* [refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t
@ 2011-11-15 9:45 Sven Vermeulen
2012-02-08 20:43 ` Christopher J. PeBenito
2012-02-22 13:46 ` Christopher J. PeBenito
0 siblings, 2 replies; 4+ messages in thread
From: Sven Vermeulen @ 2011-11-15 9:45 UTC (permalink / raw)
To: refpolicy
When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in the case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.
Other block device applications, like blkid (running in fsadm_t), use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.
By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/storage.fc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 57c4a6a..54f1827 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -1,4 +1,4 @@
-
+/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
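Review bot: the added entry carries the `-c` (character device) file-type specifier, but the nodes it targets are block devices, as both the description ("temporary block devices") and the pattern's own `.tmp-block-` name say; with `-c`, setfiles/restorecon will never apply this line to a `/dev/.tmp-block-*` node and the node keeps its previous label, so the mdadm case the patch sets out to fix is not actually covered. Use `-b` instead: `/dev/\.tmp-block-.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The hunk also drops the empty first line of the file; fine as cleanup, but worth a word in the description.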
--
1.7.3.4
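To make the file-type specifier in the hunk concrete, here is an added example (not code from this thread, from refpolicy or from libselinux) that resolves a path and inode type against a few refpolicy-style file_contexts source lines. It assumes the standard one-letter type flags (-b block, -c char, and so on, no flag meaning any type), that each pattern is anchored to the whole path, and that the last matching entry wins; the sample entries are constructed here from the patched line, a corrected `-b` variant, one of the tape lines and a catch-all /dev entry, and `gen_context()` is simply unwrapped rather than expanded the way the refpolicy build does.

```python
"""Toy resolver for refpolicy-style file_contexts (.fc) entries (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# file-type flags accepted in file_contexts; no flag means "any inode type"
TYPE_FLAGS = {
    "-b": "block", "-c": "char", "-d": "dir", "-p": "fifo",
    "-l": "symlink", "-s": "sock", "--": "file",
}

# one .fc source line:  <regex> [<flag>] gen_context(<context>,<mls level>)
_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<flag>-[bcdlps-])\s+)?"
    r"gen_context\((?P<ctx>[^,]+),(?P<level>[^)]+)\)\s*$"
)


@dataclass
class FcEntry:
    regex: re.Pattern
    ftype: Optional[str]   # None = applies to every inode type
    context: str           # user:role:type; the level is left to the build macro
    level: str


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc source lines; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable fc line: {raw!r}")
        flag = m.group("flag")
        entries.append(FcEntry(
            # patterns are matched against the whole path, so anchor them
            regex=re.compile(r"^(?:" + m.group("regex") + r")$"),
            ftype=TYPE_FLAGS[flag] if flag else None,
            context=m.group("ctx"),
            level=m.group("level"),
        ))
    return entries


def lookup(entries: List[FcEntry], path: str, ftype: str) -> Optional[str]:
    """Return the context of the last entry whose regex and type flag match."""
    found = None
    for e in entries:
        if e.regex.match(path) and e.ftype in (None, ftype):
            found = e.context
    return found


def selinux_type(context: Optional[str]) -> Optional[str]:
    """Extract the type field (third component) of user:role:type."""
    return context.split(":")[2] if context else None


def resolve(fc_source: str, path: str, ftype: str) -> Optional[str]:
    """Parse the source, look the path up and return just the SELinux type."""
    return selinux_type(lookup(parse_fc(fc_source), path, ftype))


# Constructed sample: a catch-all /dev line, the entry exactly as posted (-c),
# and one of the tape lines from the hunk's context.
PATCH_AS_POSTED = r"""
/dev/.*                       gen_context(system_u:object_r:device_t,s0)
/dev/\.tmp-block-.*       -c  gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/n?(raw)?[qr]ft[0-3]  -c  gen_context(system_u:object_r:tape_device_t,s0)
"""

# Same sample with the block-device flag on the temporary-node entry.
PATCH_WITH_BLOCK_FLAG = r"""
/dev/.*                       gen_context(system_u:object_r:device_t,s0)
/dev/\.tmp-block-.*       -b  gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/n?(raw)?[qr]ft[0-3]  -c  gen_context(system_u:object_r:tape_device_t,s0)
"""

if __name__ == "__main__":
    node = "/dev/.tmp-block-8:1"   # udev's temporary node for major 8, minor 1
    print("-c entry, block node:", resolve(PATCH_AS_POSTED, node, "block"))
    print("-b entry, block node:", resolve(PATCH_WITH_BLOCK_FLAG, node, "block"))
    print("tape char node:      ", resolve(PATCH_AS_POSTED, "/dev/nqft0", "char"))
```

Run as a script it shows the point of the type flag: against the entry as posted, a block node under `/dev/.tmp-block-` falls through to the catch-all `device_t`, while the `-b` variant yields `fixed_disk_device_t`; the tape line, whose targets really are character devices, resolves as expected either way.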
* [refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t
From: Christopher J. PeBenito @ 2012-02-08 20:43 UTC (permalink / raw)
To: refpolicy
On 11/15/11 04:45, Sven Vermeulen wrote:
> When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
> get by default marked as device_t. However, in the case of software raid devices,
> the mdadm application (running in mdadm_t) does not hold the proper privileges
> to access this for its auto-assembly of the raids.
>
> Other block device applications, like blkid (running in fsadm_t), use these
> temporary block devices as well, but already hold the necessary privileges on
> device_t to continue their work.
>
> By marking the temporary block device as a fixed_disk_device_t, all these block
> device handling applications (such as blkid, but also mdadm) now hold the proper
> privileges. Since udev is selinux-aware, the created files are immediately
> restorecon'ed before the rules are applied.
I'm conflicted on this. On one hand, I obviously want udev to apply the correct label, but I also don't want a restorecon/setfiles at a later date to change the label of what is clearly a temp file.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/storage.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 57c4a6a..54f1827 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -1,4 +1,4 @@
> -
> +/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
> /dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0)
> /dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t
From: Sven Vermeulen @ 2012-02-09 6:52 UTC (permalink / raw)
To: refpolicy
On Wed, Feb 8, 2012 at 9:43 PM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> I'm conflicted on this. On one hand, I obviously want udev to apply the correct label, but I also don't want a restorecon/setfiles at a later date to change the label of what is clearly a temp file.
It is, but it is also (re)moved quite fast as well. I don't think
there's a restorecon/setfiles needed anywhere on this.
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t
From: Christopher J. PeBenito @ 2012-02-22 13:46 UTC (permalink / raw)
To: refpolicy
On 11/15/11 04:45, Sven Vermeulen wrote:
> When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
> get by default marked as device_t. However, in the case of software raid devices,
> the mdadm application (running in mdadm_t) does not hold the proper privileges
> to access this for its auto-assembly of the raids.
>
> Other block device applications, like blkid (running in fsadm_t), use these
> temporary block devices as well, but already hold the necessary privileges on
> device_t to continue their work.
>
> By marking the temporary block device as a fixed_disk_device_t, all these block
> device handling applications (such as blkid, but also mdadm) now hold the proper
> privileges. Since udev is selinux-aware, the created files are immediately
> restorecon'ed before the rules are applied.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/storage.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 57c4a6a..54f1827 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -1,4 +1,4 @@
> -
> +/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
> /dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0)
> /dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com