* [refpolicy] [PATCH 1/7] Properly label all the ssh host keys
@ 2012-12-05 20:39 Laurent Bigonville
  2012-12-05 20:39 ` [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t Laurent Bigonville
                   ` (6 more replies)
  0 siblings, 7 replies; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Be sure that we are properly labeling all ssh host keys, even if new
algorithms are added in the future.
---
 policy/modules/services/ssh.fc |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 7df96c5..76d9f66 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,9 +1,7 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
 
 /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
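Review bot: the `.*` in `/etc/ssh/ssh_host.*_key` also matches `/`, so any regular file named `*_key` under a subdirectory whose name begins with `ssh_host` (say `/etc/ssh/ssh_hostile/backup_key`) would be labeled sshd_key_t; `/etc/ssh/ssh_host[^/]*_key` keeps the match to a single path component and still covers `ssh_host_key`, `ssh_host_dsa_key`, `ssh_host_rsa_key` and newer names such as `ssh_host_ecdsa_key`. Because file_contexts regexes are anchored at both ends, the `.pub` halves stay out of sshd_key_t, which is what you want since they must remain readable; after loading, `matchpathcon /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub` confirms both outcomes.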
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
@ 2012-12-05 20:39 ` Laurent Bigonville
  2012-12-07  5:48   ` Christopher J. PeBenito
  2012-12-05 20:39 ` [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t Laurent Bigonville
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

When the active session is changed, the udev-acl executable is called
by ConsoleKit. It will then read the ConsoleKit database to figure out
which is the active one.
---
 policy/modules/system/udev.te |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a2a4167..630d3e9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -221,6 +221,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
 	cups_domtrans_config(udev_t)
 ')
 
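Review bot: the rule grants udev_t, but the commit message describes udev-acl being invoked by ConsoleKit, where it would run in ConsoleKit's own domain rather than udev_t unless a domain transition exists; the message should describe the invocation that actually executes as udev_t (udevd running the helper from a rule on device events, which likewise has to read the ConsoleKit database to find the active session), or the ConsoleKit side needs its own read access. Wrapping the call in an optional_policy block keyed on the consolekit module is the right placement.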
-- 
1.7.10.4


* [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
  2012-12-05 20:39 ` [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t Laurent Bigonville
@ 2012-12-05 20:39 ` Laurent Bigonville
  2012-12-07  5:13   ` Christopher J. PeBenito
  2012-12-05 20:39 ` [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces Laurent Bigonville
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
the same way.
---
 policy/modules/kernel/filesystem.fc |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index cda5588..4da589c 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -14,3 +14,6 @@
 # for systemd systems:
 /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
 /sys/fs/cgroup/.*		<<none>>
+
+/var/run/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
+/var/run/shm/.*			<<none>>
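Review bot: a Debian-specific mountpoint is added to the kernel-layer filesystem.fc with no marker, while the adjacent entry carries `# for systemd systems:`; add a matching `# for Debian (/dev/shm is a symlink to /var/run/shm):` comment above the two new lines so the next reader knows why it is there. `-d` plus `<<none>>` mirrors the /dev/shm treatment (label the mountpoint, leave the live contents alone), but if /var/run is itself a tmpfs on Debian, as the later discussion suggests, the entry only takes effect when something relabels the mountpoint after it is mounted; the commit message should say how the label gets applied at runtime.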
-- 
1.7.10.4


* [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
  2012-12-05 20:39 ` [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t Laurent Bigonville
  2012-12-05 20:39 ` [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t Laurent Bigonville
@ 2012-12-05 20:39 ` Laurent Bigonville
  2012-12-07  5:49   ` Christopher J. PeBenito
  2012-12-05 20:39 ` [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface Laurent Bigonville
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

On Debian, the /var/run/console directory might be created by consolekit; we
need these new interfaces to achieve this.
---
 policy/modules/system/authlogin.if |   50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8cdaa26..3efd5b6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1102,6 +1102,25 @@ interface(`auth_list_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create pam var console pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel pam_console data directories.
 ## </summary>
 ## <param name="domain">
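Review bot: auth_create_pam_console_data_dirs grants only `create` on pam_var_console_t:dir (plus search on /var/run); actually making /var/run/console also needs write/add_name on var_run_t and a type transition to pam_var_console_t, which this patch supplies separately through auth_pid_filetrans_pam_var_console. Either state in the summary that the two interfaces are meant to be called together, or give this one a `name` parameter and call files_pid_filetrans from it so a single call yields a working create path.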
@@ -1181,6 +1200,37 @@ interface(`auth_delete_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create specified objects in
+##	pid directories with the pam var
+##      console pid file type using a
+##      file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_console',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read all directories on the filesystem, except
 ##	login files and listed exceptions.
 ## </summary>
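Review bot: the summary lines `##      console pid file type using a` and `##      file type transition.` are indented with spaces where every other doc line in the file uses a tab after `##`; switch them to tabs so the file and the generated documentation stay consistent. The `$3` pass-through for the optional name matches how files_pid_filetrans is used elsewhere, so the interface body itself is fine.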
-- 
1.7.10.4


* [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
                   ` (2 preceding siblings ...)
  2012-12-05 20:39 ` [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces Laurent Bigonville
@ 2012-12-05 20:39 ` Laurent Bigonville
  2012-12-05 21:58   ` grift
  2012-12-05 20:39 ` [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t Laurent Bigonville
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

This allows initscripts to create pidfiles and lets them
transition to their context.
---
 policy/modules/system/init.if |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..cb26dda 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a pid file
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_run_file',`
+	gen_require(`
+		attribute pidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 pidfile;
+
+	files_pid_filetrans(initrc_t, $1, file, $2)
+')
+
+########################################
+## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
 ## </summary>
 ## <param name="domain">
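Review bot: `attribute pidfile` is declared by the files module, so requiring it from init.if reaches across module ownership; replace `typeattribute $1 pidfile;` with `files_pid_file($1)` and drop the attribute from gen_require, leaving only `type initrc_t;`. The second parameter is documented as `filename` while the body passes it to files_pid_filetrans as the optional object name; use the standard `<param name="name" optional="true">` block so the docs match the sibling interfaces.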
-- 
1.7.10.4


* [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
                   ` (3 preceding siblings ...)
  2012-12-05 20:39 ` [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface Laurent Bigonville
@ 2012-12-05 20:39 ` Laurent Bigonville
  2012-12-07  5:50   ` Christopher J. PeBenito
  2012-12-05 20:39 ` [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition Laurent Bigonville
  2012-12-07  5:48 ` [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Christopher J. PeBenito
  6 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.
---
 policy/modules/services/xserver.fc |    1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 9393f65..7e96559 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -27,6 +27,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
+/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
 /etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
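Review bot: labeling the init script xdm_exec_t makes initrc_t run the whole of x11-common in the display manager's domain (assuming xdm_t is set up as an init daemon domain, which is how this label would take effect) just to get /tmp/.X11-unix and /tmp/.ICE-unix created with the right type, which is far more privilege than two mkdirs need; a named file transition for initrc_t on those two directory names in the xserver module gets the same labels without the domain change. If the exec label stays, the commit message should say plainly that x11-common will execute as xdm_t.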
-- 
1.7.10.4


* [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
                   ` (4 preceding siblings ...)
  2012-12-05 20:39 ` [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t Laurent Bigonville
@ 2012-12-05 20:39 ` Laurent Bigonville
  2012-12-07  5:51   ` Christopher J. PeBenito
  2012-12-07  5:48 ` [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Christopher J. PeBenito
  6 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 20:39 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

This only seems to be used in Debian, and the file has been gone since 2006.
---
 policy/modules/services/xserver.fc |    1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 7e96559..d1f64a0 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -28,7 +28,6 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
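Review bot: the commit message says the file has been gone since 2006 but gives nothing a reader can check; name the Debian package release that dropped /etc/init.d/xfree86-common so the removal is auditable from the log. This also deletes the line directly below the one 6/7 adds in the same file, so the two could be squashed into one commit that describes the rename from xfree86-common to x11-common, which is what the pair amounts to.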
-- 
1.7.10.4


* [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface
  2012-12-05 20:39 ` [refpolicy] [PATCH 5/7] init.if: Add init_daemon_run_file interface Laurent Bigonville
@ 2012-12-05 21:58   ` grift
  2012-12-05 22:15     ` [refpolicy] [PATCH 5/7 v2] " Laurent Bigonville
  0 siblings, 1 reply; 18+ messages in thread
From: grift @ 2012-12-05 21:58 UTC (permalink / raw)
  To: refpolicy

On Wed, 2012-12-05 at 21:39 +0100, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> This allows initscripts to create pidfiles and lets them
> transition to their context.
> ---
>  policy/modules/system/init.if |   27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
> 
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 3f0c2d3..cb26dda 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`
>  
>  ########################################
>  ## <summary>
> +##	Mark the file type as a pid file, allowing initrc_t
> +##	to create it
> +## </summary>
> +## <param name="filetype">
> +##	<summary>
> +##	Type to mark as a pid file
> +##	</summary>
> +## </param>
> +## <param name="filename">
> +##	<summary>
> +##	Filename of the file that the init script creates
> +##	</summary>
> +## </param>
> +#
> +interface(`init_daemon_run_file',`
> +	gen_require(`
> +		attribute pidfile;
> +		type initrc_t;
> +	')
> +
> +	typeattribute $1 pidfile;
> +
> +	files_pid_filetrans(initrc_t, $1, file, $2)
> +')

Better use:

## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#

instead of:

## <param name="filename">
##	<summary>
##	Filename of the file that the init script creates
##	</summary>
## </param>

For consistency.

> +########################################
> +## <summary>
>  ##	Execute init (/sbin/init) with a domain transition.
>  ## </summary>
>  ## <param name="domain">


* [refpolicy] [PATCH 5/7 v2] init.if: Add init_daemon_run_file interface
  2012-12-05 21:58   ` grift
@ 2012-12-05 22:15     ` Laurent Bigonville
  2012-12-07  5:26       ` Christopher J. PeBenito
  0 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-05 22:15 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

This allows initscripts to create pidfiles and lets them
transition to their context.
---
 policy/modules/system/init.if |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..66a4869 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a pid file
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_daemon_run_file',`
+	gen_require(`
+		attribute pidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 pidfile;
+
+	files_pid_filetrans(initrc_t, $1, file, $2)
+')
+
+########################################
+## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
 ## </summary>
 ## <param name="domain">
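Review bot: the parameter doc is fixed, but gen_require still pulls in `attribute pidfile`, which belongs to the files module rather than init; `files_pid_file($1)` in place of the raw typeattribute line removes that cross-module dependency and is the idiomatic way to mark a type as a pid file. With that, the interface is init_daemon_run_dir restricted to the file class, so one interface taking the object class as a parameter (the way init_daemon_run_dir already handles dirs) would avoid two near-duplicate interfaces.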
-- 
1.7.10.4


* [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
  2012-12-05 20:39 ` [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t Laurent Bigonville
@ 2012-12-07  5:13   ` Christopher J. PeBenito
  2012-12-15 22:29     ` Laurent Bigonville
  0 siblings, 1 reply; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:13 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> In Debian, /dev/shm is a symlink to /var/run/shm. Label that mountpoint
> the same way.
> ---
>   policy/modules/kernel/filesystem.fc |    3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
> index cda5588..4da589c 100644
> --- a/policy/modules/kernel/filesystem.fc
> +++ b/policy/modules/kernel/filesystem.fc
> @@ -14,3 +14,6 @@
>   # for systemd systems:
>   /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
>   /sys/fs/cgroup/.*		<<none>>
> +
> +/var/run/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
> +/var/run/shm/.*			<<none>>

Wouldn't it make more sense to just have a file context substitution in the Debian policy?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

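Added example, not part of the thread and not refpolicy or libselinux code: a small Python model of how file_contexts entries are matched, covering the two mechanics the thread turns on, the anchored regex of 1/7 (`/etc/ssh/ssh_host.*_key`) and the path-prefix substitution suggested above for 3/7. The sample entries are constructed: the two ssh.fc lines from the patch plus the refpolicy defaults assumed here for /etc (etc_t) and /dev/shm (tmpfs_t), and a file_contexts.subs_dist line mapping /var/run/shm to /dev/shm. The ordering rule (longest literal stem, then typed entries, then fewer metacharacters, last match wins) is a simplification of refpolicy's fc_sort and libselinux lookup, and labels set by mount options such as rootcontext= are not modelled.

```python
"""Simplified model of SELinux file_contexts lookup (illustration only, not libselinux)."""
import re

# Constructed sample: the post-1/7 ssh.fc entries plus the refpolicy defaults
# assumed here for /etc (etc_t, files.fc) and /dev/shm (tmpfs_t, devices.fc).
FILE_CONTEXTS = """
/etc(/.*)?                      gen_context(system_u:object_r:etc_t,s0)
/etc/ssh/primes             --  gen_context(system_u:object_r:sshd_key_t,s0)
/etc/ssh/ssh_host.*_key     --  gen_context(system_u:object_r:sshd_key_t,s0)
/dev/shm                    -d  gen_context(system_u:object_r:tmpfs_t,s0)
/dev/shm/.*                     <<none>>
"""

# Assumed file_contexts.subs_dist content: a path prefix is rewritten before lookup.
SUBS = {"/var/run/shm": "/dev/shm"}

FTYPE = {"--": "file", "-d": "dir", "-l": "symlink", "-s": "sock",
         "-p": "pipe", "-c": "chr", "-b": "blk"}
META = set(".^$?*+|[({")   # regex metacharacters that end the literal stem


def parse(text):
    """Return (regex, ftype-or-None, type) tuples; '<<none>>' means 'leave alone'."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ftype = FTYPE[parts[1]] if len(parts) == 3 else None
        m = re.search(r"object_r:(\w+),", parts[-1])
        specs.append((parts[0], ftype, m.group(1) if m else "<<none>>"))
    return specs


def _meta_positions(regex):
    """Indexes of unescaped metacharacters (a backslash escapes the next char)."""
    out, i = [], 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2
            continue
        if regex[i] in META:
            out.append(i)
        i += 1
    return out


def specificity(spec):
    """Sort key mirroring fc_sort: longer literal stem, then typed entry, then fewer metas."""
    regex, ftype, _ = spec
    metas = _meta_positions(regex)
    first = metas[0] if metas else len(regex)
    stem = regex.rfind("/", 0, first + 1)      # last '/' before the first metachar
    return (stem, ftype is not None, -len(metas))


def substitute(path, subs=SUBS):
    """Apply the prefix rewrite that file_contexts.subs_dist performs before matching."""
    for prefix, repl in subs.items():
        if path == prefix or path.startswith(prefix + "/"):
            return repl + path[len(prefix):]
    return path


def lookup(path, ftype="file", text=FILE_CONTEXTS, subs=SUBS):
    """Type that `path` (an object of class `ftype`) would get; None if nothing matches."""
    path = substitute(path, subs)
    result = None
    for regex, ft, label in sorted(parse(text), key=specificity):
        if ft is not None and ft != ftype:
            continue
        if re.fullmatch(regex, path):   # file_contexts regexes are anchored at both ends
            result = label              # later (more specific) entries override earlier ones
    return result


if __name__ == "__main__":
    for p, ft in [("/etc/ssh/ssh_host_ecdsa_key", "file"),
                  ("/etc/ssh/ssh_host_ecdsa_key.pub", "file"),
                  ("/etc/ssh/ssh_hostile/backup_key", "file"),
                  ("/var/run/shm", "dir"),
                  ("/var/run/shm/sem.demo", "file")]:
        print(f"{p:40} {ft:4} -> {lookup(p, ft)}")
```

The third sample path shows the caveat with `.*`: it crosses `/`, so a `_key` file in a subdirectory starting with `ssh_host` is also labeled sshd_key_t, whereas `ssh_host[^/]*_key` would not match it. The last two show what the substitution approach would give for /var/run/shm if the prefix rewrite is the only thing in play.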

* [refpolicy] [PATCH 5/7 v2] init.if: Add init_daemon_run_file interface
  2012-12-05 22:15     ` [refpolicy] [PATCH 5/7 v2] " Laurent Bigonville
@ 2012-12-07  5:26       ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:26 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 5:15 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> This allows initscripts to create pidfiles and lets them
> transition to their context.
> ---
>   policy/modules/system/init.if |   27 +++++++++++++++++++++++++++
>   1 file changed, 27 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 3f0c2d3..66a4869 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -444,6 +444,33 @@ interface(`init_daemon_run_dir',`
>
>   ########################################
>   ## <summary>
> +##	Mark the file type as a pid file, allowing initrc_t
> +##	to create it
> +## </summary>
> +## <param name="filetype">
> +##	<summary>
> +##	Type to mark as a pid file
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_daemon_run_file',`
> +	gen_require(`
> +		attribute pidfile;
> +		type initrc_t;
> +	')
> +
> +	typeattribute $1 pidfile;
> +
> +	files_pid_filetrans(initrc_t, $1, file, $2)
> +')

pidfile isn't owned by this module.  Additionally, I'm thinking that it would probably be better to generalize init_daemon_run_dir to take object classes as a parameter.... but I don't know what to call it.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/7] Properly label all the ssh host keys
  2012-12-05 20:39 [refpolicy] [PATCH 1/7] Properly label all the ssh host keys Laurent Bigonville
                   ` (5 preceding siblings ...)
  2012-12-05 20:39 ` [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition Laurent Bigonville
@ 2012-12-07  5:48 ` Christopher J. PeBenito
  6 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:48 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> Be sure that we are properly labeling all ssh host keys, even if new
> algorithms are added in the future.
> ---
>   policy/modules/services/ssh.fc |    4 +---
>   1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
> index 7df96c5..76d9f66 100644
> --- a/policy/modules/services/ssh.fc
> +++ b/policy/modules/services/ssh.fc
> @@ -1,9 +1,7 @@
>   HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
>
>   /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
> -/etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
> -/etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
> -/etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
> +/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
>
>   /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
>   /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)

Merged.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t
  2012-12-05 20:39 ` [refpolicy] [PATCH 2/7] Allow udev_t domain to read files labeled as consolekit_var_run_t Laurent Bigonville
@ 2012-12-07  5:48   ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:48 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> When the active session is changed, the udev-acl executable is called
> by ConsoleKit. It will then read the ConsoleKit database to figure out
> which is the active one.
> ---
>   policy/modules/system/udev.te |    4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a2a4167..630d3e9 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -221,6 +221,10 @@ optional_policy(`
>   ')
>
>   optional_policy(`
> +	consolekit_read_pid_files(udev_t)
> +')
> +
> +optional_policy(`
>   	cups_domtrans_config(udev_t)
>   ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces
  2012-12-05 20:39 ` [refpolicy] [PATCH 4/7] authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces Laurent Bigonville
@ 2012-12-07  5:49   ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:49 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> On Debian, the /var/run/console directory might be created by consolekit; we
> need these new interfaces to achieve this.
> ---
>   policy/modules/system/authlogin.if |   50 ++++++++++++++++++++++++++++++++++++
>   1 file changed, 50 insertions(+)
>
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 8cdaa26..3efd5b6 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1102,6 +1102,25 @@ interface(`auth_list_pam_console_data',`
>
>   ########################################
>   ## <summary>
> +##	Create pam var console pid directories.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_create_pam_console_data_dirs',`
> +	gen_require(`
> +		type pam_var_console_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 pam_var_console_t:dir create_dir_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Relabel pam_console data directories.
>   ## </summary>
>   ## <param name="domain">
> @@ -1181,6 +1200,37 @@ interface(`auth_delete_pam_console_data',`
>
>   ########################################
>   ## <summary>
> +##	Create specified objects in
> +##	pid directories with the pam var
> +##      console pid file type using a
> +##      file type transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	Class of the object being created.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_pid_filetrans_pam_var_console',`
> +	gen_require(`
> +		type pam_var_console_t;
> +	')
> +
> +	files_pid_filetrans($1, pam_var_console_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
>   ##	Read all directories on the filesystem, except
>   ##	login files and listed exceptions.
>   ## </summary>>

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t
  2012-12-05 20:39 ` [refpolicy] [PATCH 6/7] Label /etc/rc.d/init.d/x11-common as xdm_exec_t Laurent Bigonville
@ 2012-12-07  5:50   ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:50 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> In Debian, this initscript is creating both /tmp/.X11-unix and
> /tmp/.ICE-unix. This allows the directory to transition to the context
> defined in the filecontext.
> ---
>   policy/modules/services/xserver.fc |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 9393f65..7e96559 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -27,6 +27,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>   /etc/kde[34]?/kdm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> +/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
>   /etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
>
>   /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition
  2012-12-05 20:39 ` [refpolicy] [PATCH 7/7] Drop /etc/rc.d/init.d/xfree86-common filecontext definition Laurent Bigonville
@ 2012-12-07  5:51   ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2012-12-07  5:51 UTC (permalink / raw)
  To: refpolicy

On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
>
> This only seems to be used in Debian, and the file has been gone since 2006.
> ---
>   policy/modules/services/xserver.fc |    1 -
>   1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 7e96559..d1f64a0 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -28,7 +28,6 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
>   /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
>
>   /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> -/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
>
>   /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
>   /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
  2012-12-07  5:13   ` Christopher J. PeBenito
@ 2012-12-15 22:29     ` Laurent Bigonville
  2012-12-16 16:41       ` grift
  0 siblings, 1 reply; 18+ messages in thread
From: Laurent Bigonville @ 2012-12-15 22:29 UTC (permalink / raw)
  To: refpolicy

On Fri, 07 Dec 2012 00:13:03 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:

> On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon@bigon.be>
> >
> > In Debian, /dev/shm is a symlink to /var/run/shm. Label that
> > mountpoint the same way.
> > ---
> >   policy/modules/kernel/filesystem.fc |    3 +++
> >   1 file changed, 3 insertions(+)
> >
> > diff --git a/policy/modules/kernel/filesystem.fc
> > b/policy/modules/kernel/filesystem.fc index cda5588..4da589c 100644
> > --- a/policy/modules/kernel/filesystem.fc
> > +++ b/policy/modules/kernel/filesystem.fc
> > @@ -14,3 +14,6 @@
> >   # for systemd systems:
> >   /sys/fs/cgroup		-d
> > gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.*
> > <<none>> +
> > +/var/run/shm		-d
> > gen_context(system_u:object_r:tmpfs_t,s0)
> > +/var/run/shm/.*			<<none>>
> 
> Wouldn't it make more sense to just have a file context substitution
> in the Debian policy?

For some reason it's not working. Maybe because /var/run is already a
tmpfs? If you want, I can give a patch that defines this only for Debian.

Laurent Bigonville


* [refpolicy] [PATCH 3/7] Label /var/run/shm as tmpfs_t
  2012-12-15 22:29     ` Laurent Bigonville
@ 2012-12-16 16:41       ` grift
  0 siblings, 0 replies; 18+ messages in thread
From: grift @ 2012-12-16 16:41 UTC (permalink / raw)
  To: refpolicy

On Sat, 2012-12-15 at 23:29 +0100, Laurent Bigonville wrote:
> On Fri, 07 Dec 2012 00:13:03 -0500,
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> 
> > On 12/5/2012 3:39 PM, Laurent Bigonville wrote:
> > > From: Laurent Bigonville <bigon@bigon.be>
> > >
> > > In Debian, /dev/shm is a symlink to /var/run/shm. Label that
> > > mountpoint the same way.
> > > ---
> > >   policy/modules/kernel/filesystem.fc |    3 +++
> > >   1 file changed, 3 insertions(+)
> > >
> > > diff --git a/policy/modules/kernel/filesystem.fc
> > > b/policy/modules/kernel/filesystem.fc index cda5588..4da589c 100644
> > > --- a/policy/modules/kernel/filesystem.fc
> > > +++ b/policy/modules/kernel/filesystem.fc
> > > @@ -14,3 +14,6 @@
> > >   # for systemd systems:
> > >   /sys/fs/cgroup		-d
> > > gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup/.*
> > > <<none>> +
> > > +/var/run/shm		-d
> > > gen_context(system_u:object_r:tmpfs_t,s0)
> > > +/var/run/shm/.*			<<none>>
> > 
> > Wouldn't it make more sense to just have a file context substitution
> > in the Debian policy?
> 
> For some reason it's not working. Maybe because /var/run is already a
> tmpfs? If you want, I can give a patch that defines this only for Debian.
> 

I think it may be related to the fact that this tmpfs here is mounted
with the rootcontext= option in Debian.

> Laurent Bigonville
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

