Move devtmpfs to devices from filesystem
Move devtmpfs to the devices module (remove it from the filesystem module).
Make device_t a filesystem.
Add an interface for associating types with the device_t filesystem (dev_associate).
Call dev_associate from dev_filetrans.
Allow all device nodes to associate with the device_t filesystem.
Remove dev_tmpfs_filetrans_dev from kernel_t.
Remove fs_associate_tmpfs(initctl_t) - redundant: it was in dev_filetrans and is now in dev_associate.
Add a mounton interface, to allow the kernel to mounton device_t.
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
This commit is contained in:
parent
c62f1bef77
commit
d6e1ef29cd
@ -15,6 +15,7 @@ attribute exec_type;
|
|||||||
#
|
#
|
||||||
type bin_t alias { ls_exec_t sbin_t };
|
type bin_t alias { ls_exec_t sbin_t };
|
||||||
corecmd_executable_file(bin_t)
|
corecmd_executable_file(bin_t)
|
||||||
|
dev_associate(bin_t) #For /dev/MAKEDEV
|
||||||
|
|
||||||
#
|
#
|
||||||
# shell_exec_t is the type of user shells such as /bin/bash.
|
# shell_exec_t is the type of user shells such as /bin/bash.
|
||||||
|
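Review bot: The trailing comment on `dev_associate(bin_t) #For /dev/MAKEDEV` breaks the convention visible in this hunk, where comments sit on their own line above the rule they explain; put it on the preceding line as `# /dev/MAKEDEV is created on the device filesystem`. Note also that dev_associate grants more than `device_t:filesystem associate`: it calls fs_associate_tmpfs for compatibility, so bin_t presumably also gains tmpfs association, which is broader than the comment suggests and worth stating if intended. The surrounding bin_t declaration block starts outside the hunk.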
@ -71,6 +71,43 @@ interface(`dev_node',`
|
|||||||
typeattribute $1 device_node;
|
typeattribute $1 device_node;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Associate the specified file type with device filesystem.
|
||||||
|
## </summary>
|
||||||
|
## <param name="file_type">
|
||||||
|
## <summary>
|
||||||
|
## The type of the file to be associated.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_associate',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:filesystem associate;
|
||||||
|
fs_associate_tmpfs($1) #For backwards compatibility
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Mount a filesystem on /dev
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allow access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_mounton',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 device_t:dir mounton;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow full relabeling (to and from) of all device nodes.
|
## Allow full relabeling (to and from) of all device nodes.
|
||||||
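Review bot: `fs_associate_tmpfs($1) #For backwards compatibility` inside dev_associate silently widens every caller's grant: any type passed to dev_associate, and after this commit every type passed through dev_filetrans as well, receives tmpfs association on top of `device_t:filesystem associate`. The interface summary should say so, e.g. `## Associate the specified file type with the device filesystem; also grants tmpfs association for systems where /dev is still a tmpfs mount.`, and the inline comment should name the condition under which the compatibility grant can be dropped, on its own line above the call to match the surrounding style. Separately, `## Domain allow access.` in dev_mounton reads as a typo for the usual `## Domain allowed access.` wording.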
@ -759,7 +796,7 @@ interface(`dev_filetrans',`
|
|||||||
|
|
||||||
filetrans_pattern($1, device_t, $2, $3)
|
filetrans_pattern($1, device_t, $2, $3)
|
||||||
|
|
||||||
fs_associate_tmpfs($2)
|
dev_associate($2)
|
||||||
files_associate_tmp($2)
|
files_associate_tmp($2)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
|
|||||||
files_type(device_t)
|
files_type(device_t)
|
||||||
files_mountpoint(device_t)
|
files_mountpoint(device_t)
|
||||||
files_associate_tmp(device_t)
|
files_associate_tmp(device_t)
|
||||||
|
fs_type(device_t)
|
||||||
|
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
|
||||||
|
|
||||||
#
|
#
|
||||||
# Type for /dev/agpgart
|
# Type for /dev/agpgart
|
||||||
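Review bot: `fs_type(device_t)` gives device_t the filesystem attribute, so every interface written over that attribute (fs_getattr_all_fs, fs_unmount_all_fs and the like) now reaches /dev as well; the line deserves a comment saying this is intended, because it changes the reach of rules outside this module. Suggest preceding the two added lines with `# device_t is also the filesystem type of devtmpfs: the kernel labels` / `# /dev and the nodes it creates by transition from device_t (fs_use_trans)`. The hunk header still shows `fs_associate_tmpfs(device_t)` at line 18; it is presumably still needed where /dev is a tmpfs mount rather than devtmpfs, and a one-line comment saying so would stop a later cleanup from removing it as redundant.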
@ -294,6 +296,8 @@ fs_associate_tmpfs(device_node)
|
|||||||
|
|
||||||
files_associate_tmp(device_node)
|
files_associate_tmp(device_node)
|
||||||
|
|
||||||
|
allow device_node device_t:filesystem associate;
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Unconfined access to this module
|
# Unconfined access to this module
|
||||||
|
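Review bot: `allow device_node device_t:filesystem associate;` is a raw rule among interface calls, which is acceptable for the module's own type, but it carries no why-comment; suggest `# every device node type may be labeled on the devtmpfs (device_t) filesystem` above it. Unlike dev_associate, this rule does not add tmpfs association, so the existing `fs_associate_tmpfs(device_node)` shown in the hunk header remains what covers a tmpfs-backed /dev; a short note would keep the two from being read as duplicates.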
@ -174,7 +174,6 @@ files_poly_parent(tmpfs_t)
|
|||||||
# and label the filesystem itself with the specified context.
|
# and label the filesystem itself with the specified context.
|
||||||
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
||||||
# where we want to label objects with a derived type.
|
# where we want to label objects with a derived type.
|
||||||
fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
|
|
||||||
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
|
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
|
||||||
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
|
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
|
||||||
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
|
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
|
||||||
|
@ -245,8 +245,7 @@ dev_create_generic_blk_files(kernel_t)
|
|||||||
dev_delete_generic_blk_files(kernel_t)
|
dev_delete_generic_blk_files(kernel_t)
|
||||||
dev_create_generic_chr_files(kernel_t)
|
dev_create_generic_chr_files(kernel_t)
|
||||||
dev_delete_generic_chr_files(kernel_t)
|
dev_delete_generic_chr_files(kernel_t)
|
||||||
# work around until devtmpfs has device_t type
|
dev_mounton(kernel_t)
|
||||||
dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
|
|
||||||
|
|
||||||
# Mount root file system. Used when loading a policy
|
# Mount root file system. Used when loading a policy
|
||||||
# from initrd, then mounting the root filesystem
|
# from initrd, then mounting the root filesystem
|
||||||
|
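Review bot: `dev_mounton(kernel_t)` replaces a commented workaround with an uncommented call; the reason should be stated, e.g. `# kernel mounts devtmpfs on /dev`. Mounting also requires `mount` permission on the filesystem type being mounted, and device_t is now an fs_type; confirm kernel_t already has a blanket filesystem mount grant elsewhere in kernel.te (outside this hunk), otherwise a `device_t:filesystem mount` rule is still needed. dev_tmpfs_filetrans_dev is dropped here; if no other caller remains, that interface in devices.if is presumably dead and could be deprecated.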
@ -108,7 +108,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)
|
|||||||
|
|
||||||
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
||||||
dev_filetrans(init_t, initctl_t, fifo_file)
|
dev_filetrans(init_t, initctl_t, fifo_file)
|
||||||
fs_associate_tmpfs(initctl_t)
|
|
||||||
|
|
||||||
# Modify utmp.
|
# Modify utmp.
|
||||||
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||||
|