* policy patch for tunable "/dev/hdc is removable drive"
@ 2004-08-23 21:42 Luke Kenneth Casson Leighton
2004-08-24 0:22 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-23 21:42 UTC (permalink / raw)
To: SE-Linux
after russell's excellent suggestion of making /dev/hdc a
removable_device_t because i happened to have an IDE CD-RW,
i decided to add this as a tunable because i sure don't want
to keep on merging / patching stuff and i am sure that not
everyone has an IDE CD-RW on their second primary ide interface.
l.
--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
diff -Naur
--- default.1.14/file_contexts/types.fc 2004-08-02 08:28:37.000000000 +0100
+++ current/file_contexts/types.fc 2004-08-23 10:35:18.000000000 +0100
@@ -112,109 +117,111 @@
#
# /dev
#
-/u?dev(/.*)? system_u:object_r:device_t
-/u?dev/pts(/.*)? <<none>>
-/u?dev/cpu/.* -c system_u:object_r:cpu_device_t
-/u?dev/microcode -c system_u:object_r:cpu_device_t
-/u?dev/MAKEDEV -- system_u:object_r:sbin_t
-/u?dev/null -c system_u:object_r:null_device_t
-/u?dev/full -c system_u:object_r:null_device_t
-/u?dev/zero -c system_u:object_r:zero_device_t
-/u?dev/console -c system_u:object_r:console_device_t
-/u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
-/u?dev/nvram -c system_u:object_r:memory_device_t
-/u?dev/random -c system_u:object_r:random_device_t
-/u?dev/urandom -c system_u:object_r:urandom_device_t
-/u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t
-/u?dev/cu.* -c system_u:object_r:tty_device_t
-/u?dev/vcs[^/]* -c system_u:object_r:tty_device_t
-/u?dev/ip2[^/]* -c system_u:object_r:tty_device_t
-/u?dev/tty -c system_u:object_r:devtty_t
-/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
-/u?dev/rd.* -b system_u:object_r:fixed_disk_device_t
-/u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
-/u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
-/u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
-/u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
-/u?dev/net/.* -c system_u:object_r:tun_tap_device_t
-/u?dev/ram.* -b system_u:object_r:fixed_disk_device_t
-/u?dev/rawctl -c system_u:object_r:fixed_disk_device_t
-/u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
-/u?dev/initrd -b system_u:object_r:fixed_disk_device_t
-/u?dev/jsfd -b system_u:object_r:fixed_disk_device_t
-/u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
-/u?dev/usb/rio500 -c system_u:object_r:removable_device_t
-/u?dev/fd[^/]+ -b system_u:object_r:removable_device_t
+/.?u?dev(/.*)? system_u:object_r:device_t
+/.?u?dev/pts(/.*)? <<none>>
+/.?u?dev/cpu/.* -c system_u:object_r:cpu_device_t
+/.?u?dev/microcode -c system_u:object_r:cpu_device_t
+/.?u?dev/MAKEDEV -- system_u:object_r:sbin_t
+/.?u?dev/null -c system_u:object_r:null_device_t
+/.?u?dev/full -c system_u:object_r:null_device_t
+/.?u?dev/zero -c system_u:object_r:zero_device_t
+/.?u?dev/console -c system_u:object_r:console_device_t
+/.?u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
+/.?u?dev/nvram -c system_u:object_r:memory_device_t
+/.?u?dev/random -c system_u:object_r:random_device_t
+/.?u?dev/urandom -c system_u:object_r:urandom_device_t
+/.?u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t
+/.?u?dev/cu.* -c system_u:object_r:tty_device_t
+/.?u?dev/vcs[^/]* -c system_u:object_r:tty_device_t
+/.?u?dev/ip2[^/]* -c system_u:object_r:tty_device_t
+/.?u?dev/tty -c system_u:object_r:devtty_t
+/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
+/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/[smx]d[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
+/.?u?dev/rd.* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/net/.* -c system_u:object_r:tun_tap_device_t
+/.?u?dev/ram.* -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/rawctl -c system_u:object_r:fixed_disk_device_t
+/.?u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
+/.?u?dev/initrd -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/jsfd -b system_u:object_r:fixed_disk_device_t
+/.?u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
+/.?u?dev/usb/rio500 -c system_u:object_r:removable_device_t
+/.?u?dev/fd[^/]+ -b system_u:object_r:removable_device_t
# I think a parallel port disk is a removable device...
-/u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
-/u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t
-/u?dev/aztcd -b system_u:object_r:removable_device_t
-/u?dev/bpcd -b system_u:object_r:removable_device_t
-/u?dev/gscd -b system_u:object_r:removable_device_t
-/u?dev/hitcd -b system_u:object_r:removable_device_t
-/u?dev/pcd[0-3] -b system_u:object_r:removable_device_t
-/u?dev/mcdx? -b system_u:object_r:removable_device_t
-/u?dev/cdu.* -b system_u:object_r:removable_device_t
-/u?dev/cm20.* -b system_u:object_r:removable_device_t
-/u?dev/optcd -b system_u:object_r:removable_device_t
-/u?dev/sbpcd.* -b system_u:object_r:removable_device_t
-/u?dev/sjcd -b system_u:object_r:removable_device_t
-/u?dev/sonycd -b system_u:object_r:removable_device_t
+/.?u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
+/.?u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t
+/.?u?dev/aztcd -b system_u:object_r:removable_device_t
+/.?u?dev/bpcd -b system_u:object_r:removable_device_t
+/.?u?dev/gscd -b system_u:object_r:removable_device_t
+/.?u?dev/hitcd -b system_u:object_r:removable_device_t
+/.?u?dev/pcd[0-3] -b system_u:object_r:removable_device_t
+/.?u?dev/mcdx? -b system_u:object_r:removable_device_t
+/.?u?dev/cdu.* -b system_u:object_r:removable_device_t
+/.?u?dev/cm20.* -b system_u:object_r:removable_device_t
+/.?u?dev/optcd -b system_u:object_r:removable_device_t
+/.?u?dev/sbpcd.* -b system_u:object_r:removable_device_t
+/.?u?dev/sjcd -b system_u:object_r:removable_device_t
+/.?u?dev/sonycd -b system_u:object_r:removable_device_t
# parallel port ATAPI generic device
-/u?dev/pg[0-3] -c system_u:object_r:removable_device_t
-/u?dev/rtc -c system_u:object_r:clock_device_t
-/u?dev/psaux -c system_u:object_r:mouse_device_t
-/u?dev/atibm -c system_u:object_r:mouse_device_t
-/u?dev/logibm -c system_u:object_r:mouse_device_t
-/u?dev/.*mouse.* -c system_u:object_r:mouse_device_t
-/u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
-/u?dev/input/event.* -c system_u:object_r:event_device_t
-/u?dev/input/mice -c system_u:object_r:mouse_device_t
-/u?dev/input/js.* -c system_u:object_r:mouse_device_t
-/u?dev/js.* -c system_u:object_r:mouse_device_t
-/u?dev/jsflash -c system_u:object_r:fixed_disk_device_t
-/u?dev/ptmx -c system_u:object_r:ptmx_t
-/u?dev/sequencer -c system_u:object_r:misc_device_t
-/u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
-/u?dev/apm_bios -c system_u:object_r:apm_bios_t
-/u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
-/u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
-/u?dev/winradio. -c system_u:object_r:v4l_device_t
-/u?dev/vttuner -c system_u:object_r:v4l_device_t
-/u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t
-/u?dev/mixer.* -c system_u:object_r:sound_device_t
-/u?dev/dsp.* -c system_u:object_r:sound_device_t
-/u?dev/audio.* -c system_u:object_r:sound_device_t
-/u?dev/r?midi.* -c system_u:object_r:sound_device_t
-/u?dev/smpte.* -c system_u:object_r:sound_device_t
-/u?dev/sndstat -c system_u:object_r:sound_device_t
-/u?dev/beep -c system_u:object_r:sound_device_t
-/u?dev/patmgr[01] -c system_u:object_r:sound_device_t
-/u?dev/mpu401.* -c system_u:object_r:sound_device_t
-/u?dev/srnd[0-7] -c system_u:object_r:sound_device_t
-/u?dev/aload.* -c system_u:object_r:sound_device_t
-/u?dev/amidi.* -c system_u:object_r:sound_device_t
-/u?dev/amixer.* -c system_u:object_r:sound_device_t
-/u?dev/snd/.* -c system_u:object_r:sound_device_t
-/u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
-/u?dev/(n?raw)?qft[0-3] -c system_u:object_r:tape_device_t
-/u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
-/u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
-/u?dev/ht[0-1] -b system_u:object_r:tape_device_t
-/u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
-/u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
-/u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t
-/u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
-/u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
-/u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t
-/u?dev/mmetfgrab -c system_u:object_r:scanner_device_t
-/u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
+/.?u?dev/pg[0-3] -c system_u:object_r:removable_device_t
+/.?u?dev/rtc -c system_u:object_r:clock_device_t
+/.?u?dev/psaux -c system_u:object_r:mouse_device_t
+/.?u?dev/atibm -c system_u:object_r:mouse_device_t
+/.?u?dev/logibm -c system_u:object_r:mouse_device_t
+/.?u?dev/.*mouse.* -c system_u:object_r:mouse_device_t
+/.?u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
+/.?u?dev/input/event.* -c system_u:object_r:event_device_t
+/.?u?dev/input/mice -c system_u:object_r:mouse_device_t
+/.?u?dev/input/js.* -c system_u:object_r:mouse_device_t
+/.?u?dev/js.* -c system_u:object_r:mouse_device_t
+/.?u?dev/jsflash -c system_u:object_r:fixed_disk_device_t
+/.?u?dev/ptmx -c system_u:object_r:ptmx_t
+/.?u?dev/sequencer -c system_u:object_r:misc_device_t
+/.?u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
+/.?u?dev/apm_bios -c system_u:object_r:apm_bios_t
+/.?u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
+/.?u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
+/.?u?dev/winradio. -c system_u:object_r:v4l_device_t
+/.?u?dev/vttuner -c system_u:object_r:v4l_device_t
+/.?u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t
+/.?u?dev/mixer.* -c system_u:object_r:sound_device_t
+/.?u?dev/dsp.* -c system_u:object_r:sound_device_t
+/.?u?dev/audio.* -c system_u:object_r:sound_device_t
+/.?u?dev/r?midi.* -c system_u:object_r:sound_device_t
+/.?u?dev/smpte.* -c system_u:object_r:sound_device_t
+/.?u?dev/sndstat -c system_u:object_r:sound_device_t
+/.?u?dev/beep -c system_u:object_r:sound_device_t
+/.?u?dev/patmgr[01] -c system_u:object_r:sound_device_t
+/.?u?dev/mpu401.* -c system_u:object_r:sound_device_t
+/.?u?dev/srnd[0-7] -c system_u:object_r:sound_device_t
+/.?u?dev/aload.* -c system_u:object_r:sound_device_t
+/.?u?dev/amidi.* -c system_u:object_r:sound_device_t
+/.?u?dev/amixer.* -c system_u:object_r:sound_device_t
+/.?u?dev/snd/.* -c system_u:object_r:sound_device_t
+/.?u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
+/.?u?dev/(n?raw)?qft[0-3] -c system_u:object_r:tape_device_t
+/.?u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
+/.?u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
+/.?u?dev/ht[0-1] -b system_u:object_r:tape_device_t
+/.?u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
+/.?u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
+/.?u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t
+/.?u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
+/.?u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
+/.?u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t
+/.?u?dev/mmetfgrab -c system_u:object_r:scanner_device_t
+/.?u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
/proc(/.*)? <<none>>
/sys(/.*)? <<none>>
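Review bot: the exclusion regex on `+/.?u?dev/[h]d[^/^c]*` does not express what the cover note intends. Inside a bracket expression `^` negates only in the first position, so `[^/^c]` excludes the literal characters `/`, `^` and `c` from every position after `hd`; with the full-match anchoring setfiles applies to file_contexts that skips `/dev/hdc` as intended, but it also skips `/dev/hdc1`, `/dev/hdc2` and so on, so a fixed disk on hdc (tunable off) would have its partition nodes fall through to the generic `/.?u?dev(/.*)?` entry and be labelled `device_t`; the single-character class `[h]` is also just `h`. Since setfiles/matchpathcon uses the last matching entry, the simpler form is to leave the original `/.?u?dev/[shmx]d[^/]*` line untouched and place `/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t` after it. Separately, the `/u?dev` to `/.?u?dev` prefix change on every line is a distinct fix for the Debian `/.dev` udev layout and would be easier to review as its own patch; the header `@@ -112,109 +117,111 @@` also shows the diff was taken against a tree carrying earlier changes that are not in this patch.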
diff -Naur
--- default.1.14/tunables/tunable.te 2004-08-02 08:28:37.000000000 +0100
+++ current/tunables/tunable.te 2004-08-23 10:34:30.000000000 +0100
@@ -101,7 +101,11 @@
dnl define(`user_net_control')
# Allow user to rw usb devices
-dnl define(`user_rw_usb')
+dnl define(`user_rw_usb')
# Allow user to connect to database server
define(`user_db_connect')
+
+# Define whether hdc is an IDE CD(RW) DVD(RW)
+define(`hdc_is_cd_dvd')
+
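Review bot: `+define(`hdc_is_cd_dvd')` is left active, so the tunable defaults to on and every build of this policy labels /dev/hdc as removable_device_t until the admin edits tunable.te; the neighbouring entries show the off-by-default convention, `dnl define(...)`, and the cover note itself says not everyone has a CD-RW on hdc, so this should ship as `dnl define(`hdc_is_cd_dvd')`. The `-dnl define(`user_rw_usb')` / `+dnl define(`user_rw_usb')` pair shows no visible difference (presumably trailing whitespace) and should be dropped from the patch. The comment above the define would also be clearer if it stated the effect of each setting: on, hdc is removable_device_t; off, fixed_disk_device_t.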
diff -Naur
--- default.1.14/types/device.te 2004-08-02 08:28:37.000000000 +0100
+++ current/types/device.te 2004-08-23 10:31:13.000000000 +0100
@@ -73,6 +73,14 @@
#
type removable_device_t, device_type;
+# /dev/hdc could be an IDE CD/RW or DVD/RW.
+
+ifdef(`hdc_is_cd_dvd', `
+typealias removable_device_t alias tunably_defined_disk_t;
+',`
+typealias fixed_disk_device_t alias tunably_defined_disk_t;
+')
+
#
# clock_device_t is the type of
# /dev/rtc.
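Review bot: the alias name `tunably_defined_disk_t` hides which device it governs, and anyone reading file_contexts sees only that name; a name that states the device, something like `hdc_device_t`, would be clearer, and a second tunable device would force a rename anyway. The comment `+# /dev/hdc could be an IDE CD/RW or DVD/RW.` should name the tunable it reacts to (`hdc_is_cd_dvd`) and the type chosen in each branch, so the reader does not have to cross-reference tunable.te. Since typealias does not create a new type, contexts are reported under the primary name (removable_device_t or fixed_disk_device_t), never as tunably_defined_disk_t, which is worth saying in the comment as well.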
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-23 21:42 policy patch for tunable "/dev/hdc is removable drive" Luke Kenneth Casson Leighton
@ 2004-08-24 0:22 ` Luke Kenneth Casson Leighton
2004-08-24 9:15 ` Thomas Bleher
2004-08-24 11:06 ` Stephen Smalley
0 siblings, 2 replies; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-24 0:22 UTC (permalink / raw)
To: SE-Linux
my apologies for the length of the patch which i had not correctly
observed: the /.?u?dev is there to deal with /.dev which on debian
linux with udev is the "real" /dev remounted (--bind?) to a different
point.
if you then run a make relabel WITHOUT the /[.u]dev, ALL devices in
/.dev get marked as oh, i dunno, default_t or something: consequently,
your next reboot will catastrophically fail as /sbin/init or something
fairly major tries to access the "real" i.e. non-udev /dev.
of course this problem would be avoided if udev was available in initrd's.
in amongst this lot are two lines that say /dev/hdc something; here
we go:
> +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
> +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
i added the ^c in order to exclude /dev/hdc, i must warn you i am CRAP
at regular expressions so please do observe sufficient caution.
anyway, as russell describes, with this in combination with the tunable
for users to access non-xattr drives e.g. floppy and cd, you should
be able to run kaffeine, xine etc. and possibly even k3b / cdrecord.
but i decided to go for a separate policy file for k3b + cdrecord,
which i will macro-it-ise like mozilla is and release later.
l.
On Mon, Aug 23, 2004 at 10:42:28PM +0100, Luke Kenneth Casson Leighton wrote:
> after russell's excellent suggestion of making /dev/hdc a
> removable_device_t because i happened to have an IDE CD-RW,
> i decided to add this as a tunable because i sure don't want
> to keep on merging / patching stuff and i am sure that not
> everyone has an IDE CD-RW on their second primary ide interface.
>
> l.
>
> --
> --
> Truth, honesty and respect are rare commodities that all spring from
> the same well: Love. If you love yourself and everyone and everything
> around you, funnily and coincidentally enough, life gets a lot better.
> --
> <a href="http://lkcl.net"> lkcl.net </a> <br />
> <a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
>
> diff -Naur
> --- default.1.14/file_contexts/types.fc 2004-08-02 08:28:37.000000000 +0100
> +++ current/file_contexts/types.fc 2004-08-23 10:35:18.000000000 +0100
> @@ -112,109 +117,111 @@
> #
> # /dev
> #
> -/u?dev(/.*)? system_u:object_r:device_t
> -/u?dev/pts(/.*)? <<none>>
> -/u?dev/cpu/.* -c system_u:object_r:cpu_device_t
> -/u?dev/microcode -c system_u:object_r:cpu_device_t
> -/u?dev/MAKEDEV -- system_u:object_r:sbin_t
> -/u?dev/null -c system_u:object_r:null_device_t
> -/u?dev/full -c system_u:object_r:null_device_t
> -/u?dev/zero -c system_u:object_r:zero_device_t
> -/u?dev/console -c system_u:object_r:console_device_t
> -/u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
> -/u?dev/nvram -c system_u:object_r:memory_device_t
> -/u?dev/random -c system_u:object_r:random_device_t
> -/u?dev/urandom -c system_u:object_r:urandom_device_t
> -/u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t
> -/u?dev/cu.* -c system_u:object_r:tty_device_t
> -/u?dev/vcs[^/]* -c system_u:object_r:tty_device_t
> -/u?dev/ip2[^/]* -c system_u:object_r:tty_device_t
> -/u?dev/tty -c system_u:object_r:devtty_t
> -/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
> -/u?dev/rd.* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
> -/u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/net/.* -c system_u:object_r:tun_tap_device_t
> -/u?dev/ram.* -b system_u:object_r:fixed_disk_device_t
> -/u?dev/rawctl -c system_u:object_r:fixed_disk_device_t
> -/u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
> -/u?dev/initrd -b system_u:object_r:fixed_disk_device_t
> -/u?dev/jsfd -b system_u:object_r:fixed_disk_device_t
> -/u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
> -/u?dev/usb/rio500 -c system_u:object_r:removable_device_t
> -/u?dev/fd[^/]+ -b system_u:object_r:removable_device_t
> +/.?u?dev(/.*)? system_u:object_r:device_t
> +/.?u?dev/pts(/.*)? <<none>>
> +/.?u?dev/cpu/.* -c system_u:object_r:cpu_device_t
> +/.?u?dev/microcode -c system_u:object_r:cpu_device_t
> +/.?u?dev/MAKEDEV -- system_u:object_r:sbin_t
> +/.?u?dev/null -c system_u:object_r:null_device_t
> +/.?u?dev/full -c system_u:object_r:null_device_t
> +/.?u?dev/zero -c system_u:object_r:zero_device_t
> +/.?u?dev/console -c system_u:object_r:console_device_t
> +/.?u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t
> +/.?u?dev/nvram -c system_u:object_r:memory_device_t
> +/.?u?dev/random -c system_u:object_r:random_device_t
> +/.?u?dev/urandom -c system_u:object_r:urandom_device_t
> +/.?u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t
> +/.?u?dev/cu.* -c system_u:object_r:tty_device_t
> +/.?u?dev/vcs[^/]* -c system_u:object_r:tty_device_t
> +/.?u?dev/ip2[^/]* -c system_u:object_r:tty_device_t
> +/.?u?dev/tty -c system_u:object_r:devtty_t
> +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
> +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/[smx]d[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t
> +/.?u?dev/rd.* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/loop.* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/net/.* -c system_u:object_r:tun_tap_device_t
> +/.?u?dev/ram.* -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/rawctl -c system_u:object_r:fixed_disk_device_t
> +/.?u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t
> +/.?u?dev/initrd -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/jsfd -b system_u:object_r:fixed_disk_device_t
> +/.?u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t
> +/.?u?dev/usb/rio500 -c system_u:object_r:removable_device_t
> +/.?u?dev/fd[^/]+ -b system_u:object_r:removable_device_t
> # I think a parallel port disk is a removable device...
> -/u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
> -/u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t
> -/u?dev/aztcd -b system_u:object_r:removable_device_t
> -/u?dev/bpcd -b system_u:object_r:removable_device_t
> -/u?dev/gscd -b system_u:object_r:removable_device_t
> -/u?dev/hitcd -b system_u:object_r:removable_device_t
> -/u?dev/pcd[0-3] -b system_u:object_r:removable_device_t
> -/u?dev/mcdx? -b system_u:object_r:removable_device_t
> -/u?dev/cdu.* -b system_u:object_r:removable_device_t
> -/u?dev/cm20.* -b system_u:object_r:removable_device_t
> -/u?dev/optcd -b system_u:object_r:removable_device_t
> -/u?dev/sbpcd.* -b system_u:object_r:removable_device_t
> -/u?dev/sjcd -b system_u:object_r:removable_device_t
> -/u?dev/sonycd -b system_u:object_r:removable_device_t
> +/.?u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t
> +/.?u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t
> +/.?u?dev/aztcd -b system_u:object_r:removable_device_t
> +/.?u?dev/bpcd -b system_u:object_r:removable_device_t
> +/.?u?dev/gscd -b system_u:object_r:removable_device_t
> +/.?u?dev/hitcd -b system_u:object_r:removable_device_t
> +/.?u?dev/pcd[0-3] -b system_u:object_r:removable_device_t
> +/.?u?dev/mcdx? -b system_u:object_r:removable_device_t
> +/.?u?dev/cdu.* -b system_u:object_r:removable_device_t
> +/.?u?dev/cm20.* -b system_u:object_r:removable_device_t
> +/.?u?dev/optcd -b system_u:object_r:removable_device_t
> +/.?u?dev/sbpcd.* -b system_u:object_r:removable_device_t
> +/.?u?dev/sjcd -b system_u:object_r:removable_device_t
> +/.?u?dev/sonycd -b system_u:object_r:removable_device_t
> # parallel port ATAPI generic device
> -/u?dev/pg[0-3] -c system_u:object_r:removable_device_t
> -/u?dev/rtc -c system_u:object_r:clock_device_t
> -/u?dev/psaux -c system_u:object_r:mouse_device_t
> -/u?dev/atibm -c system_u:object_r:mouse_device_t
> -/u?dev/logibm -c system_u:object_r:mouse_device_t
> -/u?dev/.*mouse.* -c system_u:object_r:mouse_device_t
> -/u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
> -/u?dev/input/event.* -c system_u:object_r:event_device_t
> -/u?dev/input/mice -c system_u:object_r:mouse_device_t
> -/u?dev/input/js.* -c system_u:object_r:mouse_device_t
> -/u?dev/js.* -c system_u:object_r:mouse_device_t
> -/u?dev/jsflash -c system_u:object_r:fixed_disk_device_t
> -/u?dev/ptmx -c system_u:object_r:ptmx_t
> -/u?dev/sequencer -c system_u:object_r:misc_device_t
> -/u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
> -/u?dev/apm_bios -c system_u:object_r:apm_bios_t
> -/u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
> -/u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
> -/u?dev/winradio. -c system_u:object_r:v4l_device_t
> -/u?dev/vttuner -c system_u:object_r:v4l_device_t
> -/u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t
> -/u?dev/mixer.* -c system_u:object_r:sound_device_t
> -/u?dev/dsp.* -c system_u:object_r:sound_device_t
> -/u?dev/audio.* -c system_u:object_r:sound_device_t
> -/u?dev/r?midi.* -c system_u:object_r:sound_device_t
> -/u?dev/smpte.* -c system_u:object_r:sound_device_t
> -/u?dev/sndstat -c system_u:object_r:sound_device_t
> -/u?dev/beep -c system_u:object_r:sound_device_t
> -/u?dev/patmgr[01] -c system_u:object_r:sound_device_t
> -/u?dev/mpu401.* -c system_u:object_r:sound_device_t
> -/u?dev/srnd[0-7] -c system_u:object_r:sound_device_t
> -/u?dev/aload.* -c system_u:object_r:sound_device_t
> -/u?dev/amidi.* -c system_u:object_r:sound_device_t
> -/u?dev/amixer.* -c system_u:object_r:sound_device_t
> -/u?dev/snd/.* -c system_u:object_r:sound_device_t
> -/u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
> -/u?dev/(n?raw)?qft[0-3] -c system_u:object_r:tape_device_t
> -/u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
> -/u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
> -/u?dev/ht[0-1] -b system_u:object_r:tape_device_t
> -/u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
> -/u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
> -/u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t
> -/u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
> -/u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
> -/u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t
> -/u?dev/mmetfgrab -c system_u:object_r:scanner_device_t
> -/u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
> +/.?u?dev/pg[0-3] -c system_u:object_r:removable_device_t
> +/.?u?dev/rtc -c system_u:object_r:clock_device_t
> +/.?u?dev/psaux -c system_u:object_r:mouse_device_t
> +/.?u?dev/atibm -c system_u:object_r:mouse_device_t
> +/.?u?dev/logibm -c system_u:object_r:mouse_device_t
> +/.?u?dev/.*mouse.* -c system_u:object_r:mouse_device_t
> +/.?u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t
> +/.?u?dev/input/event.* -c system_u:object_r:event_device_t
> +/.?u?dev/input/mice -c system_u:object_r:mouse_device_t
> +/.?u?dev/input/js.* -c system_u:object_r:mouse_device_t
> +/.?u?dev/js.* -c system_u:object_r:mouse_device_t
> +/.?u?dev/jsflash -c system_u:object_r:fixed_disk_device_t
> +/.?u?dev/ptmx -c system_u:object_r:ptmx_t
> +/.?u?dev/sequencer -c system_u:object_r:misc_device_t
> +/.?u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t
> +/.?u?dev/apm_bios -c system_u:object_r:apm_bios_t
> +/.?u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t
> +/.?u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t
> +/.?u?dev/winradio. -c system_u:object_r:v4l_device_t
> +/.?u?dev/vttuner -c system_u:object_r:v4l_device_t
> +/.?u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t
> +/.?u?dev/mixer.* -c system_u:object_r:sound_device_t
> +/.?u?dev/dsp.* -c system_u:object_r:sound_device_t
> +/.?u?dev/audio.* -c system_u:object_r:sound_device_t
> +/.?u?dev/r?midi.* -c system_u:object_r:sound_device_t
> +/.?u?dev/smpte.* -c system_u:object_r:sound_device_t
> +/.?u?dev/sndstat -c system_u:object_r:sound_device_t
> +/.?u?dev/beep -c system_u:object_r:sound_device_t
> +/.?u?dev/patmgr[01] -c system_u:object_r:sound_device_t
> +/.?u?dev/mpu401.* -c system_u:object_r:sound_device_t
> +/.?u?dev/srnd[0-7] -c system_u:object_r:sound_device_t
> +/.?u?dev/aload.* -c system_u:object_r:sound_device_t
> +/.?u?dev/amidi.* -c system_u:object_r:sound_device_t
> +/.?u?dev/amixer.* -c system_u:object_r:sound_device_t
> +/.?u?dev/snd/.* -c system_u:object_r:sound_device_t
> +/.?u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t
> +/.?u?dev/(n?raw)?qft[0-3] -c system_u:object_r:tape_device_t
> +/.?u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t
> +/.?u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t
> +/.?u?dev/ht[0-1] -b system_u:object_r:tape_device_t
> +/.?u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t
> +/.?u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t
> +/.?u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t
> +/.?u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t
> +/.?u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t
> +/.?u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t
> +/.?u?dev/mmetfgrab -c system_u:object_r:scanner_device_t
> +/.?u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t
>
> /proc(/.*)? <<none>>
> /sys(/.*)? <<none>>
> diff -Naur
> --- default.1.14/tunables/tunable.te 2004-08-02 08:28:37.000000000 +0100
> +++ current/tunables/tunable.te 2004-08-23 10:34:30.000000000 +0100
> @@ -101,7 +101,11 @@
> dnl define(`user_net_control')
>
> # Allow user to rw usb devices
> -dnl define(`user_rw_usb')
> +dnl define(`user_rw_usb')
>
> # Allow user to connect to database server
> define(`user_db_connect')
> +
> +# Define whether hdc is an IDE CD(RW) DVD(RW)
> +define(`hdc_is_cd_dvd')
> +
> diff -Naur
> --- default.1.14/types/device.te 2004-08-02 08:28:37.000000000 +0100
> +++ current/types/device.te 2004-08-23 10:31:13.000000000 +0100
> @@ -73,6 +73,14 @@
> #
> type removable_device_t, device_type;
>
> +# /dev/hdc could be an IDE CD/RW or DVD/RW.
> +
> +ifdef(`hdc_is_cd_dvd', `
> +typealias removable_device_t alias tunably_defined_disk_t;
> +',`
> +typealias fixed_disk_device_t alias tunably_defined_disk_t;
> +')
> +
> #
> # clock_device_t is the type of
> # /dev/rtc.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 0:22 ` Luke Kenneth Casson Leighton
@ 2004-08-24 9:15 ` Thomas Bleher
2004-08-24 12:22 ` Valdis.Kletnieks
` (2 more replies)
2004-08-24 11:06 ` Stephen Smalley
1 sibling, 3 replies; 18+ messages in thread
From: Thomas Bleher @ 2004-08-24 9:15 UTC (permalink / raw)
To: SE-Linux
* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 03:38]:
> in amongst this lot are two lines that say /dev/hdc something here
> we go:
>
> > +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
> > +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
I don't think this is the right approach. Not all users have their
CD-Rom on /dev/hdc.
I've been using a hack to the Makefile which works well on the
hundred-odd machines we have here:
--- orig/Makefile
+++ mod/Makefile
@@ -145,6 +145,7 @@
@grep -v "^/root" $@.tmp > $@.root
@/usr/sbin/genhomedircon . $@.root > $@
@grep "^/root" $@.tmp >> $@
+ @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@; done
@-rm $@.tmp $@.root
clean:
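Review bot: the recipe line `+ @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && ... >> $@; done` returns the exit status of the last loop iteration, so whenever the last hd* entry is not a cdrom (grep returns 1) the whole recipe fails and make aborts the file_contexts build; on a box with no IDE at all the unexpanded glob is handed to grep and the same thing happens. Ending the command with `; done; true`, or writing the body as `if grep -q cdrom $$i 2>/dev/null; then ...; fi`, keeps the build going in both cases. Appending the generated line at the end of the file is correct, since setfiles uses the last matching entry and so this overrides the earlier `[shmx]d[^/]*` fixed-disk rule; it covers only the `hdX` node and not partition nodes, which is fine for a CD-ROM.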
This inserts a special line into the file_contexts file for every cdrom
found on the system (according to proc).
I am however not sure what a proper solution would look like; do we want
to make policy that system dependent?
Maybe we need a tool like genhomedircon for devices.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 0:22 ` Luke Kenneth Casson Leighton
2004-08-24 9:15 ` Thomas Bleher
@ 2004-08-24 11:06 ` Stephen Smalley
2004-08-24 14:58 ` Luke Kenneth Casson Leighton
1 sibling, 1 reply; 18+ messages in thread
From: Stephen Smalley @ 2004-08-24 11:06 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Mon, 2004-08-23 at 20:22, Luke Kenneth Casson Leighton wrote:
> my apologies for the length of the patch which i had not correctly
> observed: the /.?u?dev is there to deal with /.dev which on debian
> linux with udev is the "real" /dev remounted (--bind?) to a different
> point.
fixfiles and make relabel exclude bind mounts from the relabeling. So
if it is a bind mount, it shouldn't get relabeled anyway.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 9:15 ` Thomas Bleher
@ 2004-08-24 12:22 ` Valdis.Kletnieks
2004-08-25 11:38 ` Thomas Bleher
2004-08-24 14:22 ` Luke Kenneth Casson Leighton
2004-08-25 11:40 ` Russell Coker
2 siblings, 1 reply; 18+ messages in thread
From: Valdis.Kletnieks @ 2004-08-24 12:22 UTC (permalink / raw)
To: Thomas Bleher; +Cc: SE-Linux
On Tue, 24 Aug 2004 11:15:20 +0200, Thomas Bleher said:
> This inserts a special line into the file_contexts file for every cdrom
> found on the system (according to proc).
> I am however not sure what a proper solution would look like; do we want
> to make policy that system dependent?
The concept that "all cdrom devices need a context foo_t" isn't at all system
dependent. The actual names of the devices are by necessity system dependent -
on my Dell Latitude C840 laptop, the CD is /dev/hdb. Across the hall, I have a
Dell 2650 rack-mount server - with a CD at /dev/hda. Obviously, some hinting
will be required to get the hd* labeled right... ;)
> Maybe we need a tool like genhomedircon for devices.
At least under Fedora's version of pam, you can probably extract some
useful hints from /etc/security/console.perms (for more than just cdroms,
in fact).
Somebody not of the RedHat/Fedora persuasion will have to research if that
file has any useful info in other distros....
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 9:15 ` Thomas Bleher
2004-08-24 12:22 ` Valdis.Kletnieks
@ 2004-08-24 14:22 ` Luke Kenneth Casson Leighton
2004-08-25 11:40 ` Russell Coker
2 siblings, 0 replies; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-24 14:22 UTC (permalink / raw)
To: SE-Linux
On Tue, Aug 24, 2004 at 11:15:20AM +0200, Thomas Bleher wrote:
> * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 03:38]:
> > in amongst this lot are two lines that say /dev/hdc something here
> > we go:
> >
> > > +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
> > > +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
>
> I don't think this is the right approach. Not all users have their
> CD-Rom on /dev/hdc.
no, i know: that's why i set it to a tunable called
"tunably_defined_disk_t" :)
> I've been using a hack to the Makefile which works well on the
> hundred-odd machines we have here:
>
> --- orig/Makefile
> +++ mod/Makefile
> @@ -145,6 +145,7 @@
> @grep -v "^/root" $@.tmp > $@.root
> @/usr/sbin/genhomedircon . $@.root > $@
> @grep "^/root" $@.tmp >> $@
> + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@; done
> @-rm $@.tmp $@.root
okay... that's fine on a system that doesn't use udev :) :)
> This inserts a special line into the file_contexts file for every cdrom
> found on the system (according to proc).
> I am however not sure what a proper solution would look like; do we want
> to make policy that system dependent?
> Maybe we need a tool like genhomedircon for devices.
perhaps udev could communicate to run-time tunables to "switch"
certain device types (like the example tunably_defined_disk_t)
from their aliases fixed_disk_device_t to removable_disk_device_t?
of course, it would be necessary to do "prep" things with a
tunably_defined_hda_t, tunably_defined_hdb_t, tunably_defined you
get the idea.
l.
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 11:06 ` Stephen Smalley
@ 2004-08-24 14:58 ` Luke Kenneth Casson Leighton
0 siblings, 0 replies; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-24 14:58 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE-Linux
On Tue, Aug 24, 2004 at 07:06:41AM -0400, Stephen Smalley wrote:
> On Mon, 2004-08-23 at 20:22, Luke Kenneth Casson Leighton wrote:
> > my apologies for the length of the patch which i had not correctly
> > observed: the /.?u?dev is there to deal with /.dev which on debian
> > linux with udev is the "real" /dev remounted (--bind?) to a different
> > point.
>
> fixfiles and make relabel exclude bind mounts from the relabeling. So
> if it is a bind mount, it shouldn't get relabeled anyway.
it was. this is with a 2.6.7 kernel.
l.
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 12:22 ` Valdis.Kletnieks
@ 2004-08-25 11:38 ` Thomas Bleher
0 siblings, 0 replies; 18+ messages in thread
From: Thomas Bleher @ 2004-08-25 11:38 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: SE-Linux
* Valdis.Kletnieks@vt.edu [2004-08-24 16:02]:
> The concept that "all cdrom devices need a context foo_t" isn't at all system
> dependent. The actual names of the devices are by necessity system dependent -
> > Maybe we need a tool like genhomedircon for devices.
>
> At least under Fedora's version of pam, you can probably extract some
> useful hints from /etc/security/console.perms (for more than just cdroms,
> in fact).
This file exists neither on SuSE nor on Debian systems, so no luck there.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-24 9:15 ` Thomas Bleher
2004-08-24 12:22 ` Valdis.Kletnieks
2004-08-24 14:22 ` Luke Kenneth Casson Leighton
@ 2004-08-25 11:40 ` Russell Coker
2004-08-25 13:53 ` Luke Kenneth Casson Leighton
2004-08-25 17:07 ` Colin Walters
2 siblings, 2 replies; 18+ messages in thread
From: Russell Coker @ 2004-08-25 11:40 UTC (permalink / raw)
To: Thomas Bleher; +Cc: SE-Linux
On Tue, 24 Aug 2004 19:15, Thomas Bleher <bleher@informatik.uni-muenchen.de>
wrote:
> * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 03:38]:
> > in amongst this lot are two lines that say /dev/hdc something here
> >
> > we go:
> > > +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
> > > +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
>
> I don't think this is the right approach. Not all users have their
> CD-Rom on /dev/hdc.
> I've been using a hack to the Makefile which works well on the
> hundred-odd machines we have here:
I agree. Luke's code makes a tunable for whether /dev/hdc is a cd-rom, not
whether /dev/hdb, /dev/hdd, etc might be a tunable.
> --- orig/Makefile
> +++ mod/Makefile
> @@ -145,6 +145,7 @@
> @grep -v "^/root" $@.tmp > $@.root
> @/usr/sbin/genhomedircon . $@.root > $@
> @grep "^/root" $@.tmp >> $@
> + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i |
> awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}'
> >> $@; done @-rm $@.tmp $@.root
Good work, but there's one minor bug. If a system has no CD-ROM drives (or
possibly if the last IDE drive is not a CD) then it returns an error and
aborts the make.
Appending a "|| true" to the command seems to fix this bug without any
side-effects.
@for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i | awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}' >> $@ || true; done
@-rm $@.tmp $@.root
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 11:40 ` Russell Coker
@ 2004-08-25 13:53 ` Luke Kenneth Casson Leighton
2004-08-25 13:57 ` Russell Coker
2004-08-25 17:07 ` Colin Walters
1 sibling, 1 reply; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-25 13:53 UTC (permalink / raw)
To: Russell Coker; +Cc: Thomas Bleher, SE-Linux
On Wed, Aug 25, 2004 at 09:40:41PM +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 19:15, Thomas Bleher <bleher@informatik.uni-muenchen.de>
> wrote:
> > * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-08-24 03:38]:
> > > in amongst this lot are two lines that say /dev/hdc something here
> > >
> > > we go:
> > > > +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t
> > > > +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t
> >
> > I don't think this is the right approach. Not all users have their
> > CD-Rom on /dev/hdc.
> > I've been using a hack to the Makefile which works well on the
> > hundred-odd machines we have here:
>
> I agree. Luke's code makes a tunable for whether /dev/hdc is a cd-rom, not
> whether /dev/hdb, /dev/hdd, etc might be a tunable.
>
> > --- orig/Makefile
> > +++ mod/Makefile
> > @@ -145,6 +145,7 @@
> > @grep -v "^/root" $@.tmp > $@.root
> > @/usr/sbin/genhomedircon . $@.root > $@
> > @grep "^/root" $@.tmp >> $@
> > + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i |
> > awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}'
> > >> $@; done @-rm $@.tmp $@.root
>
> Good work, but there's one minor bug.
would it work with udev, too?
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 13:53 ` Luke Kenneth Casson Leighton
@ 2004-08-25 13:57 ` Russell Coker
2004-08-25 16:20 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 18+ messages in thread
From: Russell Coker @ 2004-08-25 13:57 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: Thomas Bleher, SE-Linux
On Wed, 25 Aug 2004 23:53, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > --- orig/Makefile
> > > +++ mod/Makefile
> > > @@ -145,6 +145,7 @@
> > > @grep -v "^/root" $@.tmp > $@.root
> > > @/usr/sbin/genhomedircon . $@.root > $@
> > > @grep "^/root" $@.tmp >> $@
> > > + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i
> > > | awk -F / '{ print
> > > "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}'
> > >
> > > >> $@; done @-rm $@.tmp $@.root
> >
> > Good work, but there's one minor bug.
>
> would it work with udev, too?
udev uses the same file_contexts file, so it should work. The only possible
problem I can think of is that if you have a machine which boots without IDE
disk access and which has no IDE modules loaded at the time that it has the
file_contexts file generated then this would not work (think of servers that
have IDE CD-ROM or DVD drives but hardware RAID or SCSI for main storage).
Of course this is not necessarily a problem, Fedora kernels have the IDE
drivers statically linked into the kernel, and there were some issues last
time I tried building a Debian kernel with IDE as a module so the number of
people who might get hit by this is very small.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 13:57 ` Russell Coker
@ 2004-08-25 16:20 ` Luke Kenneth Casson Leighton
2004-08-25 23:51 ` Russell Coker
0 siblings, 1 reply; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-25 16:20 UTC (permalink / raw)
To: Russell Coker; +Cc: Thomas Bleher, SE-Linux
On Wed, Aug 25, 2004 at 11:57:08PM +1000, Russell Coker wrote:
> On Wed, 25 Aug 2004 23:53, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > > --- orig/Makefile
> > > > +++ mod/Makefile
> > > > @@ -145,6 +145,7 @@
> > > > @grep -v "^/root" $@.tmp > $@.root
> > > > @/usr/sbin/genhomedircon . $@.root > $@
> > > > @grep "^/root" $@.tmp >> $@
> > > > + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i
> > > > | awk -F / '{ print
> > > > "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}'
> > > >
> > > > >> $@; done @-rm $@.tmp $@.root
> > >
> > > Good work, but there's one minor bug.
> >
> > would it work with udev, too?
>
> udev uses the same file_contexts file, so it should work. The only possible
> problem I can think of is that if you have a machine which boots without IDE
> disk access and which has no IDE modules loaded at the time that it has the
> file_contexts file generated then this would not work (think of servers that
> have IDE CD-ROM or DVD drives but hardware RAID or SCSI for main storage).
>
> Of course this is not necessarily a problem, Fedora kernels have the IDE
> drivers statically linked into the kernel, and there were some issues last
> time I tried building a Debian kernel with IDE as a module so the number of
> people who might get hit by this is very small.
... initrd. initial ramdisk. contains all ide drivers, 'n'stuff.
i always always start from herbert's standard debian config files,
add the selinux configs, then run make-kpkg --initrd kernel-image.
then do a dpkg -i on the resultant .deb.
that way i stand a good chance of minimising any potential problems
with kernel/thingy inconsistencies.
l.
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 11:40 ` Russell Coker
2004-08-25 13:53 ` Luke Kenneth Casson Leighton
@ 2004-08-25 17:07 ` Colin Walters
2004-08-28 13:54 ` Russell Coker
1 sibling, 1 reply; 18+ messages in thread
From: Colin Walters @ 2004-08-25 17:07 UTC (permalink / raw)
To: selinux
On Wed, 2004-08-25 at 21:40 +1000, Russell Coker wrote:
> On Tue, 24 Aug 2004 19:15, Thomas Bleher <bleher@informatik.uni-muenchen.de>
> > --- orig/Makefile
> > +++ mod/Makefile
> > @@ -145,6 +145,7 @@
> > @grep -v "^/root" $@.tmp > $@.root
> > @/usr/sbin/genhomedircon . $@.root > $@
> > @grep "^/root" $@.tmp >> $@
> > + @for i in /proc/ide/hd*/media; do grep -q cdrom $$i && echo $$i |
> > awk -F / '{ print "/dev/"$$4"\t-b\tsystem_u:object_r:removable_device_t"}'
> > >> $@; done @-rm $@.tmp $@.root
I guess genhomedircon is a precedent here, but: I don't think this
makes sense, because then the policy is dependent on the machine where
you build the policy, which may be different from the machine to which
the policy is ultimately installed.
This kind of calculation should probably be done in the policy post-
installation step.
In the larger picture, I don't think we should use one-off hacks like
this. Instead, we really need a tool to analyze your whole system and
suggest policy changes, or vice versa. If we start embedding things
like this in policy, system administrators are going to actually expect
it to work, and I don't think it will, reliably.
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 16:20 ` Luke Kenneth Casson Leighton
@ 2004-08-25 23:51 ` Russell Coker
2004-08-26 11:00 ` Luke Kenneth Casson Leighton
0 siblings, 1 reply; 18+ messages in thread
From: Russell Coker @ 2004-08-25 23:51 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Thu, 26 Aug 2004 02:20, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > udev uses the same file_contexts file, so it should work. The only
> > possible problem I can think of is that if you have a machine which boots
> > without IDE disk access and which has no IDE modules loaded at the time
> > that it has the file_contexts file generated then this would not work
> > (think of servers that have IDE CD-ROM or DVD drives but hardware RAID or
> > SCSI for main storage).
> >
> > Of course this is not necessarily a problem, Fedora kernels have the IDE
> > drivers statically linked into the kernel, and there were some issues
> > last time I tried building a Debian kernel with IDE as a module so the
> > number of people who might get hit by this is very small.
>
> ... initrd. initial ramdisk. contains all ide drivers, 'n'stuff.
Last time I was doing this there were some kernel bugs related to IDE drivers.
One of which was having two drivers which need symbols that the other exports
(so it was impossible to load them). At the time almost no testing was being
done on this and it didn't seem that the problem was going to be fixed in a
reasonable amount of time.
I gave up using an initrd in Debian at about the same time. The problem was
that the Debian mkinitrd program tried to work out too many things about the
system by itself. This made it difficult if its guesses were wrong, or if
you wanted to prepare an initrd for a different configuration (either for a
significant configuration change or making an initrd for use on another
machine).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 23:51 ` Russell Coker
@ 2004-08-26 11:00 ` Luke Kenneth Casson Leighton
0 siblings, 0 replies; 18+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-26 11:00 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
On Thu, Aug 26, 2004 at 09:51:48AM +1000, Russell Coker wrote:
> On Thu, 26 Aug 2004 02:20, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > udev uses the same file_contexts file, so it should work. The only
> > > possible problem I can think of is that if you have a machine which boots
> > > without IDE disk access and which has no IDE modules loaded at the time
> > > that it has the file_contexts file generated then this would not work
> > > (think of servers that have IDE CD-ROM or DVD drives but hardware RAID or
> > > SCSI for main storage).
> > >
> > > Of course this is not necessarily a problem, Fedora kernels have the IDE
> > > drivers statically linked into the kernel, and there were some issues
> > > last time I tried building a Debian kernel with IDE as a module so the
> > > number of people who might get hit by this is very small.
> >
> > ... initrd. initial ramdisk. contains all ide drivers, 'n'stuff.
>
> Last time I was doing this there were some kernel bugs related to IDE drivers.
> One of which was having two drivers which need symbols that the other exports
> (so it was impossible to load them). At the time almost no testing was being
> done on this and it didn't seem that the problem was going to be fixed in a
> reasonable amount of time.
>
> I gave up using an initrd in Debian at about the same time. The problem was
> that the Debian mkinitrd program tried to work out too many things about the
> system by itself. This made it difficult if its guesses were wrong, or if
> you wanted to prepare an initrd for a different configuration (either for a
> significant configuration change or making an initrd for use on another
> machine).
there was indeed a wobbly period a few months ago where you couldn't
even _use_ make-kpkg if you had some particular version of
module-init-tools but didn't back-pedal to some earlier version of
some package.
i had to do the make-kpkg with one version of the package, wait for the
error and the exit, install the latest version and then carry on.
but the dust appears to have settled now.
i get around the problems you describe by having the same kernel on my
build machine as on my target.
i can then add scripts to /etc/mkinitrd/files to do "weird" things like
mount a cd, mount a tmpfs, unpack a .tgz from the CD into the tmpfs and
then chroot to the tmpfs, with impunity.
l.
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-25 17:07 ` Colin Walters
@ 2004-08-28 13:54 ` Russell Coker
2004-08-29 13:17 ` Colin Walters
0 siblings, 1 reply; 18+ messages in thread
From: Russell Coker @ 2004-08-28 13:54 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Thu, 26 Aug 2004 03:07, Colin Walters <walters@verbum.org> wrote:
> I guess genhomedircon is a precedent here, but: I don't think this
> makes sense, because then the policy is dependent on the machine where
> you build the policy, which may be different from the machine to which
> the policy is ultimately installed.
>
> This kind of calculation should probably be done in the policy post-
> installation step.
We could do that.
Another possibility may be to have udev do this and create a /dev/cdroms
directory or something similar.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-28 13:54 ` Russell Coker
@ 2004-08-29 13:17 ` Colin Walters
2004-09-01 6:19 ` Russell Coker
0 siblings, 1 reply; 18+ messages in thread
From: Colin Walters @ 2004-08-29 13:17 UTC (permalink / raw)
To: russell; +Cc: selinux
On Sat, 2004-08-28 at 23:54 +1000, Russell Coker wrote:
> On Thu, 26 Aug 2004 03:07, Colin Walters <walters@verbum.org> wrote:
> > I guess genhomedircon is a precedent here, but: I don't think this
> > makes sense, because then the policy is dependent on the machine where
> > you build the policy, which may be different from the machine to which
> > the policy is ultimately installed.
> >
> > This kind of calculation should probably be done in the policy post-
> > installation step.
>
> We could do that.
>
> Another possibility may be to have udev do this and create a /dev/cdroms
> directory or something similar.
Yes, having this kind of logic in udev makes more sense to me.
Fundamentally the SELinux policy is a static entity, and devices are
dynamic. I could plug in a USB mass-storage disk one minute, have that
be /dev/sda, then unplug it and plug in a CD-ROM the next.
I think what we need is a mapping in the policy from device *types* to
contexts. E.g. something like:
disk system_u:object_r:fixed_disk_device_t
cdrom system_u:object_r:removable_device_t
Then udev can read this and do the labeling itself. I think this will
be sufficient for most people, but I wonder if it's worth implementing a
more specific matching, so I could put e.g. PCI ids or USB manufacturers
on the left side.
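The three pieces argued over above, Thomas's "scan /proc/ide for cdroms and emit file_contexts lines" Makefile hack, Russell's "|| true" fix for the abort when the last IDE device is not a cdrom, and Colin's mapping from device *types* to contexts, as one added shell example. This is not code from the thread or from the SELinux policy tree: the /proc/ide-style tree and the "<media> <context>" mapping-file format are constructed assumptions, and every function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread, not SELinux project code): a robust
# version of the "scan /proc/ide for cdroms and emit file_contexts lines"
# recipe, driven by a media-type -> context mapping file of the kind Colin
# sketched. The /proc/ide tree and the mapping file are constructed below
# so the script runs offline; the mapping-file format is an assumption.

# Build a constructed /proc/ide-style tree under $1; remaining args are
# "name=media" pairs, e.g. hda=disk hdc=cdrom.
make_fake_proc() {
    root=$1; shift
    mkdir -p "$root/ide"
    for spec in "$@"; do
        name=${spec%%=*}; media=${spec#*=}
        mkdir -p "$root/ide/$name"
        echo "$media" > "$root/ide/$name/media"
    done
}

# Mapping from media type to SELinux context, one "<media> <context>" per
# line (constructed; the format is the one Colin sketched, not a real file).
write_mapping() {
    cat > "$1" <<'EOF'
disk system_u:object_r:fixed_disk_device_t
cdrom system_u:object_r:removable_device_t
EOF
}

# Thomas's Makefile loop as plain shell (awk dropped): the loop's exit status
# is that of the last "grep -q cdrom", so it is non-zero when the last hd* is
# a disk, and grep errors out when the glob matches nothing and the literal
# pattern is passed to it. Under make, either case aborts the build.
makefile_loop() {
    for i in "$1"/ide/hd*/media; do
        grep -q cdrom "$i" && echo "$i"
    done
}

# Russell's fix: "|| true" makes every iteration succeed.
makefile_loop_fixed() {
    for i in "$1"/ide/hd*/media; do
        grep -q cdrom "$i" && echo "$i" || true
    done
}

# Emit one file_contexts line per IDE device whose media type has a mapping
# in $2, scanning the /proc-style tree under $1. Unmatched globs and unknown
# media types are skipped rather than failing, so a caller's make never
# aborts on a box without cdroms, and new device types need only a new
# mapping line, not a policy change.
gen_device_contexts() {
    proc=$1; map=$2
    for m in "$proc"/ide/hd*/media; do
        [ -f "$m" ] || continue          # unmatched glob leaves the literal pattern
        dev=$(basename "$(dirname "$m")")
        media=$(cat "$m")
        ctx=$(awk -v t="$media" '$1 == t { print $2 }' "$map")
        [ -n "$ctx" ] || continue        # no mapping: leave it to the default /dev rule
        printf '/dev/%s\t-b\t%s\n' "$dev" "$ctx"
    done
    return 0
}
```

Point `gen_device_contexts` at a real `/proc` and a mapping file to see the lines it would append to file_contexts; the two `makefile_loop*` functions exist only to reproduce the exit-status difference Russell describes, and are worth running once on a tree whose last `hd*` is a disk.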
* Re: policy patch for tunable "/dev/hdc is removable drive"
2004-08-29 13:17 ` Colin Walters
@ 2004-09-01 6:19 ` Russell Coker
0 siblings, 0 replies; 18+ messages in thread
From: Russell Coker @ 2004-09-01 6:19 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Sun, 29 Aug 2004 23:17, Colin Walters <walters@verbum.org> wrote:
> On Sat, 2004-08-28 at 23:54 +1000, Russell Coker wrote:
> > On Thu, 26 Aug 2004 03:07, Colin Walters <walters@verbum.org> wrote:
> > > I guess genhomedircon is a precedent here, but: I don't think this
> > > makes sense, because then the policy is dependent on the machine where
> > > you build the policy, which may be different from the machine to which
> > > the policy is ultimately installed.
> > >
> > > This kind of calculation should probably be done in the policy post-
> > > installation step.
> >
> > We could do that.
> >
> > Another possibility may be to have udev do this and create a /dev/cdroms
> > directory or something similar.
>
> Yes, having this kind of logic in udev makes more sense to me.
> Fundamentally the SELinux policy is a static entity, and devices are
> dynamic. I could plug in a USB mass-storage disk one minute, have that
> be /dev/sda, then unplug it and plug in a CD-ROM the next.
>
> I think what we need is a mapping in the policy from device *types* to
> contexts. E.g. something like:
>
> disk system_u:object_r:fixed_disk_device_t
> cdrom system_u:object_r:removable_device_t
>
> Then udev can read this and do the labeling itself. I think this will
> be sufficient for most people, but I wonder if it's worth implementing a
> more specific matching, so I could put e.g. PCI ids or USB manufacturers
> on the left side.
I can't remember whether I already replied to this. It's a great idea, now
all we need is someone to contribute the code... ;)
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page