merge latest upstream

This commit is contained in:
Dan Walsh 2010-08-30 13:41:40 -04:00
commit 898c0de0b7
10 changed files with 80 additions and 13 deletions


@ -1,3 +1,4 @@
- Added devtmpfs support.
- Dbadm updates from KaiGai Kohei. - Dbadm updates from KaiGai Kohei.
- Virtio disk file context update from Mika Pfluger. - Virtio disk file context update from Mika Pfluger.
- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh. - Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.


@ -1,4 +1,4 @@
policy_module(readahead, 1.11.0) policy_module(readahead, 1.11.1)
######################################## ########################################
# #
@ -45,6 +45,8 @@ dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t) dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t) dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t) dev_dontaudit_getattr_nvram_dev(readahead_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(readahead_t)
domain_use_interactive_fds(readahead_t) domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t) domain_read_all_domains_state(readahead_t)


@ -1,4 +1,4 @@
policy_module(corecommands, 1.13.1) policy_module(corecommands, 1.13.2)
######################################## ########################################
# #
@ -15,6 +15,7 @@ attribute exec_type;
# #
type bin_t alias { ls_exec_t sbin_t }; type bin_t alias { ls_exec_t sbin_t };
corecmd_executable_file(bin_t) corecmd_executable_file(bin_t)
dev_associate(bin_t) #For /dev/MAKEDEV
# #
# shell_exec_t is the type of user shells such as /bin/bash. # shell_exec_t is the type of user shells such as /bin/bash.
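Review bot: The new `dev_associate(bin_t) #For /dev/MAKEDEV` uses a trailing comment, while the rest of this file keeps comments on their own line above the rule. Moving it up would match the file: `# /dev/MAKEDEV is bin_t and lives on devtmpfs, so bin_t must associate with device_t`. The rule is not limited to MAKEDEV; it allows any bin_t file to exist on the /dev filesystem, which the comment should state so a later reader does not assume it is scoped to one path.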


@ -71,6 +71,43 @@ interface(`dev_node',`
typeattribute $1 device_node; typeattribute $1 device_node;
') ')
########################################
## <summary>
## Associate the specified file type with device filesystem.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be associated.
## </summary>
## </param>
#
interface(`dev_associate',`
gen_require(`
type device_t;
')
allow $1 device_t:filesystem associate;
fs_associate_tmpfs($1) #For backwards compatibility
')
########################################
## <summary>
## Mount a filesystem on /dev
## </summary>
## <param name="domain">
## <summary>
## Domain allow access.
## </summary>
## </param>
#
interface(`dev_mounton',`
gen_require(`
type device_t;
')
allow $1 device_t:dir mounton;
')
######################################## ########################################
## <summary> ## <summary>
## Allow full relabeling (to and from) of all device nodes. ## Allow full relabeling (to and from) of all device nodes.
@ -567,6 +604,24 @@ interface(`dev_rw_generic_blk_files',`
allow $1 device_t:blk_file rw_chr_file_perms; allow $1 device_t:blk_file rw_chr_file_perms;
') ')
########################################
## <summary>
## Dontaudit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to dontaudit access.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_chr_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file rw_chr_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Create generic character device files. ## Create generic character device files.
@ -831,7 +886,7 @@ interface(`dev_filetrans',`
filetrans_pattern($1, device_t, $2, $3) filetrans_pattern($1, device_t, $2, $3)
fs_associate_tmpfs($2) dev_associate($2)
files_associate_tmp($2) files_associate_tmp($2)
') ')
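Review bot: The parameter doc of the new `dev_mounton` reads `Domain allow access.`; the other interfaces in this file use the form `Domain allowed access.`, so the line should be `## Domain allowed access.`. The `dev_associate` interface grants `tmpfs_t` associate through `fs_associate_tmpfs($1)` in addition to `device_t`, so every caller, including `dev_filetrans` (whose body begins above its hunk), receives both; the `#For backwards compatibility` remark should say what that compatibility covers, e.g. `# Also associate with tmpfs_t: /dev was a tmpfs before devtmpfs; remove once no callers rely on it`. The `dev_dontaudit_rw_generic_chr_files` summary is fine, but it is worth stating that the dontaudit applies to all generic chr nodes, not only those present before the udev relabel.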


@ -1,4 +1,4 @@
policy_module(devices, 1.10.1) policy_module(devices, 1.10.2)
######################################## ########################################
# #
@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
files_type(device_t) files_type(device_t)
files_mountpoint(device_t) files_mountpoint(device_t)
files_associate_tmp(device_t) files_associate_tmp(device_t)
fs_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
# #
# Type for /dev/agpgart # Type for /dev/agpgart
@ -290,6 +292,8 @@ mls_trusted_object(zero_device_t)
# Rules for all device nodes # Rules for all device nodes
# #
allow device_node device_t:filesystem associate;
fs_associate(device_node) fs_associate(device_node)
fs_associate_tmpfs(device_node) fs_associate_tmpfs(device_node)
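Review bot: `fs_type(device_t)` puts device_t into the filesystem_type attribute, so every interface written against "all filesystems" now also reaches /dev, and nothing in the hunk records that widening. The `fs_use_trans devtmpfs ... device_t` line means each node the kernel creates carries the generic device_t label until udev or restorecon relabels it, so during that window a domain with `dev_rw_generic_chr_files` can reach nodes that presumably become memory_device_t or similar later; that is the design trade-off of this commit and should be written down next to the rule, e.g. `# devtmpfs nodes are created as generic device_t and only get their specific types from the udev/restorecon relabel`. It would be worth confirming, which is not visible here, that no filesystem_type-wide interface grants write or relabel access that callers are not expected to hold on /dev.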


@ -1,4 +1,4 @@
policy_module(filesystem, 1.13.1) policy_module(filesystem, 1.13.2)
######################################## ########################################
# #
@ -191,7 +191,6 @@ files_poly_parent(tmpfs_t)
# and label the filesystem itself with the specified context. # and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs # This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type. # where we want to label objects with a derived type.
fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);


@ -1,4 +1,4 @@
policy_module(kernel, 1.12.1) policy_module(kernel, 1.12.2)
######################################## ########################################
# #
@ -246,8 +246,7 @@ dev_create_generic_blk_files(kernel_t)
dev_delete_generic_blk_files(kernel_t) dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t) dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t) dev_delete_generic_chr_files(kernel_t)
# work around until devtmpfs has device_t type dev_mounton(kernel_t)
dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
# Mount root file system. Used when loading a policy # Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem # from initrd, then mounting the root filesystem
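Review bot: `dev_mounton(kernel_t)` only grants `device_t:dir mounton`; mounting devtmpfs, which is now labeled device_t, also needs `device_t:filesystem mount`, and this hunk adds nothing for that. If kernel_t already has it through an all-filesystem interface (device_t is now an fs_type) the mount works, but that is not visible here and is worth checking, since otherwise the early /dev mount would be denied. The removed filetrans workaround is superseded by the devtmpfs fs_use_trans rule; a one-line comment saying so would help, e.g. `# devtmpfs is labeled device_t via fs_use_trans; kernel_t mounts it on /dev`.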


@ -1,4 +1,4 @@
policy_module(hostname, 1.6.0) policy_module(hostname, 1.6.1)
######################################## ########################################
# #
@ -25,6 +25,8 @@ kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t) kernel_read_proc_symlinks(hostname_t)
dev_read_sysfs(hostname_t) dev_read_sysfs(hostname_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(hostname_t)
domain_dontaudit_leaks(hostname_t) domain_dontaudit_leaks(hostname_t)
domain_use_interactive_fds(hostname_t) domain_use_interactive_fds(hostname_t)


@ -1,4 +1,4 @@
policy_module(init, 1.15.1) policy_module(init, 1.15.2)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -133,7 +133,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)
allow init_t initctl_t:fifo_file manage_fifo_file_perms; allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file) dev_filetrans(init_t, initctl_t, fifo_file)
fs_associate_tmpfs(initctl_t)
# Modify utmp. # Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr }; allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@ -146,6 +145,8 @@ corecmd_exec_bin(init_t)
dev_read_sysfs(init_t) dev_read_sysfs(init_t)
dev_read_urand(init_t) dev_read_urand(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)
domain_getpgid_all_domains(init_t) domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
@ -402,6 +403,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t) dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t) dev_rw_lvm_control(initrc_t)
dev_rw_generic_chr_files(initrc_t)
dev_delete_lvm_control_dev(initrc_t) dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t) dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t) dev_manage_generic_files(initrc_t)
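Review bot: `dev_rw_generic_chr_files(init_t)` and `dev_rw_generic_chr_files(initrc_t)` are allow rules, unlike the dontaudit the other domains in this commit receive, and nothing scopes them to early boot: until udev relabels, every devtmpfs node is generic device_t, and any node that is never relabeled stays reachable afterwards. If init only needs the access before the relabel, consider whether `dev_dontaudit_rw_generic_chr_files(init_t)` is enough as for readahead, hostname and mount, or state in the comment which node requires real access, e.g. `# Early devtmpfs: open the console before udev relabels /dev` (presumably the console; not visible here). The initrc_t line carries no comment at all; it should get the same rationale.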


@ -1,4 +1,4 @@
policy_module(mount, 1.11.0) policy_module(mount, 1.11.1)
######################################## ########################################
# #
@ -102,6 +102,8 @@ dev_getattr_sound_dev(mount_t)
ifdef(`hide_broken_symptoms',` ifdef(`hide_broken_symptoms',`
dev_rw_generic_blk_files(mount_t) dev_rw_generic_blk_files(mount_t)
') ')
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)
domain_use_interactive_fds(mount_t) domain_use_interactive_fds(mount_t)
domain_dontaudit_search_all_domains_state(mount_t) domain_dontaudit_search_all_domains_state(mount_t)
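Review bot: `dev_dontaudit_rw_generic_chr_files(mount_t)` silences the denial permanently, not only during early boot, so a later attempt by mount_t to write an unrelabeled device node fails without a trace and is hard to diagnose. The comment should say so: `# Early devtmpfs, before udev relabel; the dontaudit is not boot-scoped`. It is also added unconditionally right after the `hide_broken_symptoms` block, which the blk_file variant lives inside; confirm that the difference is intended.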