diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 7be4ddf7..b029773a 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1 +1 @@ -# This module currently does not have any file contexts. +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b2c058a4..eb723b42 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',` rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t) ') +######################################## +## +## Do not audit attempts to read or write files on +## anon_inodefs file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_rw_anon_inodefs_files',` + gen_require(` + type anon_inodefs_t; + + ') + + dontaudit $1 anon_inodefs_t:file rw_file_perms; +') + ######################################## ## ## Mount an automount pseudo filesystem. @@ -462,7 +482,7 @@ interface(`fs_manage_autofs_symlinks',` ######################################## ## ## Get the attributes of directories on -## binfmt_misc filesystems. +## binfmt_misc filesystems. ## ## ## 
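Review bot: The parameter description of `fs_dontaudit_rw_anon_inodefs_files` reads "Domain allowed access." although the interface emits only a `dontaudit` rule. The xenfs dontaudit interfaces added later in this same patch use `Domain to not audit.`, and this one should match. The `gen_require` block also has a stray empty line after `type anon_inodefs_t;` that can be dropped. Because a dontaudit rule hides AVC denials instead of granting access, the summary should name the benign access it is meant to silence; that reason is not visible in this hunk.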
@@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') +####################################### +## +## Create, read, write, and delete dirs +## on a configfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_configfs_dirs',` + gen_require(` + type configfs_t; + ') + + manage_dirs_pattern($1, configfs_t, configfs_t) +') + +####################################### +## +## Create, read, write, and delete files +## on a configfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_configfs_files',` + gen_require(` + type configfs_t; + ') + + manage_files_pattern($1, configfs_t, configfs_t) +') + ######################################## ## ## Mount a DOS filesystem, such as @@ -1248,7 +1306,7 @@ interface(`fs_relabelfrom_dos_fs',` ######################################## ## -## Search dosfs filesystem. +## Search dosfs filesystem. ## ## ## @@ -1537,7 +1595,25 @@ interface(`fs_rw_hugetlbfs_files',` ######################################## ## -## Search inotifyfs filesystem. +## Allow the type to associate to hugetlbfs filesystems. +## +## +## +## The type of the object to be associated. +## +## +# +interface(`fs_associate_hugetlbfs',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:filesystem associate; +') + +######################################## +## +## Search inotifyfs filesystem. ## ## ## @@ -1555,7 +1631,7 @@ interface(`fs_search_inotifyfs',` ######################################## ## -## List inotifyfs filesystem. +## List inotifyfs filesystem. ## ## ## 
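Review bot: Both new configfs interfaces open with a 39-character `#` banner where the rest of the file uses 40, and neither summary says what managing configfs implies. Creating or removing a directory on configfs creates or tears down the corresponding kernel configuration object, so `fs_manage_configfs_dirs` is a broader grant than the same pattern on an ordinary filesystem. A summary sentence such as `Creating a directory on configfs creates the corresponding kernel object.` would help policy authors choose the narrowest interface. `configfs_t` is required here, but its declaration lies outside this diff.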
@@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',` allow $1 nfsd_fs_t:dir search_dir_perms; ') +######################################## +## +## List NFS server directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + + allow $1 nfsd_fs_t:dir list_dir_perms; +') + +######################################## +## +## Getattr files on an nfsd filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + + getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + ######################################## ## ## Read and write NFS server files. @@ -2687,7 +2799,7 @@ interface(`fs_dontaudit_search_ramfs',` ######################################## ## -## Create, read, write, and delete +## Create, read, write, and delete ## directories on a ramfs. ## ## @@ -2779,7 +2891,7 @@ interface(`fs_write_ramfs_pipes',` ######################################## ## -## Do not audit attempts to write to named +## Do not audit attempts to write to named ## pipes on a ramfs filesystem. ## ## @@ -2816,7 +2928,7 @@ interface(`fs_rw_ramfs_pipes',` ######################################## ## -## Create, read, write, and delete +## Create, read, write, and delete ## named pipes on a ramfs filesystem. ## ## 
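Review bot: The summary of `fs_getattr_nfsd_files` ("Getattr files on an nfsd filesystem") lacks the final period and uses the permission name as a verb; `Get the attributes of files on an nfsd filesystem.` matches the wording used by other summaries in this file. The two new interfaces also name the same filesystem differently ("NFS server directories" in `fs_list_nfsd_fs`, "an nfsd filesystem" here); pick one term for both.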
@@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',` manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') +######################################## +## +## Mount a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mount_xenfs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:filesystem mount; +') + +######################################## +## +## Create, read, write, and delete directories +## on a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_xenfs_dirs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:dir manage_dir_perms; +') + +######################################## +## +## Do not audit attempts to create, read, +## write, and delete directories +## on a XENFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_xenfs_dirs',` + gen_require(` + type xenfs_t; + ') + + dontaudit $1 xenfs_t:dir manage_dir_perms; +') + +######################################## +## +## Create, read, write, and delete files +## on a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_manage_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + manage_files_pattern($1, xenfs_t, xenfs_t) +') + +######################################## +## +## Do not audit attempts to create, +## read, write, and delete files +## on a XENFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_manage_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + dontaudit $1 xenfs_t:file manage_file_perms; +') + ######################################## ## ## Mount all filesystems. diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 98214102..12272e55 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te 
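Review bot: `fs_manage_xenfs_dirs` uses a raw `allow $1 xenfs_t:dir manage_dir_perms;` while `fs_manage_xenfs_files` just below it, and the configfs interfaces added earlier in this patch, use the pattern macros. For consistency the directory interface should read `manage_dirs_pattern($1, xenfs_t, xenfs_t)`. Separately, `fs_dontaudit_manage_xenfs_dirs` and `fs_dontaudit_manage_xenfs_files` silence every manage permission, including create and unlink denials. If callers only need to hide read/write noise, a narrower dontaudit would keep modification attempts visible in the audit log.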
@@ -1,5 +1,5 @@ -policy_module(filesystem, 1.12.0) +policy_module(filesystem, 1.12.1) ######################################## # @@ -38,7 +38,7 @@ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); # types, and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems that represent objects # like pipes and sockets, so that these objects are labeled with the same -# type as the creating task. +# type as the creating task. fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); @@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) -genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) +fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); type ibmasmfs_t; fs_type(ibmasmfs_t) @@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); allow tmpfs_t noxattrfs:filesystem associate; +type xenfs_t; +fs_noxattr_type(xenfs_t) +files_mountpoint(xenfs_t) +genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) + ############################## # # Filesystems without extended attribute support @@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) ######################################## 
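Review bot: The switch of hugetlbfs from `genfscon` to `fs_use_trans` changes how every file on that filesystem is labelled, and the new line carries no comment explaining why. With `fs_use_trans`, new files take their type from type_transition rules, and each resulting type must be allowed `associate` on the `hugetlbfs_t` filesystem. The patch adds `fs_associate_hugetlbfs` for that, but no caller is visible in this diff, and whether files that fall back to `hugetlbfs_t` itself may associate depends on rules outside this hunk. A comment such as `# hugetlbfs uses transition-based labelling; types created on it need fs_associate_hugetlbfs()` above the statement would record the intent.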
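Review bot: Relabelling xenfs from `nfs_t` to its own `xenfs_t` (this hunk plus the `genfscon xenfs` removal in the next one) drops whatever access domains had through the nfs_t interfaces, and no caller of the new `fs_*_xenfs_*` interfaces is part of this diff. Until the Xen-related domains are switched over, they will presumably hit denials on a xenfs mount, so the commit should either include those callers or say where they land. The separation itself is a tightening, since domains with NFS access no longer reach xenfs implicitly.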
@@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs) allow filesystem_unconfined_type filesystem_type:filesystem *; -# Create/access other files. fs_type is to pick up various +# Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;