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
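Review bot: `dev_associate` grants more than its summary says: besides `allow $1 device_t:filesystem associate;` it calls `fs_associate_tmpfs($1)`, so every caller also gains association with tmpfs, and the trailing `#For backwards compatibility` comment does not say when that extra grant can go away. I would make the summary read `Associate the specified file type with the device filesystem (and, for compatibility with /dev mounted as tmpfs, with tmpfs).` and mark the compatibility line with `# TODO: drop once /dev is always devtmpfs labeled device_t`. In `dev_mounton`, the parameter description `Domain allow access.` should be `Domain allowed access.`, the standard refpolicy wording for a domain parameter.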
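Review bot: The new `fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);` line has no comment on its labeling consequence: under fs_use_trans a node's label comes from the creating domain's type transition on device_t, and with the kernel.te workaround removed in this patch, kernel-created nodes stay plain device_t until udev relabels them (patch 2's `# Early devtmpfs, before udev relabel` rules exist for that window). A comment above the rule such as `# devtmpfs is labeled device_t; nodes the kernel creates keep device_t until udev relabels them` would make that dependency visible where it is introduced. `fs_type(device_t)` also places device_t under the fs_type attribute, so interfaces granting access to all filesystem types presumably now cover /dev as well; worth confirming that is intended.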
@@ -174,7 +174,6 @@ files_poly_parent(tmpfs_t)
 # and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
-fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6fa55f26..f87946fb 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -245,8 +245,7 @@ dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
-# work around until devtmpfs has device_t type
-dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
+dev_mounton(kernel_t)
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd45076c..74c0c76f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -108,7 +108,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-fs_associate_tmpfs(initctl_t)
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
From 2fc79f1ef4f3928c3d33b20c3274e87ae148b5f6 Mon Sep 17 00:00:00 2001
From: Jeremy Solt
Date: Wed, 18 Aug 2010 11:36:35 -0400
Subject: [PATCH 2/4] Early devtmpfs access dontaudit attempts to read/write device_t chr files occurring before udev relabel allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)
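Review bot: The replacement line `dev_mounton(kernel_t)` in the kernel.te hunk drops the explanatory comment the removed workaround carried, so the reader no longer learns why the kernel needs mounton on /dev; I would keep one above it, `# mount devtmpfs on /dev during early boot`. With `dev_tmpfs_filetrans_dev(kernel_t, ...)` removed here, that interface may have no remaining caller in the tree; if so it is a candidate for deprecation in a follow-up rather than being left silently unused.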
Signed-off-by: Jeremy Solt
---
 policy/modules/admin/readahead.te | 2 ++
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/hostname.te | 2 ++
 policy/modules/system/init.te | 4 ++++
 policy/modules/system/mount.te | 3 +++
 5 files changed, 29 insertions(+)
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index c5c78520..f7d3b90c 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -45,6 +45,8 @@ dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
 dev_dontaudit_getattr_memory_dev(readahead_t)
 dev_dontaudit_getattr_nvram_dev(readahead_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(readahead_t)
 domain_use_interactive_fds(readahead_t)
 domain_read_all_domains_state(readahead_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fec4d405..8b092815 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -550,6 +550,24 @@ interface(`dev_rw_generic_chr_files',`
 allow $1 device_t:chr_file rw_chr_file_perms;
 ')
+########################################
+##
+## Dontaudit attempts to read/write generic character device files.
+##
+##
+##
+## Domain to dontaudit access.
+##
+##
+#
+interface(`dev_dontaudit_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ##
 ## Create generic character device files.
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index b9efd1be..e384dcd7 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -25,6 +25,8 @@ kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
 dev_read_sysfs(hostname_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(hostname_t)
 domain_use_interactive_fds(hostname_t)
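Review bot: The added `dev_dontaudit_rw_generic_chr_files(readahead_t)` silences read/write denials on every chr_file labeled device_t for the whole lifetime of the system, not only during the pre-udev window its comment names, so a genuine denial on a node that udev never relabels, or that is left device_t after a failed relabel, will no longer reach the audit log. The comment should state that trade-off so the missing denials are not a surprise during incident triage, e.g. `# Early devtmpfs, before udev relabel; also hides rw denials on any chr_file still labeled device_t afterwards`. The same point applies to the hostname.te hunk below and to the mount.te hunk in this patch.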
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 74c0c76f..f8b4badf 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -119,6 +119,8 @@ corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 dev_read_sysfs(init_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(init_t)
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
@@ -296,6 +298,8 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(initrc_t)
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index ee6520c8..280a5341 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -60,6 +60,9 @@ dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(mount_t)
+
 domain_use_interactive_fds(mount_t)
 files_search_all(mount_t)
From 0d24805fd0f8b89804858c84b8f6b95b480e9cca Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 25 Aug 2010 11:18:25 -0400
Subject: [PATCH 3/4] Trivial tweaks to devtmpfs patches.
---
 policy/modules/kernel/devices.te | 4 ++--
 policy/modules/system/mount.te | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index c4c843bd..757f11ed 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
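Review bot: `dev_rw_generic_chr_files(init_t)` and, in the second init.te hunk, `dev_rw_generic_chr_files(initrc_t)` are allow rules, so unlike the dontaudit rules elsewhere in this patch they widen init_t and initrc_t to read and write every chr_file labeled device_t for as long as the system runs, not just before the udev relabel the commit message describes. The one-line comment `# Early devtmpfs` understates that; I would write `# Early devtmpfs: rw on device_t chr_files is needed before udev relabels /dev, but this is a permanent grant on every node still labeled device_t`. If only a few specific nodes are touched before the relabel, a narrower interface would be preferable, but which nodes those are cannot be determined from the hunk.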
@@ -291,13 +291,13 @@ mls_trusted_object(zero_device_t)
 # Rules for all device nodes
 #
+allow device_node device_t:filesystem associate;
+
 fs_associate(device_node)
 fs_associate_tmpfs(device_node)
 files_associate_tmp(device_node)
-allow device_node device_t:filesystem associate;
-
 ########################################
 #
 # Unconfined access to this module
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 280a5341..b302d6f7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -59,7 +59,6 @@ dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
-
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(mount_t)
From 76a9fe96e4374940609310ebd75f13be41eaad49 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 25 Aug 2010 11:19:27 -0400
Subject: [PATCH 4/4] Module version bumps and changelog for devtmpfs patchset.
---
 Changelog | 1 +
 policy/modules/admin/readahead.te | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/system/hostname.te | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/mount.te | 2 +-
 9 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/Changelog b/Changelog
index cbb71cf9..3c16854c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Added devtmpfs support.
 - Dbadm updates from KaiGai Kohei.
 - Virtio disk file context update from Mika Pfluger.
 - Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index f7d3b90c..2df2f1d0 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -1,4 +1,4 @@
-policy_module(readahead, 1.11.0)
+policy_module(readahead, 1.11.1)
 ########################################
 #
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 39a4e970..e1963ddf 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.13.1)
+policy_module(corecommands, 1.13.2)
 ########################################
 #
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 757f11ed..eb9c360e 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.10.1)
+policy_module(devices, 1.10.2)
 ########################################
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 22dc0f37..56c34086 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.13.1)
+policy_module(filesystem, 1.13.2)
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index f87946fb..e4f98ce9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.12.1)
+policy_module(kernel, 1.12.2)
 ########################################
 #
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index e384dcd7..1fd31c1a 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.6.0)
+policy_module(hostname, 1.6.1)
 ########################################
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f8b4badf..abab4cf9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.15.1)
+policy_module(init, 1.15.2)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index b302d6f7..fca69473 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.11.0)
+policy_module(mount, 1.11.1)
 ########################################
 #