From c3cf6693c76fe0cfd8b18caf15b336a2f4d99d41 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 25 Oct 2005 20:06:27 +0000 Subject: [PATCH] try to fix associations --- refpolicy/policy/modules/kernel/bootloader.te | 2 +- refpolicy/policy/modules/kernel/filesystem.if | 2 + refpolicy/policy/modules/kernel/filesystem.te | 72 ++++++++++--------- refpolicy/policy/modules/system/files.te | 10 ++- refpolicy/policy/modules/system/locallogin.te | 2 +- refpolicy/policy/modules/system/logging.te | 2 +- refpolicy/policy/modules/system/userdomain.te | 4 ++ 7 files changed, 51 insertions(+), 43 deletions(-) diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index cf4337d8..ee399f98 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -62,7 +62,7 @@ files_type(system_map_t) # cjp: this probably can be removed, I do not # think it is used on 2.6 kernels type var_log_ksyms_t; -files_type(var_log_ksyms_t) +logging_log_file(var_log_ksyms_t) ######################################## # diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 3ce30ebb..e038296c 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -17,6 +17,8 @@ interface(`fs_type',` ') typeattribute $1 filesystem_type; + + allow $1 self:filesystem associate; ') ######################################## diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 622d5559..85492d8f 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te 
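Review bot: Replacing `files_type(var_log_ksyms_t)` with `logging_log_file(var_log_ksyms_t)` widens a type that the comment two lines above says is probably unused on 2.6 kernels: presumably it now carries the `logfile` attribute declared in logging.te, so any domain given access to all log files reaches it too. If the type really is dead, removing it is the safer fix than broadening it; if it is kept, the "cjp: this probably can be removed" comment should be resolved in the same change. bootloader.te lives under policy/modules/kernel/ while `logging_log_file` comes from policy/modules/system/logging per the diffstat, so this also introduces a kernel-layer call into a system-layer interface — confirm that is permitted by the project's layering rules.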
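Review bot: `fs_type` now grants `allow $1 self:filesystem associate;` to every caller, but the interface's description block (above the hunk, outside it) still describes only the attribute assignment; add a line such as `## Also grants the type self:filesystem associate, since every filesystem type needs its own files allowed on it.` so callers know the rule comes from here. This is a real permission change for the types that previously had no self-associate rule and now call `fs_type` in filesystem.te (at least fs_t, bdev_t and binfmt_misc_fs_t in the hunks of this patch), which is fine for a "fix associations" commit but deserves a sentence in the commit description. The `interface(`fs_type',` opening and its gen_require are outside the hunk.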
@@ -14,7 +14,8 @@ attribute noxattrfs;
 # fs_t is the default type for persistent
 # filesystems with extended attributes
 #
-type fs_t, filesystem_type;
+type fs_t;
+fs_type(fs_t)
 sid fs gen_context(system_u:object_r:fs_t,s0)
 
 # Use xattrs for the following filesystem types.
@@ -37,59 +38,62 @@ fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); # # Non-persistent/pseudo filesystems # -type bdev_t, filesystem_type; +type bdev_t; +fs_type(bdev_t) genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) -type binfmt_misc_fs_t, filesystem_type; +type binfmt_misc_fs_t; +fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) -type capifs_t, filesystem_type; -allow capifs_t self:filesystem associate; +type capifs_t; +fs_type(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) -type configfs_t, filesystem_type; -allow configfs_t self:filesystem associate; +type configfs_t; +fs_type(configfs_t) genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) -type eventpollfs_t, filesystem_type; -allow eventpollfs_t self:filesystem associate; +type eventpollfs_t; +fs_type(eventpollfs_t) genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) -type futexfs_t, filesystem_type; -allow futexfs_t self:filesystem associate; +type futexfs_t; +fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -type hugetlbfs_t, filesystem_type; +type hugetlbfs_t; +fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) -allow hugetlbfs_t self:filesystem associate; genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) -type inotifyfs_t, filesystem_type; -allow inotifyfs_t self:filesystem associate; +type inotifyfs_t; +fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) -type nfsd_fs_t, filesystem_type; -allow nfsd_fs_t self:filesystem associate; +type nfsd_fs_t; +fs_type(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) -type ramfs_t, filesystem_type; -allow ramfs_t self:filesystem associate; +type ramfs_t; +fs_type(ramfs_t) genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) -type romfs_t, filesystem_type; -allow romfs_t self:filesystem associate; 
+type romfs_t; +fs_type(romfs_t) genfscon romfs / gen_context(system_u:object_r:romfs_t,s0) genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) -type rpc_pipefs_t, filesystem_type; -allow rpc_pipefs_t self:filesystem associate; +type rpc_pipefs_t; +fs_type(rpc_pipefs_t) genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) # # tmpfs_t is the type for tmpfs filesystems # -type tmpfs_t, filesystem_type; +type tmpfs_t; +fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) @@ -102,15 +106,14 @@ fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); -allow tmpfs_t self:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate; ############################## # # Filesystems without extended attribute support # -type autofs_t, filesystem_type, noxattrfs; -allow autofs_t self:filesystem associate; +type autofs_t, noxattrfs; +fs_type(autofs_t) genfscon autofs / gen_context(system_u:object_r:autofs_t,s0) genfscon automount / gen_context(system_u:object_r:autofs_t,s0) @@ -118,8 +121,8 @@ genfscon automount / gen_context(system_u:object_r:autofs_t,s0) # cifs_t is the type for filesystems and their # files shared from Windows servers # -type cifs_t alias sambafs_t, filesystem_type, noxattrfs; -allow cifs_t self:filesystem associate; +type cifs_t alias sambafs_t, noxattrfs; +fs_type(cifs_t) genfscon cifs / gen_context(system_u:object_r:cifs_t,s0) genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) 
@@ -127,8 +130,8 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) # dosfs_t is the type for fat and vfat # filesystems and their files. # -type dosfs_t, filesystem_type, noxattrfs; -allow dosfs_t self:filesystem associate; +type dosfs_t, noxattrfs; +fs_type(dosfs_t) genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) @@ -139,15 +142,16 @@ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) # and their files. # type iso9660_t, filesystem_type, noxattrfs; -allow iso9660_t self:filesystem associate; +fs_type(iso9660_t) genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) # # removable_t is the default type of all removable media # -type removable_t, filesystem_type, noxattrfs; +type removable_t, noxattrfs; allow removable_t noxattrfs:filesystem associate; +fs_type(removable_t) files_config_file(removable_t) # @@ -155,8 +159,8 @@ files_config_file(removable_t) # and their files. # type nfs_t, filesystem_type, noxattrfs; +fs_type(nfs_t) files_mountpoint(nfs_t) -allow nfs_t self:filesystem associate; genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) genfscon afs / gen_context(system_u:object_r:nfs_t,s0) diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index acd0117e..46260ebf 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -123,9 +123,8 @@ fs_associate_noxattr(src_t) # # tmp_t is the type of the temporary directories # -type tmp_t, file_type, tmpfile, mountpoint; #, polydir -fs_associate(tmp_t) -fs_associate_noxattr(tmp_t) +type tmp_t, mountpoint; #, polydir +files_tmp_file(tmp_t) # # usr_t is the type for /usr. 
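Review bot: `type iso9660_t, filesystem_type, noxattrfs;` keeps the explicit `filesystem_type` attribute while the added `fs_type(iso9660_t)` assigns the same attribute again; every other filesystem type in this patch drops it from the declaration, so this one should read `type iso9660_t, noxattrfs;`. checkpolicy should tolerate the duplicate, but the inconsistency makes it look as though iso9660_t was meant to be treated differently. For removable_t the `allow removable_t noxattrfs:filesystem associate;` line now sits before `fs_type(removable_t)`, the reverse of the order used elsewhere in the file; moving `fs_type(removable_t)` up next to the type declaration keeps the pattern uniform.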
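Review bot: Same redundancy as iso9660_t: `type nfs_t, filesystem_type, noxattrfs;` still names `filesystem_type` while the new `fs_type(nfs_t)` line assigns it, so the declaration should become `type nfs_t, noxattrfs;` to match the rest of the patch. The removed `allow nfs_t self:filesystem associate;` is covered by the new `fs_type` body in filesystem.if, so no rule is lost here.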
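Review bot: The removed `fs_associate(tmp_t)` and `fs_associate_noxattr(tmp_t)` rules and the dropped `file_type`/`tmpfile` attributes are now expected to come from `files_tmp_file(tmp_t)`, whose definition is not in this patch; if that interface does not reproduce the noxattr association, tmp_t files can no longer be created on the xattr-less filesystems (cifs_t, dosfs_t, nfs_t, removable_t) declared in filesystem.te. Please confirm against files.if, and leave a one-line comment here such as `# files_tmp_file supplies file_type, tmpfile and the fs association rules` so nobody re-adds them by hand. The `#, polydir` remnant on the type line is carried over unchanged and could be dropped or turned into a real TODO.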
@@ -166,6 +165,5 @@ fs_associate_noxattr(var_run_t) # # var_spool_t is the type of /var/spool # -type var_spool_t, file_type; -fs_associate(var_spool_t) -fs_associate_noxattr(var_spool_t) +type var_spool_t; +files_tmp_file(var_spool_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 78267cd4..750f9b54 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -19,7 +19,7 @@ type local_login_lock_t; files_lock_file(local_login_lock_t) type local_login_tmp_t; -files_type(local_login_tmp_t) +files_tmp_file(local_login_tmp_t) type sulogin_t; type sulogin_exec_t; diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te index 57313e1d..5a20ef31 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -8,7 +8,7 @@ policy_module(logging,1.0) attribute logfile; -type auditctl_t; #, privlog; +type auditctl_t; type auditctl_exec_t; init_system_domain(auditctl_t,auditctl_exec_t) role system_r types auditctl_t; diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index dca39b73..a8ac48a4 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -56,9 +56,13 @@ ifdef(`targeted_policy',` # User home directory type. type user_home_t alias { staff_home_t sysadm_home_t }, home_type; files_type(user_home_t) + files_associate_tmp(user_home_t) + fs_associate_tmpfs(user_home_t) type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type; files_type(user_home_dir_t) + files_associate_tmp(user_home_dir_t) + fs_associate_tmpfs(user_home_dir_t) unconfined_role(user_r) unconfined_role(sysadm_r)
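Review bot: Switching `var_spool_t` from a plain `file_type` to `files_tmp_file(var_spool_t)` presumably gives /var/spool the same `tmpfile` attribute that tmp_t receives earlier in this file, so any domain whose rules are written against all tmp files (cleanup or reaper style policy) would now reach mail, cron and print spools as well; that is a larger change than the association fix the commit title describes. If only the filesystem association rules are wanted, keep `type var_spool_t, file_type;` and restore `fs_associate(var_spool_t)` and `fs_associate_noxattr(var_spool_t)` instead of the tmp interface. If treating spool content as temporary is intended, say so in a comment above the declaration so the broadened access is visibly deliberate.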
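Review bot: The added `files_associate_tmp(user_home_t)` and `fs_associate_tmpfs(user_home_t)` (and the same pair for user_home_dir_t) let home-directory content live under tmp_t-labeled directories and on tmpfs mounts, but nothing says which setup needs that, and the lines are indented inside the `ifdef(`targeted_policy',` block shown in the hunk header, so the non-targeted declarations of these types elsewhere presumably do not get it. Add a one-line why comment, e.g. `# home content may live on tmpfs or under tmp_t (tmpfs-backed home dirs)`, and confirm whether the strict-policy declarations need the same pairing. The enclosing ifdef block continues outside the hunk.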