Move devtmpfs to devices from filesystem

Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t

Signed-off-by: Jeremy Solt <jsolt@tresys.com>

policy/modules/kernel/corecommands.te

@@ -15,6 +15,7 @@ attribute exec_type;
 #
 type bin_t alias { ls_exec_t sbin_t };
 corecmd_executable_file(bin_t)
+dev_associate(bin_t)	#For /dev/MAKEDEV
 
 #
 # shell_exec_t is the type of user shells such as /bin/bash.

policy/modules/kernel/devices.if

@@ -71,6 +71,43 @@ interface(`dev_node',`
 	typeattribute $1 device_node;
 ')
 
+########################################
+## <summary>
+##	Associate the specified file type with device filesystem.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the file to be associated.
+##	</summary>
+## </param>
+#
+interface(`dev_associate',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:filesystem associate;
+	fs_associate_tmpfs($1)	#For backwards compatibility
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on /dev
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allow access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir mounton;
+')
+
 ########################################
 ## <summary>
 ##	Allow full relabeling (to and from) of all device nodes.
@@ -759,7 +796,7 @@ interface(`dev_filetrans',`
 
 	filetrans_pattern($1, device_t, $2, $3)
 
-	fs_associate_tmpfs($2)
+	dev_associate($2)
 	files_associate_tmp($2)
 ')
 

policy/modules/kernel/devices.te

@@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
 files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
 #
 # Type for /dev/agpgart
@@ -294,6 +296,8 @@ fs_associate_tmpfs(device_node)
 
 files_associate_tmp(device_node)
 
+allow device_node device_t:filesystem associate;
+
 ########################################
 #
 # Unconfined access to this module

policy/modules/kernel/filesystem.te

@@ -174,7 +174,6 @@ files_poly_parent(tmpfs_t)
 # and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
-fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);

policy/modules/kernel/kernel.te

@@ -245,8 +245,7 @@ dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
-# work around until devtmpfs has device_t type
+dev_mounton(kernel_t)
-dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem

policy/modules/system/init.te

@@ -108,7 +108,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-fs_associate_tmpfs(initctl_t)
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };