Filesystem patch from Dan Walsh.

2009-11-23 13:16:28 -05:00 · 2009-11-23 13:16:28 -05:00 · f4b9dc3b00
commit f4b9dc3b00
parent d6c3ed8557
3 changed files with 227 additions and 13 deletions
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',`
 	rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to read or write files on
+##	anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	dontaudit $1 anon_inodefs_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount an automount pseudo filesystem.
@ -462,7 +482,7 @@ interface(`fs_manage_autofs_symlinks',`
 ########################################
 ## <summary>
 ##	Get the attributes of directories on
-##	binfmt_misc filesystems. 
+##	binfmt_misc filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')

+#######################################
+## <summary>
+##	Create, read, write, and delete dirs
+##	on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_configfs_dirs',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	manage_dirs_pattern($1, configfs_t, configfs_t)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_configfs_files',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	manage_files_pattern($1, configfs_t, configfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount a DOS filesystem, such as
@ -1248,7 +1306,7 @@ interface(`fs_relabelfrom_dos_fs',`

 ########################################
 ## <summary>
-##	Search dosfs filesystem. 
+##	Search dosfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1537,7 +1595,25 @@ interface(`fs_rw_hugetlbfs_files',`

 ########################################
 ## <summary>
-##	Search inotifyfs filesystem. 
+##	Allow the type to associate to hugetlbfs filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_hugetlbfs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $1 hugetlbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Search inotifyfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -1555,7 +1631,7 @@ interface(`fs_search_inotifyfs',`

 ########################################
 ## <summary>
-##	List inotifyfs filesystem. 
+##	List inotifyfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',`
 	allow $1 nfsd_fs_t:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	List NFS server directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Getattr files on an nfsd filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_files',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write NFS server files.
@ -2687,7 +2799,7 @@ interface(`fs_dontaudit_search_ramfs',`

 ########################################
 ## <summary>
-##	Create, read, write, and delete 
+##	Create, read, write, and delete
 ##	directories on a ramfs.
 ## </summary>
 ## <param name="domain">
@ -2779,7 +2891,7 @@ interface(`fs_write_ramfs_pipes',`

 ########################################
 ## <summary>
-##	Do not audit attempts to write to named 
+##	Do not audit attempts to write to named
 ##	pipes on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@ -2816,7 +2928,7 @@ interface(`fs_rw_ramfs_pipes',`

 ########################################
 ## <summary>
-##	Create, read, write, and delete 
+##	Create, read, write, and delete
 ##	named pipes on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',`
 	manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
 ')

+########################################
+## <summary>
+##	Mount a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_xenfs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_dirs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_dirs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	dontaudit $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	manage_files_pattern($1, xenfs_t, xenfs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	dontaudit $1 xenfs_t:file manage_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Mount all filesystems.
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@

-policy_module(filesystem, 1.12.0)
+policy_module(filesystem, 1.12.1)

 ########################################
 #
@ -38,7 +38,7 @@ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 # types, and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems that represent objects
 # like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
+# type as the creating task.
 fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);

 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);

 allow tmpfs_t noxattrfs:filesystem associate;

+type xenfs_t;
+fs_noxattr_type(xenfs_t)
+files_mountpoint(xenfs_t)
+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
+
 ##############################
 #
 # Filesystems without extended attribute support
@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)

 ########################################
@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs)

 allow filesystem_unconfined_type filesystem_type:filesystem *;

-# Create/access other files.  fs_type is to pick up various
+# Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;