Filesystem patch from Dan Walsh.

This commit is contained in:
Chris PeBenito 2009-11-23 13:16:28 -05:00
parent d6c3ed8557
commit f4b9dc3b00
3 changed files with 227 additions and 13 deletions


@ -1 +1 @@
# This module currently does not have any file contexts. /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)


@ -308,6 +308,26 @@ interface(`fs_rw_anon_inodefs_files',`
rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t) rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
') ')
########################################
## <summary>
## Do not audit attempts to read or write files on
## anon_inodefs file systems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_dontaudit_rw_anon_inodefs_files',`
gen_require(`
type anon_inodefs_t;
')
dontaudit $1 anon_inodefs_t:file rw_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Mount an automount pseudo filesystem. ## Mount an automount pseudo filesystem.
@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2) domain_auto_transition_pattern($1, cifs_t, $2)
') ')
#######################################
## <summary>
## Create, read, write, and delete dirs
## on a configfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_configfs_dirs',`
gen_require(`
type configfs_t;
')
manage_dirs_pattern($1, configfs_t, configfs_t)
')
#######################################
## <summary>
## Create, read, write, and delete files
## on a configfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_manage_configfs_files',`
gen_require(`
type configfs_t;
')
manage_files_pattern($1, configfs_t, configfs_t)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a DOS filesystem, such as ## Mount a DOS filesystem, such as
@ -1535,6 +1593,24 @@ interface(`fs_rw_hugetlbfs_files',`
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
') ')
########################################
## <summary>
## Allow the type to associate to hugetlbfs filesystems.
## </summary>
## <param name="type">
## <summary>
## The type of the object to be associated.
## </summary>
## </param>
#
interface(`fs_associate_hugetlbfs',`
gen_require(`
type hugetlbfs_t;
')
allow $1 hugetlbfs_t:filesystem associate;
')
######################################## ########################################
## <summary> ## <summary>
## Search inotifyfs filesystem. ## Search inotifyfs filesystem.
@ -2540,6 +2616,42 @@ interface(`fs_search_nfsd_fs',`
allow $1 nfsd_fs_t:dir search_dir_perms; allow $1 nfsd_fs_t:dir search_dir_perms;
') ')
########################################
## <summary>
## List NFS server directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_list_nfsd_fs',`
gen_require(`
type nfsd_fs_t;
')
allow $1 nfsd_fs_t:dir list_dir_perms;
')
########################################
## <summary>
## Getattr files on an nfsd filesystem
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_getattr_nfsd_files',`
gen_require(`
type nfsd_fs_t;
')
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read and write NFS server files. ## Read and write NFS server files.
@ -3570,6 +3682,104 @@ interface(`fs_manage_tmpfs_blk_files',`
manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
') ')
########################################
## <summary>
## Mount a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_mount_xenfs',`
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:filesystem mount;
')
########################################
## <summary>
## Create, read, write, and delete directories
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_xenfs_dirs',`
gen_require(`
type xenfs_t;
')
allow $1 xenfs_t:dir manage_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete directories
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`fs_dontaudit_manage_xenfs_dirs',`
gen_require(`
type xenfs_t;
')
dontaudit $1 xenfs_t:dir manage_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete files
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`fs_manage_xenfs_files',`
gen_require(`
type xenfs_t;
')
manage_files_pattern($1, xenfs_t, xenfs_t)
')
########################################
## <summary>
## Do not audit attempts to create,
## read, write, and delete files
## on a XENFS filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`fs_dontaudit_manage_xenfs_files',`
gen_require(`
type xenfs_t;
')
dontaudit $1 xenfs_t:file manage_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Mount all filesystems. ## Mount all filesystems.
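Review bot: `fs_manage_xenfs_dirs` grants `allow $1 xenfs_t:dir manage_dir_perms;` as a raw rule, while its sibling `fs_manage_xenfs_files` and the new `fs_manage_configfs_dirs` in the same file use the `*_pattern` macros; the pattern form also grants search on the containing directory, so the raw rule is both weaker than the interface name suggests and inconsistent with the surrounding additions. Suggest `manage_dirs_pattern($1, xenfs_t, xenfs_t)` in its place. As a point of style, the separator lines above `fs_manage_configfs_dirs` and `fs_manage_configfs_files` are one `#` short of the 40-character banner used by every other interface header in this hunk.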


@ -1,5 +1,5 @@
policy_module(filesystem, 1.12.0) policy_module(filesystem, 1.12.1)
######################################## ########################################
# #
@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
type hugetlbfs_t; type hugetlbfs_t;
fs_type(hugetlbfs_t) fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t) files_mountpoint(hugetlbfs_t)
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t; type ibmasmfs_t;
fs_type(ibmasmfs_t) fs_type(ibmasmfs_t)
@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t noxattrfs:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate;
type xenfs_t;
fs_noxattr_type(xenfs_t)
files_mountpoint(xenfs_t)
genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
############################## ##############################
# #
# Filesystems without extended attribute support # Filesystems without extended attribute support
@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
######################################## ########################################
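Review bot: The hugetlbfs hunk swaps `genfscon hugetlbfs /` for `fs_use_trans hugetlbfs`, which changes labeling semantics — objects created on the filesystem are no longer fixed at hugetlbfs_t but follow the creating domain's type transition, and any type placed there now needs `filesystem associate` on hugetlbfs_t (which appears to be why `fs_associate_hugetlbfs` is added in the interface file). Nothing in the .te records that intent; a comment above the declaration would help future readers, e.g. `# fs_use_trans so domains can place their own types on hugetlbfs; see fs_associate_hugetlbfs()`. The xenfs hunks look consistent: the new `fs_noxattr_type(xenfs_t)` declaration pairs with removing xenfs from the shared nfs_t genfscon list, so xenfs access is no longer implied by NFS permissions.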