* Patch to make udev/tmpfs work and changes from colin  walters for dbus.
@ 2004-09-07 20:45 Daniel J Walsh
  2004-09-08  0:00 ` Luke Kenneth Casson Leighton
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Daniel J Walsh @ 2004-09-07 20:45 UTC (permalink / raw)
  To: Stephen Smalley, SELinux

[-- Attachment #1: Type: text/plain, Size: 141 bytes --]

Adding

restorecon /dev /dev/null
restorecon /dev/*

and the attached policy patch seems to clear up the problems with udev 
and tmpfs.

Dan

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 18218 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.10/attrib.te
--- nsapolicy/attrib.te	2004-09-01 14:00:01.000000000 -0400
+++ policy-1.17.10/attrib.te	2004-09-07 15:55:15.049943838 -0400
@@ -347,9 +347,6 @@
 # For web clients such as netscape and squid
 attribute web_client_domain;
 
-# For a dbus client
-attribute dbus_client_domain;
-
 # For X Window System server domains
 attribute xserver;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.17.10/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.10/domains/program/hostname.te	2004-09-07 15:56:44.609170450 -0400
@@ -22,3 +22,4 @@
 
 # for when /usr is not mounted
 dontaudit hostname_t file_t:dir search;
+dontaudit hostname_t tmpfs_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.17.10/domains/program/init.te
--- nsapolicy/domains/program/init.te	2004-09-02 08:03:26.000000000 -0400
+++ policy-1.17.10/domains/program/init.te	2004-09-07 15:56:26.230974473 -0400
@@ -49,7 +49,7 @@
 ')
 
 # Create /dev/initctl.
-file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
+file_type_auto_trans(init_t, { device_t tmpfs_t }, initctl_t, fifo_file)
 
 # Create ioctl.save.
 file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
@@ -114,8 +114,7 @@
 can_setbool(init_t)
 
 # Read and write the console and ttys.
-allow init_t console_device_t:chr_file rw_file_perms;
-allow init_t tty_device_t:chr_file rw_file_perms;
+allow init_t { tmpfs_t tty_device_t console_device_t } :chr_file rw_file_perms;
 allow init_t ttyfile:chr_file rw_file_perms;
 allow init_t ptyfile:chr_file rw_file_perms;
 
@@ -140,3 +139,5 @@
 
 # file descriptors inherited from the rootfs.
 dontaudit init_t root_t:{ file chr_file } { read write }; 
+
+rw_dir_file(init_t, tmpfs_t)
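Review bot: The `rw_dir_file(init_t, tmpfs_t)` line appended at the end of init.te carries no comment, unlike the other rule groups visible in this file, and nothing ties it to the udev-on-tmpfs case. tmpfs_t is the label of any tmpfs object that has not been relabeled, so a reader cannot tell from the file whether the grant is meant to cover only /dev before restorecon has run. I would add a comment such as `# /dev on tmpfs is still labeled tmpfs_t until rc.sysinit runs restorecon`, and do the same for the tmpfs_t additions in the two earlier init.te hunks.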
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.17.10/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.10/domains/program/restorecon.te	2004-09-07 15:57:33.287384531 -0400
@@ -41,7 +41,9 @@
 allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
 allow restorecon_t unlabeled_t:dir read;
 allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
-allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };
+allow restorecon_t { tmpfs_t device_t device_type }:{chr_file blk_file} { getattr relabelfrom relabelto };
+allow restorecon_t tmpfs_t:{chr_file blk_file} { read write };
+
 allow restorecon_t ptyfile:chr_file getattr;
 
 allow restorecon_t fs_t:filesystem getattr;
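Review bot: The first added rule repeats `device_type` with exactly the permissions the unchanged line directly above already grants, and the second grants `{ read write }` on `blk_file` as well as `chr_file`. If the read/write access exists for descriptors restorecon inherits (console, /dev/null) while they are still tmpfs_t, which is my guess since the hunk does not say, block devices are not needed. I would write `allow restorecon_t { tmpfs_t device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };` and `allow restorecon_t tmpfs_t:chr_file { read write };`. The new rule also adds `relabelto` on device_t, which the removed line did not grant, so a one-line comment giving the reason would help.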
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.10/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.10/domains/program/unused/bluetooth.te	2004-09-07 15:55:15.094939442 -0400
@@ -8,7 +8,7 @@
 #
 # Rules for the bluetooth_t domain.
 #
-daemon_domain(bluetooth, `, dbus_client_domain')
+daemon_domain(bluetooth)
 
 file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
 
@@ -22,6 +22,7 @@
 # Use the network.
 can_network(bluetooth_t)
 can_ypbind(bluetooth_t)
+dbusd_client(system, bluetooth_t)
 allow bluetooth_t self:socket { create setopt ioctl bind listen };
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.10/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
+++ policy-1.17.10/domains/program/unused/cups.te	2004-09-07 15:55:15.138935145 -0400
@@ -12,7 +12,7 @@
 # cupsd_exec_t is the type of the cupsd executable.
 #
 type ipp_port_t, port_type;
-daemon_domain(cupsd, `, auth_chkpwd, dbus_client_domain')
+daemon_domain(cupsd, `, auth_chkpwd')
 etcdir_domain(cupsd)
 typealias cupsd_etc_t alias etc_cupsd_t;
 type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
@@ -20,6 +20,7 @@
 
 can_network(cupsd_t)
 can_ypbind(cupsd_t)
+dbusd_client(system, cupsd_t)
 logdir_domain(cupsd)
 
 tmp_domain(cupsd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.10/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.10/domains/program/unused/dbusd.te	2004-09-07 15:55:15.028945889 -0400
@@ -2,34 +2,17 @@
 #
 # Author:  Russell Coker <russell@coker.com.au>
 
-daemon_domain(dbusd, `, userspace_objmgr')
-type etc_dbusd_t, file_type, sysadmfile;
+dbusd_domain(system)
 
-allow dbusd_t dbusd_var_run_t:sock_file create_file_perms;
+allow system_dbusd_t dbusd_var_run_t:sock_file create_file_perms;
 
 ifdef(`pamconsole.te', `
-r_dir_file(dbusd_t, pam_var_console_t)
+r_dir_file(system_dbusd_t, pam_var_console_t)
 ')
 
-r_dir_file(dbusd_t, etc_dbusd_t)
-allow dbusd_t self:unix_stream_socket create_stream_socket_perms;
-allow dbusd_t self:unix_dgram_socket create_socket_perms;
-
-allow dbusd_t etc_t:file { getattr read };
 # dac_override: /var/run/dbus is owned by messagebus on Debian
-allow dbusd_t self:capability { dac_override setgid setuid };
-allow dbusd_t self:file { getattr read };
-allow dbusd_t proc_t:file { read };
-can_ypbind(dbusd_t)
+allow system_dbusd_t self:capability { dac_override setgid setuid };
+can_ypbind(system_dbusd_t)
 
 # I expect we need more than this
-allow { dbus_client_domain userdomain } { var_run_t dbusd_var_run_t }:dir search;
-allow { dbus_client_domain userdomain } dbusd_var_run_t:sock_file { write };
-allow { dbus_client_domain userdomain } dbusd_t:unix_stream_socket { connectto };
-
-# Permissions for SE-DBus operation
-r_dir_file(dbusd_t,selinux_config_t)
-
-# SE-DBus specific permissions
-allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
-domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)
+
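Review bot: The removed `r_dir_file(dbusd_t,selinux_config_t)` has no replacement for system_dbusd_t in this hunk, and the dbusd_domain macro added in macros/program/dbusd_macros.te does not grant it either. Unless daemon_domain or base_file_read_access covers selinux_config_t (not visible here), the daemon loses the read access that the old comment tied to SE-DBus operation. I would keep `r_dir_file(system_dbusd_t, selinux_config_t)` here or add `r_dir_file($1_dbusd_t, selinux_config_t)` to the macro. The comment `# I expect we need more than this` is now left with no rules under it and could be dropped together with the added blank line.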
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.10/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2004-09-02 08:03:26.000000000 -0400
+++ policy-1.17.10/domains/program/unused/hald.te	2004-09-07 15:55:15.183930749 -0400
@@ -10,7 +10,7 @@
 #
 # hald_exec_t is the type of the hald executable.
 #
-daemon_domain(hald, `, dbus_client_domain, fs_domain')
+daemon_domain(hald, `, fs_domain')
 
 can_exec(hald_t, hald_exec_t)
 
@@ -18,7 +18,7 @@
 allow hald_t self:unix_stream_socket create_stream_socket_perms;
 allow hald_t self:unix_dgram_socket create_socket_perms;
 
-allow hald_t dbusd_t:dbus { acquire_svc };
+allow hald_t system_dbusd_t:dbus { acquire_svc };
 
 allow hald_t { self proc_t }:file { getattr read };
 
@@ -31,6 +31,7 @@
 allow hald_t self:capability { net_admin sys_admin };
 can_network(hald_t)
 can_ypbind(hald_t)
+dbusd_client(system, hald_t)
 
 allow hald_t device_t:lnk_file read;
 allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
@@ -47,3 +48,5 @@
 
 allow hald_t usbdevfs_t:dir search;
 allow hald_t usbdevfs_t:file { getattr read };
+allow hald_t usbfs_t:dir search;
+allow hald_t usbfs_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.10/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.10/domains/program/unused/hotplug.te	2004-09-07 15:55:15.128936121 -0400
@@ -11,7 +11,7 @@
 # hotplug_exec_t is the type of the hotplug executable.
 #
 ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, dbus_client_domain, unrestricted')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
 ', `
 daemon_domain(hotplug, `, privmodule, dbus_client_domain')
 ')
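Review bot: Only the unlimitedUtils branch was updated; the else branch on the last lines of this hunk still reads ``daemon_domain(hotplug, `, privmodule, dbus_client_domain')``, while the attrib.te hunk of this patch deletes the `dbus_client_domain` attribute. With unlimitedUtils undefined the policy would reference an undeclared attribute, and the tunable.tun hunk of this same patch enables unlimitedUtils, which would hide the problem in the author's build. The else branch should become ``daemon_domain(hotplug, `, privmodule')``.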
@@ -143,6 +143,7 @@
 
 can_network(hotplug_t)
 can_ypbind(hotplug_t)
+dbusd_client(system, hotplug_t)
 
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
 domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.17.10/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.10/domains/program/unused/kudzu.te	2004-09-07 15:54:49.325454423 -0400
@@ -29,6 +29,8 @@
 allow kudzu_t sysctl_kernel_t:file { getattr read write };
 allow kudzu_t usbdevfs_t:dir search;
 allow kudzu_t usbdevfs_t:file { getattr read };
+allow kudzu_t usbfs_t:dir search;
+allow kudzu_t usbfs_t:file { getattr read };
 allow kudzu_t var_t:dir search;
 allow kudzu_t kernel_t:system { syslog_console };
 allow kudzu_t self:udp_socket { create ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.10/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
+++ policy-1.17.10/domains/program/unused/udev.te	2004-09-07 16:00:22.809653212 -0400
@@ -9,7 +9,7 @@
 #
 # udev_exec_t is the type of the udev executable.
 #
-daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd, dbus_client_domain')
+daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd')
 
 general_domain_access(udev_t)
 
@@ -28,10 +28,10 @@
 allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
 allow udev_t self:unix_dgram_socket create_socket_perms;
 allow udev_t self:fifo_file rw_file_perms;
-allow udev_t device_t:blk_file create_file_perms;
-allow udev_t device_t:chr_file create_file_perms;
-allow udev_t device_t:sock_file create_file_perms;
-allow udev_t device_t:lnk_file create_lnk_perms;
+allow udev_t { tmpfs_t device_t }:blk_file create_file_perms;
+allow udev_t { tmpfs_t device_t }:chr_file create_file_perms;
+allow udev_t { tmpfs_t device_t }:sock_file create_file_perms;
+allow udev_t { tmpfs_t device_t }:lnk_file create_lnk_perms;
 allow udev_t etc_t:file { getattr read };
 allow udev_t { bin_t sbin_t }:dir r_dir_perms;
 allow udev_t { sbin_t bin_t }:lnk_file read;
@@ -40,7 +40,7 @@
 can_exec(udev_t, udev_exec_t)
 r_dir_file(udev_t, sysfs_t)
 allow udev_t sysadm_tty_device_t:chr_file { read write };
-allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
+allow udev_t { tmpfs_t device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
 	
 # to read the file_contexts file
 r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
@@ -96,3 +96,10 @@
 ifdef(`dhcpc.te', `
 domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
 ')
+
+allow udev_t tmpfs_t:dir { search };
+rw_dir_create_file(udev_t, { device_t tmpfs_t })
+allow udev_t udev_helper_exec_t:dir r_dir_perms;
+
+dbusd_client(system, udev_t)
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.10/domains/program/unused/updfstab.te
--- nsapolicy/domains/program/unused/updfstab.te	2004-09-02 08:03:26.000000000 -0400
+++ policy-1.17.10/domains/program/unused/updfstab.te	2004-09-07 15:55:15.115937391 -0400
@@ -3,7 +3,7 @@
 # Author:  Russell Coker <russell@coker.com.au>
 #
 
-daemon_base_domain(updfstab, `, fs_domain, etc_writer, dbus_client_domain')
+daemon_base_domain(updfstab, `, fs_domain, etc_writer')
 
 rw_dir_create_file(updfstab_t, etc_t)
 create_dir_file(updfstab_t, mnt_t)
@@ -28,6 +28,8 @@
 
 read_locale(updfstab_t)
 
+dbusd_client(system, updfstab_t)
+
 # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
 # I will not allow it
 dontaudit updfstab_t { sysctl_t sysctl_kernel_t }:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.10/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc	2004-08-31 10:55:37.000000000 -0400
+++ policy-1.17.10/file_contexts/program/named.fc	2004-09-07 15:54:49.325454423 -0400
@@ -14,7 +14,7 @@
 ') dnl distro_debian
 
 /etc/rndc.*		--	system_u:object_r:named_conf_t
-/usr/sbin/named.*      	--	system_u:object_r:named_exec_t
+/usr/sbin/named      	--	system_u:object_r:named_exec_t
 /usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
 /var/run/ndc		-s	system_u:object_r:named_var_run_t
 /var/run/bind(/.*)?		system_u:object_r:named_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.10/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2004-09-04 07:28:25.000000000 -0400
+++ policy-1.17.10/macros/base_user_macros.te	2004-09-07 15:55:15.195929577 -0400
@@ -185,6 +185,10 @@
 can_network($1_t)
 can_ypbind($1_t)
 
+# Grant permissions to access the system DBus
+dbusd_client(system, $1_t)
+dbusd_domain($1)
+
 # allow port_t name binding for UDP because it is not very usable otherwise
 allow $1_t port_t:udp_socket name_bind;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.10/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.17.10/macros/program/dbusd_macros.te	2004-09-07 15:55:15.038944913 -0400
@@ -0,0 +1,62 @@
+#
+# Macros for Dbus
+#
+# Author: Colin Walters <walters@redhat.com>
+
+# dbusd_domain(domain_prefix)
+#
+# Define a derived domain for the DBus daemon.
+
+define(`dbusd_domain', `
+ifelse(`system', `$1',`
+daemon_domain(system_dbusd, `, userspace_objmgr')
+# For backwards compatibility
+typealias system_dbusd_t alias dbusd_t;
+typealias system_dbusd_exec_t alias dbusd_exec_t;
+typealias system_dbusd_var_run_t alias dbusd_var_run_t;
+type etc_dbusd_t, file_type, sysadmfile;
+',`
+ifdef(`single_userdomain', `
+typealias $1_t alias $1_dbusd_t;
+', `
+type $1_dbusd_t, domain, privlog, userspace_objmgr;
+role $1_r types $1_dbusd_t;
+domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
+
+')dnl end ifdef single_userdomain
+')dnl end ifelse system
+
+base_file_read_access($1_dbusd_t)
+uses_shlib($1_dbusd_t)
+allow $1_dbusd_t etc_t:file { getattr read };
+r_dir_file($1_dbusd_t, etc_dbusd_t)
+
+allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+
+allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
+allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t proc_t:file { read };
+
+')dnl end dbusd_domain definition
+
+# dbusd_client(dbus_type, domain)
+# Example: dbusd_client_domain(system, user_t)
+#
+# Grant permissions for connecting to the specified DBus type
+# from domain.
+define(`dbusd_client',`')
+ifdef(`dbusd.te',`
+undefine(`dbusd_client')
+define(`dbusd_client',`
+# For connecting to the bus
+allow $2 $1_dbusd_t:unix_stream_socket { connectto };
+ifelse(`system', `$1', `
+allow { $2 } { var_run_t system_dbusd_var_run_t }:dir search;
+allow { $2 } system_dbusd_var_run_t:sock_file { write };
+',`
+') dnl endif system
+# SE-DBus specific permissions
+allow $2 { $1_dbusd_t self }:dbus { send_msg };
+') dnl endif dbusd.te
+')
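Review bot: dbusd_domain is defined unconditionally, whereas dbusd_client just below it is stubbed to nothing unless dbusd.te is present. base_user_macros.te now calls `dbusd_domain($1)` for every user domain, and the non-system branch uses dbusd_exec_t and etc_dbusd_t, which only the `system` branch declares, so a build without dbusd.te (it lives under unused/) would appear to reference undeclared types. I would guard the call as ``ifdef(`dbusd.te', `dbusd_domain($1)')`` or stub dbusd_domain the same way dbusd_client is stubbed. Two documentation nits: the example in the dbusd_client header names `dbusd_client_domain`, which is not the macro being defined, and the two closing `dnl endif` labels are swapped (the first `')` closes the define, the last one closes the ifdef).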
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.10/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.10/tunables/distro.tun	2004-09-07 15:54:49.326454326 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.10/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
+++ policy-1.17.10/tunables/tunable.tun	2004-09-07 15:54:49.327454228 -0400
@@ -5,50 +5,47 @@
 dnl define(`user_net_control')
 
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Support NFS home directories
-dnl define(`nfs_home_dirs')
+define(`nfs_home_dirs')
 
 # Allow users to run games
-dnl define(`use_games')
+define(`use_games')
 
 # Allow ypbind to run with NIS
-dnl define(`allow_ypbind')
+define(`allow_ypbind')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow sysadm_t to do almost everything
 dnl define(`unrestricted_admin')
 
 # Allow the read/write/create on any NFS file system
-dnl define(`nfs_export_all_rw')
-
-# Allow users to unrestricted access
-dnl define(`unlimitedUsers')
+define(`nfs_export_all_rw')
 
 # Allow the reading on any NFS file system
 dnl define(`nfs_export_all_ro')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
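Review bot: This hunk turns on ten tunables (user_can_mount, unlimitedRPM, unlimitedUtils, nfs_home_dirs, use_games, allow_ypbind, unlimitedRC, hide_broken_symptoms, nfs_export_all_rw, user_canbe_sysadm) and deletes the unlimitedUsers entry, none of which the subject line or the mail body mentions. Several of them relax confinement by their own description (rc scripts and rpm unconfined, user_r able to reach sysadm_r), so they look like the local build configuration of the policy-1.17.10 tree leaking into the diff rather than part of the udev/tmpfs or dbus change. The distro.tun hunk that enables distro_redhat has the same character. I would drop both files from the patch, or submit any change of defaults separately with its rationale.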
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.10/types/file.te
--- nsapolicy/types/file.te	2004-08-30 09:49:16.000000000 -0400
+++ policy-1.17.10/types/file.te	2004-09-07 15:54:49.327454228 -0400
@@ -258,6 +258,7 @@
 # the default file system type.
 #
 allow { file_type device_type } fs_t:filesystem associate;
+allow { file_type device_type } tmpfs_t:filesystem associate;
 
 # Allow the pty to be associated with the file system.
 allow devpts_t devpts_t:filesystem associate;


* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-07 20:45 Patch to make udev/tmpfs work and changes from colin walters for dbus Daniel J Walsh
@ 2004-09-08  0:00 ` Luke Kenneth Casson Leighton
  2004-09-08 12:17 ` Stephen Smalley
  2004-09-09 12:53 ` James Carter
  2 siblings, 0 replies; 10+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-08  0:00 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux

On Tue, Sep 07, 2004 at 04:45:20PM -0400, Daniel J Walsh wrote:
> Adding
> 
> restorecon /dev /dev/null
> restorecon /dev/*

 yes, it does, doesn't it!

 that's why i wrote a little script called /sbin/restoredevicefiles
 and call it from at least two places in /etc/init.d scripts!!

 if you find that you don't need also to do restorecon /dev/*/*
 please let me know.

 also i notice from the policy patch that you haven't gotten
 around to using any of the tools listed in fsadm.te.

 l.



* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-07 20:45 Patch to make udev/tmpfs work and changes from colin walters for dbus Daniel J Walsh
  2004-09-08  0:00 ` Luke Kenneth Casson Leighton
@ 2004-09-08 12:17 ` Stephen Smalley
  2004-09-08 14:57   ` Daniel J Walsh
  2004-09-08 22:04   ` Luke Kenneth Casson Leighton
  2004-09-09 12:53 ` James Carter
  2 siblings, 2 replies; 10+ messages in thread
From: Stephen Smalley @ 2004-09-08 12:17 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Tue, 2004-09-07 at 16:45, Daniel J Walsh wrote:
> Adding
> 
> restorecon /dev /dev/null
> restorecon /dev/*

Adding them where?  If you do this from /sbin/init immediately after the
initial policy load, then I would have expected that you wouldn't need
to insert tmpfs_t in as many places, as only init and restorecon would
then need to temporarily access /dev while it was still labeled tmpfs_t.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-08 12:17 ` Stephen Smalley
@ 2004-09-08 14:57   ` Daniel J Walsh
  2004-09-08 15:12     ` Stephen Smalley
  2004-09-08 22:04   ` Luke Kenneth Casson Leighton
  1 sibling, 1 reply; 10+ messages in thread
From: Daniel J Walsh @ 2004-09-08 14:57 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

Stephen Smalley wrote:

>On Tue, 2004-09-07 at 16:45, Daniel J Walsh wrote:
>  
>
>>Adding
>>
>>restorecon /dev /dev/null
>>restorecon /dev/*
>>    
>>
>
>Adding them where?  If you do this from /sbin/init immediately after the
>initial policy load, then I would have expected that you wouldn't need
>to insert tmpfs_t in as many places, as only init and restorecon would
>then need to temporarily access /dev while it was still labeled tmpfs_t.
>
>  
>
It is the feeling here to keep the init program as simple as possible 
for maintainability; bugs in it are very difficult to debug, so the
restorecon will remain in the rc.sysinit scripts.


* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-08 14:57   ` Daniel J Walsh
@ 2004-09-08 15:12     ` Stephen Smalley
  2004-09-08 15:35       ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2004-09-08 15:12 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux

On Wed, 2004-09-08 at 10:57, Daniel J Walsh wrote:
> It is the feeling here to keep the init program as simple as possible 
> for maintainability, bugs in it are very difficult to debug, so the
> restorecon will remain in the rc.sysinit scripts.

Is the patch for rc.sysinit available somewhere we can look at it?  You
want to apply restorecon as early as possible in it to minimize the set
of programs that access /dev before it has been restored.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-08 15:12     ` Stephen Smalley
@ 2004-09-08 15:35       ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2004-09-08 15:35 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 609 bytes --]

Stephen Smalley wrote:

>On Wed, 2004-09-08 at 10:57, Daniel J Walsh wrote:
>  
>
>>It is the feeling here to keep the init program as simple as possible 
>>for maintainability, bugs in it are very difficult to debug, so the
>>restorecon will remain in the rc.sysinit scripts.
>>    
>>
>
>Is the patch for rc.sysinit available somewhere we can look at it?  You
>want to apply restorecon as early as possible in it to minimize the set
>of programs that access /dev before it has been restored.
>
>  
>
The new initscripts package is out on my people page.
mount, hostname and init will need the privs.

Dan



[-- Attachment #2: rc.sysinit --]
[-- Type: text/plain, Size: 25985 bytes --]

#!/bin/bash
#
# /etc/rc.d/rc.sysinit - run once at boot time
#
# Taken in part from Miquel van Smoorenburg's bcheckrc.
#

# Re-exec this script under initlog when it is installed. IN_INITLOG is
# presumably set by initlog itself, which keeps the second pass from looping.
if [ -z "$IN_INITLOG" ] && [ -x /sbin/initlog ]; then
    exec /sbin/initlog -r /etc/rc.d/rc.sysinit
fi

# Host name, machine type and kernel release. `version` ends up as the
# two-element array (major minor) built from the release string.
# NOTE(review): these commands, the mounts below and the sourced files all run
# before the restorecon of /dev further down, i.e. while device nodes on a
# tmpfs /dev have not been relabeled yet.
HOSTNAME=$(/bin/hostname)
HOSTTYPE=$(uname -m)
unamer=$(uname -r)
eval version=$(echo $unamer | awk -F '.' '{ print "(" $1 " " $2 ")" }')

# /etc/sysconfig/network may override HOSTNAME; fall back to localhost when
# the name is empty or the literal "(none)".
if [ -f /etc/sysconfig/network ]; then
    . /etc/sysconfig/network
fi
case "$HOSTNAME" in
    ""|"(none)") HOSTNAME=localhost ;;
esac

# Mount /proc and /sys (done here so volume labels can work with fsck)
mount -n -t proc /proc /proc
mount -n -t usbfs /proc/bus/usb /proc/bus/usb
mount -n -t sysfs /sys /sys >/dev/null 2>&1

# Shared helper functions used by the rest of this script.
. /etc/init.d/functions

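# Check SELinux status
#   selinuxfs : mount point of selinuxfs as listed in /proc/mounts (empty when
#               it is not mounted).
#   SELINUX   : left empty unless selinuxfs is mounted and the current process
#               context is not "kernel"; otherwise the content of the enforce
#               node, or 1 when that node cannot be read.
selinuxfs=$(awk '/ selinuxfs / { print $2 }' /proc/mounts)
SELINUX=
if [ -n "$selinuxfs" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
	# Quoted so the path stays a single word whatever the mount point is.
	if [ -r "$selinuxfs/enforce" ] ; then
		SELINUX=$(cat "$selinuxfs/enforce")
	else
		# assume enforcing if you can't read it
		SELINUX=1
	fi
fi

# Relabel /dev when it is a separate mount (the case this thread is about:
# /dev on tmpfs, whose nodes start out without their policy labels).
# restorecon is called by the same absolute path that the -x test checks, so
# the binary that was tested is the one that runs.
# NOTE(review): this only happens when SELINUX is exactly "1"; in permissive
# mode /dev is left as it is -- confirm that is intended.
# NOTE(review): only /dev itself and its direct entries are relabeled, nodes
# in subdirectories of /dev are not, and errors from the second call are
# discarded, so a failed relabel is silent.
if [ "$SELINUX" = "1" ] && [ -x /sbin/restorecon ] && fgrep -q " /dev " /proc/mounts ; then
	/sbin/restorecon  /dev /dev/null
	/sbin/restorecon  /dev/* 2> /dev/null
fi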

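# Switch SELinux to permissive mode for system recovery.
# Prints a three-line warning and writes "0" to the enforce node under the
# global $selinuxfs (the selinuxfs mount point found earlier in this script).
# Takes no arguments. Enforcement stays off until something writes 1 back,
# e.g. the 'setenforce 1' the message mentions.
disable_selinux() {
	echo "*** Warning -- SELinux is active"
	echo "*** Disabling security enforcement for system recovery."
	echo "*** Run 'setenforce 1' to reenable."
	# Quoted: an unquoted redirect target is split on whitespace, and bash
	# then refuses the write as an ambiguous redirect.
	echo "0" > "$selinuxfs/enforce"
}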

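# Relabel all file systems at boot.
# Sequence: switch to virtual terminal 1 if the graphical boot client answers,
# print a warning, set SELinux permissive, remount / read-write and mount
# everything, run 'fixfiles -F relabel', remove /.autorelabel, remount /
# read-only, unmount, then write the value saved in $SELINUX back to the
# enforce node. Uses the globals $selinuxfs and $SELINUX; takes no arguments.
relabel_selinux() {
    local relabel_status
    if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
	chvt 1
    fi
    echo "
         *** Warning -- SELinux relabel is required. ***
	 *** Disabling security enforcement.         ***
	 *** Relabeling could take a very long time, ***
	 *** depending on file system size.          ***
	 "
    echo "0" > "$selinuxfs/enforce"
    mount -n -o remount,rw /
    mount -a
    /sbin/fixfiles -F relabel > /dev/null 2>&1
    relabel_status=$?
    # fixfiles output is discarded, so report at least a non-zero exit status;
    # otherwise a failed relabel is indistinguishable from a successful one.
    if [ $relabel_status -ne 0 ]; then
	echo "*** Warning -- fixfiles relabel exited with status $relabel_status. ***"
    fi
    # NOTE(review): the flag file is removed even when fixfiles failed, so the
    # relabel is not retried on the next boot and enforcement is restored over
    # whatever labels are present. Left as is to avoid a relabel on every boot.
    rm -f  /.autorelabel
    mount -n -o remount,ro /
    umount -a
    echo "*** Enabling security enforcement.         ***"
    # Restores the value read at startup, which may itself be 0.
    echo "$SELINUX" > "$selinuxfs/enforce"
}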



# On everything except s390/s390x, open for writing each tty that
# /etc/inittab gives to mingetty, plus the two ttys numbered after the last
# one listed.
if [ "$HOSTTYPE" != "s390" ] && [ "$HOSTTYPE" != "s390x" ]; then
    last=0
    for i in $(LC_ALL=C grep '^[0-9].*respawn:/sbin/mingetty' /etc/inittab | sed 's/^.* tty\([0-9][0-9]*\).*/\1/g'); do
        : > /dev/tty$i
        last=$i
    done
    if [ $last -gt 0 ]; then
        : > /dev/tty$((last+1))
        : > /dev/tty$((last+2))
    fi
fi

# Load the console font on a virtual terminal when setsysfont is installed,
# and report the outcome with the success/failure helpers.
if [ "$CONSOLETYPE" = "vt" ] && [ -x /sbin/setsysfont ]; then
    echo -n "Setting default font ($SYSFONT): "
    /sbin/setsysfont
    if [ $? -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    echo
fi

# Print the welcome banner. The product name comes from /etc/redhat-release;
# the vendor word is printed in red when BOOTUP is "color".
echo -en $"\t\tWelcome to "
if LC_ALL=C fgrep -q "Red Hat" /etc/redhat-release ; then
    if [ "$BOOTUP" = "color" ]; then
        echo -en "\\033[0;31m"
    fi
    echo -en "Red Hat"
    if [ "$BOOTUP" = "color" ]; then
        echo -en "\\033[0;39m"
    fi
    PRODUCT=$(sed "s/Red Hat \(.*\) release.*/\1/" /etc/redhat-release)
    echo " $PRODUCT"
elif LC_ALL=C fgrep -q "Fedora" /etc/redhat-release ; then
    if [ "$BOOTUP" = "color" ]; then
        echo -en "\\033[0;31m"
    fi
    echo -en "Fedora"
    if [ "$BOOTUP" = "color" ]; then
        echo -en "\\033[0;39m"
    fi
    PRODUCT=$(sed "s/Fedora \(.*\) release.*/\1/" /etc/redhat-release)
    echo " $PRODUCT"
else
    # Any other release file: print everything before " release".
    PRODUCT=$(sed "s/ release.*//g" /etc/redhat-release)
    echo "$PRODUCT"
fi

# Offer interactive startup unless PROMPT is "no".
if [ "$PROMPT" != "no" ]; then
    echo -en $"\t\tPress 'I' to enter interactive startup."
    echo
fi

# Fix console loglevel
[ -n "$LOGLEVEL" ] && /bin/dmesg -n $LOGLEVEL

# Pull in the udev settings (USE_UDEV and UDEV_TMPFS are tested below).
[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf

# Start udev only when both switches are "yes" and the helper is executable.
# NOTE(review): start_udev runs after the restorecon of /dev near the top of
# this script; if it creates or remounts anything under /dev, those nodes are
# not covered by that relabel -- confirm against start_udev.
if [ "$USE_UDEV" = "yes" ] && [ "$UDEV_TMPFS" = "yes" ] && [ -x /sbin/start_udev ]; then
	/sbin/start_udev
fi

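# Initialize hardware
# Point the kernel's module and hotplug helpers at the real binaries, unless
# "nomodules" was given on the kernel command line or /proc/modules is
# missing, in which case both helpers are set to /bin/true.
if [ -f /proc/sys/kernel/modprobe ]; then
   # strstr needs the command-line text itself, as in the fastboot and
   # forcefsck checks later in this script. The bare word "cmdline" can never
   # contain "nomodules", so the option would be silently ignored; $cmdline is
   # not set yet at this point, hence the direct read.
   if ! strstr "$(cat /proc/cmdline)" nomodules && [ -f /proc/modules ] ; then
       sysctl -w kernel.modprobe="/sbin/modprobe" >/dev/null 2>&1
       sysctl -w kernel.hotplug="/sbin/hotplug" >/dev/null 2>&1
   else
       # We used to set this to NULL, but that causes 'failed to exec' messages"
       sysctl -w kernel.modprobe="/bin/true" >/dev/null 2>&1
       sysctl -w kernel.hotplug="/bin/true" >/dev/null 2>&1
   fi
fi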

# Load kernel modules for the detected hardware, in a fixed order:
# IDE, SCSI (plus floppy), network, sound, then everything else.
# modprobe output and errors are discarded throughout, so a module that
# fails to load is not reported here.
echo -n $"Initializing hardware... "

# Module lists, one per device class, filled in from kmodule output below.
ide=""
scsi=""
network=""
audio=""
other=""
# kmodule prints "TYPE module" pairs. The while loop runs on the receiving end
# of a pipe, so its assignments would be lost; instead it echoes assignment
# statements and the surrounding eval applies them in this shell.
# NOTE(review): the echoed text is re-parsed as shell by eval, so this relies
# on kmodule emitting plain module names.
eval `kmodule | while read devtype mod ; do
	case "$devtype" in
		"IDE")	ide="$ide $mod"
		   echo "ide=\"$ide"\";;
		"SCSI") scsi="$scsi $mod"
		   echo "scsi=\"$scsi"\";;
		"NETWORK") network="$network $mod"
		   echo "network=\"$network"\";;
		"AUDIO") audio="$audio $mod"
		   echo "audio=\"$audio"\";;
		*) other="$other $mod"
		   echo "other=\"$other"\";;
	esac
done`

# IDE
for module in $ide ; do
	modprobe $module >/dev/null 2>&1
done

# SCSI
# Host adapters named by scsi_hostadapter aliases in the modprobe
# configuration come first, then the ones kmodule reported.
for module in `/sbin/modprobe -c | awk '/^alias[[:space:]]+scsi_hostadapter[[:space:]]/ { print $3 }'` $scsi; do
	modprobe $module >/dev/null 2>&1
done
modprobe floppy >/dev/null 2>&1

echo -n $" storage"

# Network
# Build the list of configured interfaces from the ifcfg-* file names,
# skipping loopback, alias (":") and backup/rpm leftover files, sorted by
# name and then numerically by the trailing number.
pushd /etc/sysconfig/network-scripts >/dev/null 2>&1
interfaces=`ls ifcfg* | LANG=C egrep -v '(ifcfg-lo|:|rpmsave|rpmorig|rpmnew)' | \
            LANG=C egrep -v '(~|\.bak)$' | \
            LANG=C egrep 'ifcfg-[A-Za-z0-9\._-]+$' | \
	    sed 's/^ifcfg-//g' |
	    sed 's/[0-9]/ &/' | LANG=C sort -k 1,1 -k 2n | sed 's/ //'`

for i in $interfaces ; do
	# NOTE(review): every line of ifcfg-$i that contains "DEVICE=" is
	# evaluated as shell in this script's shell, not merely parsed as a
	# KEY=value pair; the files are trusted to be administrator-controlled.
	eval $(LANG=C fgrep "DEVICE=" ifcfg-$i)
	# The interface name is handed to modprobe, presumably to be resolved
	# through a module alias -- confirm.
	modprobe $DEVICE >/dev/null 2>&1
done
popd >/dev/null 2>&1

for module in $network ; do
	modprobe $module >/dev/null 2>&1
done

echo -n $" network"

# Sound
# Modules named by snd-card-N aliases first, then the ones kmodule reported.
for module in `/sbin/modprobe -c | awk '/^alias[[:space:]]+snd-card-[[:digit:]]+[[:space:]]/ { print $3 }'` $audio; do
	modprobe $module >/dev/null 2>&1
done

echo -n $" audio"

# Everything else (duck and cover)
for module in $other ; do
	modprobe $module >/dev/null 2>&1
done

echo -n $" done"
success
echo

# Feed the raidautorun command for /dev/md0 to nash.
echo "raidautorun /dev/md0" | nash --quiet

# Start the graphical boot, if necessary; /usr may not be mounted yet, so we
# may have to do this again after mounting
RHGB_STARTED=0
mount -n /dev/pts

# rhgb starts only when it was requested on the kernel command line, the
# boot is in colour and graphical mode, and the binary is executable.
if fgrep rhgb /proc/cmdline > /dev/null 2>&1 \
   && [ "$BOOTUP" = "color" ] && [ "$GRAPHICAL" = "yes" ] && [ -x /usr/bin/rhgb ]; then
    LC_MESSAGES= /usr/bin/rhgb
    RHGB_STARTED=1
fi

# Configure kernel parameters
update_boot_stage RCkernelparam
action $"Configuring kernel parameters: " sysctl -e -p /etc/sysctl.conf

# Set the system clock.
update_boot_stage RCclock
ARC=0
SRM=0
UTC=0

if [ -f /etc/sysconfig/clock ]; then
    . /etc/sysconfig/clock

    # convert old style clock config to new values
    case "${CLOCKMODE}" in
        GMT) UTC=true ;;
        ARC) ARC=true ;;
    esac
fi

# Build the hwclock flags and the matching text for the status line.
# --hctosys is appended to whatever CLOCKFLAGS already holds.
CLOCKDEF=""
CLOCKFLAGS="$CLOCKFLAGS --hctosys"

if [ "$UTC" = "yes" ] || [ "$UTC" = "true" ]; then
    CLOCKFLAGS="$CLOCKFLAGS --utc"
    CLOCKDEF="$CLOCKDEF (utc)"
elif [ "$UTC" = "no" ] || [ "$UTC" = "false" ]; then
    CLOCKFLAGS="$CLOCKFLAGS --localtime"
    CLOCKDEF="$CLOCKDEF (localtime)"
fi
if [ "$ARC" = "yes" ] || [ "$ARC" = "true" ]; then
    CLOCKFLAGS="$CLOCKFLAGS --arc"
    CLOCKDEF="$CLOCKDEF (arc)"
fi
if [ "$SRM" = "yes" ] || [ "$SRM" = "true" ]; then
    CLOCKFLAGS="$CLOCKFLAGS --srm"
    CLOCKDEF="$CLOCKDEF (srm)"
fi

/sbin/hwclock $CLOCKFLAGS

action $"Setting clock $CLOCKDEF: `date`" date

# Load the console keymap on a virtual terminal when loadkeys is installed.
# /etc/sysconfig/console/default.kmap wins; otherwise KEYTABLE from
# /etc/sysconfig/keyboard is used, provided /lib/kbd/keymaps exists.
if [ "$CONSOLETYPE" = "vt" ] && [ -x /bin/loadkeys ]; then
    KEYTABLE=
    KEYMAP=
    if [ -f /etc/sysconfig/console/default.kmap ]; then
        KEYMAP=/etc/sysconfig/console/default.kmap
    else
        [ -f /etc/sysconfig/keyboard ] && . /etc/sysconfig/keyboard
        if [ -n "$KEYTABLE" ] && [ -d "/lib/kbd/keymaps" ]; then
            KEYMAP="$KEYTABLE.map"
        fi
    fi
    if [ -n "$KEYMAP" ]; then
        # Since this takes in/output from stdin/out, we can't use initlog
        if [ -z "$KEYTABLE" ]; then
            echo -n $"Loading default keymap: "
        else
            echo -n $"Loading default keymap ($KEYTABLE): "
        fi
        loadkeys $KEYMAP < /dev/tty0 > /dev/tty0 2>/dev/null && \
            success $"Loading default keymap" || failure $"Loading default keymap"
        echo
    fi
fi

# Set the hostname.
# HOSTNAME is set outside this part of the script.
update_boot_stage RChostname
action $"Setting hostname ${HOSTNAME}: " hostname ${HOSTNAME}

# Only read this once.
# The kernel command line is kept in $cmdline for the strstr checks below.
cmdline=$(cat /proc/cmdline)

# Initialize ACPI bits
# Every file found in the ACPI driver directory is handed to insmod; errors
# are discarded.  $unamer is set outside this part of the script
# (presumably the running kernel release -- confirm).
if [ -d /proc/acpi ]; then
   for module in /lib/modules/$unamer/kernel/drivers/acpi/* ; do
      insmod $module >/dev/null 2>&1
   done
fi

# "fastboot" (flag file or kernel argument) skips the filesystem checks below.
if [ -f /fastboot ] || strstr "$cmdline" fastboot ; then
	fastboot=yes
fi

# Extra fsck options can be handed over through the /fsckoptions file.
if [ -f /fsckoptions ]; then
	fsckoptions=`cat /fsckoptions`
fi

# Decide whether fsck is forced (-f).  An explicit request (flag file or
# kernel argument) wins; otherwise /.autofsck, the flag file this script
# recreates near its end, triggers the "unclean shutdown" handling.
if [ -f /forcefsck ] || strstr "$cmdline" forcefsck ; then
	fsckoptions="-f $fsckoptions"
elif [ -f /.autofsck ]; then
        # Switch to the text console if the graphical boot is answering.
        if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
	     chvt 1
	fi
	echo $"Your system appears to have shut down uncleanly"
	AUTOFSCK_TIMEOUT=5
	# The optional config file is sourced as shell code; it may set
	# AUTOFSCK_DEF_CHECK and override AUTOFSCK_TIMEOUT.
	[ -f /etc/sysconfig/autofsck ] && . /etc/sysconfig/autofsck
	if [ "$AUTOFSCK_DEF_CHECK" = "yes" ]; then
		AUTOFSCK_OPT=-f
	fi

	if [ "$PROMPT" != "no" ]; then
		# Interactive: the key press inverts the configured default.
		if [ "$AUTOFSCK_DEF_CHECK" = "yes" ]; then
			if /sbin/getkey -c $AUTOFSCK_TIMEOUT -m $"Press N within %d seconds to not force file system integrity check..." n ; then
				AUTOFSCK_OPT=
			fi
		else
			if /sbin/getkey -c $AUTOFSCK_TIMEOUT -m $"Press Y within %d seconds to force file system integrity check..." y ; then
				AUTOFSCK_OPT=-f
			fi
		fi
		echo
	else
		# PROMPT not allowed
		if [ "$AUTOFSCK_DEF_CHECK" = "yes" ]; then
			echo $"Forcing file system integrity check due to default setting"
		else
			echo $"Not forcing file system integrity check due to default setting"
		fi
	fi
	fsckoptions="$AUTOFSCK_OPT $fsckoptions"
fi

# -C is added for a colour boot, -V otherwise.
if [ "$BOOTUP" = "color" ]; then
	fsckoptions="-C $fsckoptions"
else
	fsckoptions="-V $fsckoptions"
fi

# Read-only root support: source the optional configuration and, when it
# sets READONLY=yes, source rc.readonly into this shell as well.
if [ -f /etc/sysconfig/readonly-root ]; then
    . /etc/sysconfig/readonly-root

    case "$READONLY" in
        yes)
            # Call rc.readonly to set up magic stuff needed for readonly root
            . /etc/rc.readonly
            ;;
    esac
fi
 
# Check the root filesystem.  _RUN_QUOTACHECK is set to 1 further down when
# fsck exits with status 1.
_RUN_QUOTACHECK=0
# Filesystem type of the real root entry in /proc/mounts (rootfs is skipped).
ROOTFSTYPE=`awk '/ \/ / && ($3 !~ /rootfs/) { print $3 }' /proc/mounts`
# The check is skipped for fastboot, a read-only root, and NFS roots.
if [ -z "$fastboot" -a "$READONLY" != "yes" -a "X$ROOTFSTYPE" != "Xnfs" -a "X$ROOTFSTYPE" != "Xnfs4" ]; then 

        STRING=$"Checking root filesystem"
	echo $STRING
	# Use the device node under /initrd when it exists as a block device;
	# otherwise fsck is pointed at "/".
	rootdev=`awk '/ \/ / && ($3 !~ /rootfs/) {print $1}' /proc/mounts`
	if [ -b /initrd/"$rootdev" ] ; then
		rootdev=/initrd/"$rootdev"
	else
		rootdev=/
	fi
	initlog -c "fsck -T -a $rootdev $fsckoptions"
	rc=$?
	
	# Status 0 is reported as success, status 1 as passed.
	if [ "$rc" -eq "0" ]; then
		success "$STRING"
		echo
	elif [ "$rc" -eq "1" ]; then
	        passed "$STRING"
		echo
        fi
	
        # A return of 2 or higher means there were serious problems.
	if [ $rc -gt 1 ]; then
	        if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
		    chvt 1
		fi

		failure "$STRING"
		echo
		echo
		echo $"*** An error occurred during the file system check."
		echo $"*** Dropping you to a shell; the system will reboot"
		echo $"*** when you leave the shell."

                str=$"(Repair filesystem)"
		PS1="$str \# # "; export PS1
		# NOTE(review): disable_selinux (defined outside this part of
		# the script) runs before the repair shell when SELINUX is "1",
		# so that shell presumably runs without SELinux enforcement;
		# sulogin is then the only gate in front of it.
		[ "$SELINUX" = "1" ] && disable_selinux
		sulogin

		# After the repair shell exits: unmount, go read-only, reboot.
		echo $"Unmounting file systems"
		umount -a
		mount -n -o remount,ro /
		echo $"Automatic reboot in progress."
		reboot -f
	elif [ "$rc" -eq "1" ]; then
		_RUN_QUOTACHECK=1
	fi
fi
#
# Check to see if SELinux requires a relabel
#
# relabel_selinux (defined outside this part of the script) runs only when
# SELINUX is non-empty and the /.autorelabel flag file exists.
[ -n "$SELINUX" ] && [ -f /.autorelabel ] && relabel_selinux

# Unmount the initrd, if necessary: it must be mounted, and must not be the
# /initrd/loopfs variant.
if LC_ALL=C fgrep -q /initrd /proc/mounts && ! LC_ALL=C fgrep -q /initrd/loopfs /proc/mounts ; then
   # A devfs instance inside the initrd has to go first.
   [ -e /initrd/dev/.devfsd ] && umount /initrd/dev
   umount /initrd
   # Flush the buffers of the ramdisk that held the initrd.
   /sbin/blockdev --flushbufs /dev/ram0 &>/dev/null
fi
                                                                                
# Possibly update quotas if fsck was run on /.
# The pipeline's exit status is 0 when the options column of the / entry in
# /etc/fstab contains "quota"; it is captured immediately below, so nothing
# may be inserted between the pipeline and the assignment.
LC_ALL=C grep -E '[[:space:]]+/[[:space:]]+' /etc/fstab | \
    awk '{ print $4 }' | \
    LC_ALL=C fgrep -q quota
_ROOT_HAS_QUOTA=$?
if [ "X$_RUN_QUOTACHECK" = "X1" -a \
    "X$_ROOT_HAS_QUOTA" = "X0" -a \
    -x /sbin/quotacheck ]; then
	# Old-format quota files are converted first and removed only when
	# the conversion reports success.
	if [ -x /sbin/convertquota ]; then
	    if [ -f /quota.user ]; then
		action $"Converting old user quota files: " \
		    /sbin/convertquota -u / && rm -f /quota.user
	    fi
	    if [ -f /quota.group ]; then
		action $"Converting old group quota files: " \
		    /sbin/convertquota -g / && rm -f /quota.group
	    fi
	fi
	action $"Checking root filesystem quotas: " /sbin/quotacheck -nug /
fi

# ISA PnP: only when the tool and its configuration exist and the kernel
# does not expose /proc/isapnp.
if [ -x /sbin/isapnp ] && [ -f /etc/isapnp.conf ] && [ ! -f /proc/isapnp ]; then
    # check for arguments passed from kernel
    strstr "$cmdline" nopnp || PNP=yes

    if [ -z "$PNP" ]; then
	action $"Skipping ISA PNP configuration at users request: " /bin/true
    else
	action $"Setting up ISA PNP devices: " /sbin/isapnp /etc/isapnp.conf
    fi
fi

# Remount the root filesystem read-write.
update_boot_stage RCmountfs
# $state is the mount-options field of the real root entry in /proc/mounts.
state=`awk '/ \/ / && ($3 !~ /rootfs/) { print $4 }' /proc/mounts`
# Remount unless that field is exactly "rw" or a read-only root was requested.
[ "$state" != "rw" -a "$READONLY" != "yes" ] && \
  action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw /

# start_udev runs at this point only when USE_UDEV is "yes" and UDEV_TMPFS is
# "no"; both variables are set outside this part of the script.
if [ "$USE_UDEV" = "yes" -a "$UDEV_TMPFS" = "no" ]; then
	[ -x /sbin/start_udev ] && /sbin/start_udev
fi


# LVM2 initialization
if [ -x /sbin/lvm.static ]; then
    # Load dm-mod when device-mapper is not yet listed in /proc/devices.
    if ! LC_ALL=C fgrep -q "device-mapper" /proc/devices 2>/dev/null ; then
	modprobe dm-mod >/dev/null 2>&1
    fi
    # nash's mkdmnod is run before /dev/mapper/control is used below.
    echo "mkdmnod" | /sbin/nash --quiet >/dev/null 2>&1
    # Under SELinux the node's label is reset with restorecon before use.
    [ -n "$SELINUX" ] && restorecon /dev/mapper/control >/dev/null 2>&1
    if [ -c /dev/mapper/control -a -x /sbin/lvm.static ]; then
	# Volume groups are activated only if the scan succeeds.
	if /sbin/lvm.static vgscan --mknodes --ignorelockingfailure > /dev/null 2>&1 ; then
	    action $"Setting up Logical Volume Management:" /sbin/lvm.static vgchange -a y --ignorelockingfailure
	fi
    fi
fi
# LVM initialization
# The older LVM path is taken when /etc/lvmtab exists.
if [ -f /etc/lvmtab ]; then
    [ -e /proc/lvm ] || modprobe lvm-mod > /dev/null 2>&1
    if [ -e /proc/lvm -a -x /sbin/vgchange ]; then
	action $"Setting up Logical Volume Management:" /sbin/vgscan && /sbin/vgchange -a y
    fi
fi

# Clean up SELinux labels
# restorecon resets the labels of two files before they are used or
# rewritten below; errors are discarded.
if [ -n "$SELINUX" ]; then
   for file in /etc/mtab /etc/ld.so.cache ; do
   	[ -r $file ] && restorecon $file  >/dev/null 2>&1
   done
fi

# Clear mtab
# The truncation runs in a subshell so that a failing redirection (for
# example on a read-only root) is silenced as well.
(> /etc/mtab) &> /dev/null

# Remove stale backups
rm -f /etc/mtab~ /etc/mtab~~

# Enter root, /proc and (potentially) /proc/bus/usb and devfs into mtab.
# mount -f only records the entry; it does not perform a mount.
mount -f /
mount -f /proc
mount -f /sys >/dev/null 2>&1
mount -f /dev/pts
[ -f /proc/bus/usb/devices ] && mount -f -t usbdevfs usbdevfs /proc/bus/usb
[ -e /dev/.devfsd ] && mount -f -t devfs devfs /dev 

# configure all zfcp (scsi over fibrechannel) devices before trying to mount them
# zfcpconf.sh exists only on mainframe
if [ -x /sbin/zfcpconf.sh ]; then
    /sbin/zfcpconf.sh
fi

# The root filesystem is now read-write, so we can now log
# via syslog() directly..
[ -n "$IN_INITLOG" ] && IN_INITLOG=

# Module use stays enabled unless "nomodules" was passed to the kernel or
# /proc/modules is missing.
if ! strstr "$cmdline" nomodules && [ -f /proc/modules ] ; then
    USEMODULES=y
fi

# Load modules (for backward compatibility with VARs)
# NOTE(review): rc.modules is executed by this script, so it must be writable
# by root only.
[ -f /etc/rc.modules ] && /etc/rc.modules

# Start the software RAID arrays listed in /etc/raidtab, then retry LVM in
# case volume groups sit on top of RAID devices.
update_boot_stage RCraid
if [ -f /etc/raidtab ]; then
    # Add raid devices
    [ -f /proc/mdstat ] || modprobe md >/dev/null 2>&1

    if [ -f /proc/mdstat ]; then
	echo -n $"Starting up RAID devices: " 

	# rc becomes 1 as soon as one array could not be started.
	rc=0
	
	for i in `awk '{if ($1=="raiddev") print $2}' /etc/raidtab`
	do
		RAIDDEV=`basename $i`
		# Arrays already reported as active in /proc/mdstat are only listed.
                RAIDSTAT=`LC_ALL=C grep "^$RAIDDEV : active" /proc/mdstat`
		if [ -z "$RAIDSTAT" ]; then
			# First scan the /etc/fstab for the "noauto"-flag
			# for this device. If found, skip the initialization
			# for it to avoid dropping to a shell on errors.
			# If not, try raidstart...if that fails then
			# fall back to raidadd, raidrun.  If that
			# also fails, then we drop to a shell
			RESULT=1
			# NOTE(review): "^$i" is a prefix match, so a device such
			# as /dev/md1 also matches the fstab line of /dev/md10;
			# the same holds for the noauto test below.  Confirm
			# whether a trailing-whitespace anchor is wanted.
			INFSTAB=`LC_ALL=C grep -c "^$i" /etc/fstab`
			if [ $INFSTAB -eq 0 ] ; then
			    RESULT=0
			    RAIDDEV="$RAIDDEV(skipped)"
			fi
			NOAUTO=`LC_ALL=C grep "^$i" /etc/fstab | LC_ALL=C fgrep -c "noauto"`
			if [ $NOAUTO -gt 0 ]; then
			    RESULT=0
			    RAIDDEV="$RAIDDEV(skipped)"
			fi
			# Each tool is tried only while RESULT is still non-zero.
			if [ $RESULT -gt 0 -a -x /sbin/raidstart ]; then
				/sbin/raidstart $i
				RESULT=$?
			fi
			if [ $RESULT -gt 0 -a -x /sbin/raid0run ]; then
				/sbin/raid0run $i
				RESULT=$?
			fi
			if [ $RESULT -gt 0 -a -x /sbin/raidadd -a -x /sbin/raidrun ]; then
				/sbin/raidadd $i
				/sbin/raidrun $i
				RESULT=$?
			fi
			if [ $RESULT -gt 0 ]; then
				rc=1
			fi
			echo -n "$RAIDDEV "
		else
			echo -n "$RAIDDEV "
		fi
	done
	echo

	# A non-zero return means there were problems.
	if [ $rc -gt 0 ]; then
	        if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
		    chvt 1
		fi
		echo
		echo
		echo $"*** An error occurred during the RAID startup"
		echo $"*** Dropping you to a shell; the system will reboot"
		echo $"*** when you leave the shell."

 		str=$"(RAID Repair)"
		PS1="$str \# # "; export PS1
		# NOTE(review): as in the fsck failure paths, disable_selinux
		# (defined outside this part of the script) runs before the
		# repair shell, leaving sulogin as the only gate.
		[ "$SELINUX" = "1" ] && disable_selinux
		sulogin

		echo $"Unmounting file systems"
		umount -a
		mount -n -o remount,ro /
		echo $"Automatic reboot in progress."
		reboot -f
	fi
	# LVM2 initialization, take 2
	if [ -c /dev/mapper/control -a -x /sbin/lvm.static ]; then
		if /sbin/lvm.static vgscan > /dev/null 2>&1 ; then 
			action $"Setting up Logical Volume Management:" /sbin/lvm.static vgscan --mknodes --ignorelockingfailure && /sbin/lvm.static vgchange -a y --ignorelockingfailure
		fi
	fi
	# LVM initialization, take 2 (it could be on top of RAID)
	if [ -e /proc/lvm -a -x /sbin/vgchange -a -f /etc/lvmtab ]; then
		action $"Setting up Logical Volume Management:" /sbin/vgscan && /sbin/vgchange -a y
	fi
    fi
fi

# Run "devlabel restart" when the tool is installed.
[ -x /sbin/devlabel ] && /sbin/devlabel restart

# Reset the flag: from here on it records whether the check of the remaining
# filesystems calls for a quota check.
_RUN_QUOTACHECK=0
# Check filesystems
# Skipped entirely when fastboot was requested.
if [ -z "$fastboot" ]; then
        STRING=$"Checking filesystems"
	echo $STRING
	initlog -c "fsck -T -R -A -a $fsckoptions"
	rc=$?
	# Status 0 is reported as success, status 1 as passed.
        if [ "$rc" -eq "0" ]; then
		success "$STRING"
		echo
	elif [ "$rc" -eq "1" ]; then
	        passed "$STRING"
		echo
	fi

	# A return of 2 or higher means there were serious problems.
	if [ $rc -gt 1 ]; then
	        if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
		    chvt 1
		fi

	        failure "$STRING"
		echo
		echo
		echo $"*** An error occurred during the file system check."
		echo $"*** Dropping you to a shell; the system will reboot"
		echo $"*** when you leave the shell."

		str=$"(Repair filesystem)"
		PS1="$str \# # "; export PS1
		# NOTE(review): disable_selinux (defined outside this part of
		# the script) runs before the repair shell when SELINUX is "1",
		# so that shell presumably runs without SELinux enforcement;
		# sulogin is then the only gate in front of it.
		[ "$SELINUX" = "1" ] && disable_selinux
		sulogin

		echo $"Unmounting file systems"
		umount -a
		mount -n -o remount,ro /
		echo $"Automatic reboot in progress."
		reboot -f
	elif [ "$rc" -eq "1" -a -x /sbin/quotacheck ]; then
		_RUN_QUOTACHECK=1
	fi
fi

# Mount all other filesystems (except for NFS and /proc, which is already
# mounted). Contrary to standard usage,
# filesystems are NOT unmounted in single user mode.
action $"Mounting local filesystems: " mount -a -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs -O no_netdev

# Start the graphical boot, if necessary and not done yet.
# Same conditions as the first attempt, plus RHGB_STARTED still being 0.
if fgrep rhgb /proc/cmdline &>/dev/null \
   && [ "$RHGB_STARTED" -eq 0 ] && [ "$BOOTUP" = "color" ] \
   && [ "$GRAPHICAL" = "yes" ] && [ -x /usr/bin/rhgb ]
then
   LC_MESSAGES= /usr/bin/rhgb
   RHGB_STARTED=1
fi

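# check remaining quotas other than root
# Runs only when the filesystem check above asked for it (_RUN_QUOTACHECK=1)
# and quotacheck is installed.
if [ X"$_RUN_QUOTACHECK" = X1 -a -x /sbin/quotacheck ]; then
	if [ -x /sbin/convertquota ]; then
	    # try to convert old quotas
	    # Mount points come from the entries in /etc/mtab whose options
	    # mention "quota".  They are quoted wherever they are used so that
	    # a path containing glob characters reaches convertquota and the
	    # root-run rm as one literal argument.
	    for mountpt in `awk '$4 ~ /quota/{print $2}' /etc/mtab` ; do
		if [ -f "$mountpt/quota.user" ]; then
		    action $"Converting old user quota files: " \
		    /sbin/convertquota -u "$mountpt" && \
			rm -f "$mountpt/quota.user"
		fi
		if [ -f "$mountpt/quota.group" ]; then
		    action $"Converting old group quota files: " \
		    /sbin/convertquota -g "$mountpt" && \
			rm -f "$mountpt/quota.group"
		fi
	    done
	fi
	action $"Checking local filesystem quotas: " /sbin/quotacheck -aRnug
fi

# Quotas are switched on whenever quotaon is installed.
if [ -x /sbin/quotaon ]; then
    action $"Enabling local filesystem quotas: " /sbin/quotaon -aug
fi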

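# Initialize pseudo-random number generator
# The saved seed is fed back into the kernel pool and then replaced with 512
# fresh bytes, so the same seed is not reused by a later boot.  The whole step
# runs in a subshell under umask 077 so that a newly created seed file is
# never readable by other users, not even between touch and chmod.
(
	umask 077
	if [ -f "/var/lib/random-seed" ]; then
		cat /var/lib/random-seed > /dev/urandom
	else
		touch /var/lib/random-seed
	fi
	chmod 600 /var/lib/random-seed
	dd if=/dev/urandom of=/var/lib/random-seed count=1 bs=512 2>/dev/null
)

# Use the hardware RNG to seed the entropy pool, if available
# /dev/hw_random is a character device, so it is tested with -c; a -f
# (regular file) test can never succeed on a device node, which would leave
# rngd unstarted.  The daemon is started by the same path that was tested.
[ -x /sbin/rngd -a -c /dev/hw_random ] && /sbin/rngd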

# Configure machine if necessary.
# The /.unconfigured flag file is the only trigger for this interactive
# first-boot sequence; it is removed again once the tools have run.
# NOTE(review): the sequence includes "passwd root" run by this script, which
# presumably does not ask for the current password, so the root directory
# must not be writable by anyone but root and console access during boot
# should be treated as privileged.
if [ -f /.unconfigured ]; then
    # Switch to the text console if the graphical boot is answering.
    if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
	chvt 1
    fi

    # Each tool is run only when it is installed.
    if [ -x /usr/sbin/kbdconfig ]; then
	/usr/sbin/kbdconfig
    fi
    if [ -x /usr/bin/passwd ]; then 
        /usr/bin/passwd root
    fi
    if [ -x /usr/sbin/netconfig ]; then
	/usr/sbin/netconfig
    fi
    if [ -x /usr/sbin/timeconfig ]; then
	/usr/sbin/timeconfig
    fi
    if [ -x /usr/sbin/authconfig ]; then
	/usr/sbin/authconfig --nostart
    fi
    if [ -x /usr/sbin/ntsysv ]; then
	/usr/sbin/ntsysv --level 35
    fi

    # Reread in network configuration data.
    if [ -f /etc/sysconfig/network ]; then
	. /etc/sysconfig/network

	# Reset the hostname.
	action $"Resetting hostname ${HOSTNAME}: " hostname ${HOSTNAME}
    fi

    rm -f /.unconfigured

    # Return to the graphical boot's terminal.
    if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
	chvt 8
    fi
fi

# Clean out /.
# The one-shot boot flag files have been acted on by now and are removed.
rm -f /fastboot /fsckoptions /forcefsck /.autofsck /halt /poweroff &> /dev/null

# Do we need (w|u)tmpx files? We don't set them up, but the sysadmin might...
_NEED_XFILES=
if [ -f /var/run/utmpx ] || [ -f /var/log/wtmpx ]; then
	_NEED_XFILES=1
fi

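# Clean up /var.  I'd use find, but /usr may not be mounted.
# Every entry below /var/lock and /var/run is emptied or removed; how deep
# the removal goes depends on the directory name.  $afile is quoted
# throughout so that names containing whitespace or glob characters are
# handled as one literal path by the root-run rm.
# NOTE(review): [ -d ] follows symbolic links, so a link in /var/lock or
# /var/run that points at a directory elsewhere has that directory's files
# removed; both directories should be writable by trusted accounts only.
for afile in /var/lock/* /var/run/* ; do
	if [ -d "$afile" ]; then
	   case "$afile" in
		*/news|*/mon)	;;
		*/sudo)		rm -f "$afile"/*/* ;;
		*/vmware)	rm -rf "$afile"/*/* ;;
		*/samba)	rm -rf "$afile"/*/* ;;
		*)		rm -f "$afile"/* ;;
	   esac
	else
	   rm -f "$afile"
	fi
done
rm -f /var/lib/rpm/__db* &> /dev/null

# Reset pam_console permissions
[ -x /sbin/pam_console_apply ] && /sbin/pam_console_apply -r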

{
# Clean up utmp/wtmp
# utmp is truncated, wtmp is created if missing; both end up group utmp
# with mode 0664 (group-writable, world-readable).
> /var/run/utmp
touch /var/log/wtmp
chgrp utmp /var/run/utmp /var/log/wtmp
chmod 0664 /var/run/utmp /var/log/wtmp
# The x variants are handled the same way, but only if one of them already
# existed when _NEED_XFILES was computed.
if [ -n "$_NEED_XFILES" ]; then
  > /var/run/utmpx
  touch /var/log/wtmpx
  chgrp utmp /var/run/utmpx /var/log/wtmpx
  chmod 0664 /var/run/utmpx /var/log/wtmpx
fi

# Clean up various /tmp bits
# Stale locks, sockets and per-session directories left by the previous boot
# are removed by name pattern.
rm -f /tmp/.X*-lock /tmp/.lock.* /tmp/.gdm_socket /tmp/.s.PGSQL.*
rm -rf /tmp/.X*-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/hsperfdata_* \
       /tmp/kde-* /tmp/ksocket-* /tmp/mc-* /tmp/mcop-* /tmp/orbit-*  \
       /tmp/scrollkeeper-*  /tmp/ssh-*
# Make ICE directory
# It is recreated right after the old copy was removed, sticky and
# world-writable (1777) and owned by root, so a leftover directory owned by
# another user does not survive the reboot.  Under SELinux its label is
# reset with restorecon.
mkdir -m 1777 -p /tmp/.ICE-unix >/dev/null 2>&1
chown root:root /tmp/.ICE-unix
[ -n "$SELINUX" ] && restorecon /tmp/.ICE-unix >/dev/null 2>&1

# Start up swapping.
update_boot_stage RCswap
action $"Enabling swap space: " swapon -a -e

# Set up binfmt_misc
/bin/mount -t binfmt_misc none /proc/sys/fs/binfmt_misc &> /dev/null

# Initialize the serial ports.
# rc.serial, when present, is sourced into this shell.
[ -f /etc/rc.serial ] && . /etc/rc.serial

# If they asked for ide-scsi, load it
if strstr "$cmdline" ide-scsi
then
	modprobe ide-cd &>/dev/null
	modprobe ide-scsi &>/dev/null
fi

# Turn on harddisk optimization
# There is only one file /etc/sysconfig/harddisks for all disks
# after installing the hdparm-RPM. If you need different hdparm parameters
# for each of your disks, copy /etc/sysconfig/harddisks to
# /etc/sysconfig/harddiskhda (hdb, hdc...) and modify it.
# Each disk which has no special parameters will use the defaults.
# Each non-disk which has no special parameters will be ignored.
# 
 
# disk[0]="s" makes index 0 resolve to /etc/sysconfig/harddisks, the shared
# defaults file; indexes 1-20 are the IDE devices hda..hdt.
disk[0]=s;
disk[1]=hda;  disk[2]=hdb;  disk[3]=hdc;  disk[4]=hdd;
disk[5]=hde;  disk[6]=hdf;  disk[7]=hdg;  disk[8]=hdh;
disk[9]=hdi;  disk[10]=hdj; disk[11]=hdk; disk[12]=hdl;
disk[13]=hdm; disk[14]=hdn; disk[15]=hdo; disk[16]=hdp;
disk[17]=hdq; disk[18]=hdr; disk[19]=hds; disk[20]=hdt;
 
 
if [ -x /sbin/hdparm ]; then
   for device in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20; do
	# Settings from the previous iteration must not leak into this one.
	unset MULTIPLE_IO USE_DMA EIDE_32BIT LOOKAHEAD EXTRA_PARAMS
        # NOTE(review): the per-disk file is sourced as shell code and its
        # EXTRA_PARAMS value is passed to hdparm verbatim, so these files
        # must be writable by root only.
        if [ -f /etc/sysconfig/harddisk${disk[$device]} ]; then
                . /etc/sysconfig/harddisk${disk[$device]}
                HDFLAGS[$device]=
                if [ -n "$MULTIPLE_IO" ]; then
                    HDFLAGS[$device]="-q -m$MULTIPLE_IO"
                fi
                if [ -n "$USE_DMA" ]; then
                    HDFLAGS[$device]="${HDFLAGS[$device]} -q -d$USE_DMA"
                fi
                if [ -n "$EIDE_32BIT" ]; then
                    HDFLAGS[$device]="${HDFLAGS[$device]} -q -c$EIDE_32BIT"
                fi
                if [ -n "$LOOKAHEAD" ]; then
                    HDFLAGS[$device]="${HDFLAGS[$device]} -q -A$LOOKAHEAD"
                fi
                if [ -n "$EXTRA_PARAMS" ]; then
                    HDFLAGS[$device]="${HDFLAGS[$device]} $EXTRA_PARAMS"
                fi
        else
                # No file of its own: fall back to the shared defaults.
                HDFLAGS[$device]="${HDFLAGS[0]}"
        fi
        # hdparm runs only for devices the kernel lists under /proc/ide, and
        # then only for disks or for devices that have their own file.
        if [ -e "/proc/ide/${disk[$device]}/media" ]; then
             hdmedia=`cat /proc/ide/${disk[$device]}/media`
             if [ "$hdmedia" = "disk" -o -f "/etc/sysconfig/harddisk${disk[$device]}" ]; then
                  if [ -n "${HDFLAGS[$device]}" ]; then
                      action $"Setting hard drive parameters for ${disk[$device]}: "  /sbin/hdparm ${HDFLAGS[$device]} /dev/${disk[$device]}
                  fi
             fi
        fi
   done
fi

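# Boot time profiles. Yes, this should be somewhere else.
# A "netprofile=NAME" word on the kernel command line selects the network
# profile that system-config-network-cmd activates.
if [ -x /usr/sbin/system-config-network-cmd ]; then
  if strstr "$cmdline" netprofile= ; then
    # $cmdline is left unquoted on purpose so that it splits into its
    # whitespace-separated words.
    for arg in $cmdline ; do
        if [ "${arg##netprofile=}" != "${arg}" ]; then
	    # The profile name is taken from the boot command line, so it is
	    # quoted: the tool receives it as one literal argument and glob
	    # characters in it are not expanded against the file system.
	    /usr/sbin/system-config-network-cmd --profile "${arg##netprofile=}"
        fi
    done
  fi
fi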

# Now that we have all of our basic modules loaded and the kernel going,
# let's dump the syslog ring somewhere so we can find it later
dmesg -s 131072 > /var/log/dmesg

# create the crash indicator flag to warn on crashes, offer fsck with timeout
# The flag is found by the /.autofsck test earlier in this script on the
# next boot.
touch /.autofsck &> /dev/null

# End the foreground wait for a key press: getkey is sent TERM once this
# background work is finished.
kill -TERM `/sbin/pidof getkey` >/dev/null 2>&1
} &
# While the background group above runs, decide whether interactive
# ("confirm") startup was requested, either on the kernel command line ...
if strstr "$cmdline" confirm ; then
	touch /var/run/confirm
fi
# ... or by pressing "i" on the console.  getkey keeps waiting until the
# background group sends it TERM.
if [ "$PROMPT" != "no" ]; then
	/sbin/getkey i && touch /var/run/confirm
fi
# Do not continue before the background group has completed.
wait

# Let rhgb know that we're leaving rc.sysinit
if [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --ping ; then
    /usr/bin/rhgb-client --sysinit
fi



* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-08 12:17 ` Stephen Smalley
  2004-09-08 14:57   ` Daniel J Walsh
@ 2004-09-08 22:04   ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 10+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-09-08 22:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux

On Wed, Sep 08, 2004 at 08:17:05AM -0400, Stephen Smalley wrote:
> On Tue, 2004-09-07 at 16:45, Daniel J Walsh wrote:
> > Adding
> > 
> > restorecon /dev /dev/null
> > restorecon /dev/*
> 
> Adding them where?  If you do this from /sbin/init immediately after the
> initial policy load, 

 oh.
 
 that's a good idea.




* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-07 20:45 Patch to make udev/tmpfs work and changes from colin walters for dbus Daniel J Walsh
  2004-09-08  0:00 ` Luke Kenneth Casson Leighton
  2004-09-08 12:17 ` Stephen Smalley
@ 2004-09-09 12:53 ` James Carter
  2004-09-09 18:21   ` Colin Walters
  2 siblings, 1 reply; 10+ messages in thread
From: James Carter @ 2004-09-09 12:53 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux

When I build the policy with this patch there is a conflict with two
type transitions.

Because of the alias rule:
typealias system_dbusd_exec_t alias dbusd_exec_t;

The following type transitions conflict:
type_transition sysadm_t dbusd_exec_t:process sysadm_dbusd_t;
type_transition sysadm_t system_dbusd_exec_t:process system_dbusd_t;

The second transition is the one used when I build the policy.  I am not
sure if that is the desired transition.


Where they come from:

type_transition sysadm_t dbusd_exec_t:process sysadm_dbusd_t;
	from dbusd_macros.te, line 24:
		domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
	from base_user_macros.te, line 120: dbusd_domain($1)
	from admin_macros.te, line 30: base_user_domain($1)
	from admin.te, line 19: admin_domain(sysadm)

type_transition sysadm_t system_dbusd_exec_t:process system_dbusd_t;
	from global_macros.te, line 351: 
		domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
	from dbusd_macros.te, line 12: 
		daemon_domain(system_dbusd, `, userspace_objmgr')
	from dbusd.te, line 5: dbusd_domain(system)

typealias system_dbusd_exec_t alias dbusd_exec_t;
	from dbusd_macros.te, line 15	

On Tue, 2004-09-07 at 16:45, Daniel J Walsh wrote:
> Adding
> 
> restorecon /dev /dev/null
> restorecon /dev/*
> 
> and the attached policy patch seems to clear up the problems with udev 
> and tmpfs.
> 
> Dan
> 
> ______________________________________________________________________
> diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.17.10/attrib.te
> --- nsapolicy/attrib.te	2004-09-01 14:00:01.000000000 -0400
> +++ policy-1.17.10/attrib.te	2004-09-07 15:55:15.049943838 -0400
> @@ -347,9 +347,6 @@
>  # For web clients such as netscape and squid
>  attribute web_client_domain;
>  
> -# For a dbus client
> -attribute dbus_client_domain;
> -
>  # For X Window System server domains
>  attribute xserver;
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.17.10/domains/program/hostname.te
> --- nsapolicy/domains/program/hostname.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.10/domains/program/hostname.te	2004-09-07 15:56:44.609170450 -0400
> @@ -22,3 +22,4 @@
>  
>  # for when /usr is not mounted
>  dontaudit hostname_t file_t:dir search;
> +dontaudit hostname_t tmpfs_t:chr_file { read write };
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.17.10/domains/program/init.te
> --- nsapolicy/domains/program/init.te	2004-09-02 08:03:26.000000000 -0400
> +++ policy-1.17.10/domains/program/init.te	2004-09-07 15:56:26.230974473 -0400
> @@ -49,7 +49,7 @@
>  ')
>  
>  # Create /dev/initctl.
> -file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
> +file_type_auto_trans(init_t, { device_t tmpfs_t }, initctl_t, fifo_file)
>  
>  # Create ioctl.save.
>  file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
> @@ -114,8 +114,7 @@
>  can_setbool(init_t)
>  
>  # Read and write the console and ttys.
> -allow init_t console_device_t:chr_file rw_file_perms;
> -allow init_t tty_device_t:chr_file rw_file_perms;
> +allow init_t { tmpfs_t tty_device_t console_device_t } :chr_file rw_file_perms;
>  allow init_t ttyfile:chr_file rw_file_perms;
>  allow init_t ptyfile:chr_file rw_file_perms;
>  
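Review bot: The rewritten rule `allow init_t { tmpfs_t tty_device_t console_device_t } :chr_file rw_file_perms;` gives init read/write access to every character device that carries the generic tmpfs_t label, not only to the console and ttys the comment above it names. tmpfs_t is presumably the default type of any tmpfs mount, so the grant is not confined to the /dev tmpfs that udev populates. The same widening appears in the `rw_dir_file(init_t, tmpfs_t)` hunk that follows and in the restorecon.te and udev.te hunks. If these nodes are only mislabeled until restorecon has run, a comment such as `# tmpfs_t: /dev nodes on tmpfs before restorecon relabels them` would record the reason, and a dedicated type for the /dev tmpfs would keep the rules from covering other tmpfs mounts.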
> @@ -140,3 +139,5 @@
>  
>  # file descriptors inherited from the rootfs.
>  dontaudit init_t root_t:{ file chr_file } { read write }; 
> +
> +rw_dir_file(init_t, tmpfs_t)
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.17.10/domains/program/restorecon.te
> --- nsapolicy/domains/program/restorecon.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.10/domains/program/restorecon.te	2004-09-07 15:57:33.287384531 -0400
> @@ -41,7 +41,9 @@
>  allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
>  allow restorecon_t unlabeled_t:dir read;
>  allow restorecon_t device_type:{ chr_file blk_file } { getattr relabelfrom relabelto };
> -allow restorecon_t device_t:{ chr_file blk_file } { getattr relabelfrom };
> +allow restorecon_t { tmpfs_t device_t device_type }:{chr_file blk_file} { getattr relabelfrom relabelto };
> +allow restorecon_t tmpfs_t:{chr_file blk_file} { read write };
> +
>  allow restorecon_t ptyfile:chr_file getattr;
>  
>  allow restorecon_t fs_t:filesystem getattr;
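Review bot: The added `allow restorecon_t tmpfs_t:{chr_file blk_file} { read write };` lets restorecon perform I/O on device nodes, which relabeling itself does not need; the line before it already grants getattr, relabelfrom and relabelto. If the access only comes from descriptors inherited while the console or /dev/null is still labeled tmpfs_t (an assumption, the hunk does not say), `dontaudit restorecon_t tmpfs_t:{chr_file blk_file} { read write };` would silence the denial without granting it, as the hostname.te hunk does. The replacement rule also repeats device_type although the unchanged rule two lines above grants the same permissions on it, so `{ tmpfs_t device_t }` would be enough as the source set there.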
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.17.10/domains/program/unused/bluetooth.te
> --- nsapolicy/domains/program/unused/bluetooth.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/bluetooth.te	2004-09-07 15:55:15.094939442 -0400
> @@ -8,7 +8,7 @@
>  #
>  # Rules for the bluetooth_t domain.
>  #
> -daemon_domain(bluetooth, `, dbus_client_domain')
> +daemon_domain(bluetooth)
>  
>  file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
>  
> @@ -22,6 +22,7 @@
>  # Use the network.
>  can_network(bluetooth_t)
>  can_ypbind(bluetooth_t)
> +dbusd_client(system, bluetooth_t)
>  allow bluetooth_t self:socket { create setopt ioctl bind listen };
>  allow bluetooth_t self:unix_dgram_socket create_socket_perms;
>  allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.10/domains/program/unused/cups.te
> --- nsapolicy/domains/program/unused/cups.te	2004-08-30 09:49:15.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/cups.te	2004-09-07 15:55:15.138935145 -0400
> @@ -12,7 +12,7 @@
>  # cupsd_exec_t is the type of the cupsd executable.
>  #
>  type ipp_port_t, port_type;
> -daemon_domain(cupsd, `, auth_chkpwd, dbus_client_domain')
> +daemon_domain(cupsd, `, auth_chkpwd')
>  etcdir_domain(cupsd)
>  typealias cupsd_etc_t alias etc_cupsd_t;
>  type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
> @@ -20,6 +20,7 @@
>  
>  can_network(cupsd_t)
>  can_ypbind(cupsd_t)
> +dbusd_client(system, cupsd_t)
>  logdir_domain(cupsd)
>  
>  tmp_domain(cupsd)
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.17.10/domains/program/unused/dbusd.te
> --- nsapolicy/domains/program/unused/dbusd.te	2004-09-01 14:00:02.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/dbusd.te	2004-09-07 15:55:15.028945889 -0400
> @@ -2,34 +2,17 @@
>  #
>  # Author:  Russell Coker <russell@coker.com.au>
>  
> -daemon_domain(dbusd, `, userspace_objmgr')
> -type etc_dbusd_t, file_type, sysadmfile;
> +dbusd_domain(system)
>  
> -allow dbusd_t dbusd_var_run_t:sock_file create_file_perms;
> +allow system_dbusd_t dbusd_var_run_t:sock_file create_file_perms;
>  
>  ifdef(`pamconsole.te', `
> -r_dir_file(dbusd_t, pam_var_console_t)
> +r_dir_file(system_dbusd_t, pam_var_console_t)
>  ')
>  
> -r_dir_file(dbusd_t, etc_dbusd_t)
> -allow dbusd_t self:unix_stream_socket create_stream_socket_perms;
> -allow dbusd_t self:unix_dgram_socket create_socket_perms;
> -
> -allow dbusd_t etc_t:file { getattr read };
>  # dac_override: /var/run/dbus is owned by messagebus on Debian
> -allow dbusd_t self:capability { dac_override setgid setuid };
> -allow dbusd_t self:file { getattr read };
> -allow dbusd_t proc_t:file { read };
> -can_ypbind(dbusd_t)
> +allow system_dbusd_t self:capability { dac_override setgid setuid };
> +can_ypbind(system_dbusd_t)
>  
>  # I expect we need more than this
> -allow { dbus_client_domain userdomain } { var_run_t dbusd_var_run_t }:dir search;
> -allow { dbus_client_domain userdomain } dbusd_var_run_t:sock_file { write };
> -allow { dbus_client_domain userdomain } dbusd_t:unix_stream_socket { connectto };
> -
> -# Permissions for SE-DBus operation
> -r_dir_file(dbusd_t,selinux_config_t)
> -
> -# SE-DBus specific permissions
> -allow { dbus_client_domain userdomain } { dbusd_t self }:dbus { send_msg };
> -domain_auto_trans(userdomain, dbusd_exec_t, dbusd_t)
> +
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.17.10/domains/program/unused/hald.te
> --- nsapolicy/domains/program/unused/hald.te	2004-09-02 08:03:26.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/hald.te	2004-09-07 15:55:15.183930749 -0400
> @@ -10,7 +10,7 @@
>  #
>  # hald_exec_t is the type of the hald executable.
>  #
> -daemon_domain(hald, `, dbus_client_domain, fs_domain')
> +daemon_domain(hald, `, fs_domain')
>  
>  can_exec(hald_t, hald_exec_t)
>  
> @@ -18,7 +18,7 @@
>  allow hald_t self:unix_stream_socket create_stream_socket_perms;
>  allow hald_t self:unix_dgram_socket create_socket_perms;
>  
> -allow hald_t dbusd_t:dbus { acquire_svc };
> +allow hald_t system_dbusd_t:dbus { acquire_svc };
>  
>  allow hald_t { self proc_t }:file { getattr read };
>  
> @@ -31,6 +31,7 @@
>  allow hald_t self:capability { net_admin sys_admin };
>  can_network(hald_t)
>  can_ypbind(hald_t)
> +dbusd_client(system, hald_t)
>  
>  allow hald_t device_t:lnk_file read;
>  allow hald_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read ioctl };
> @@ -47,3 +48,5 @@
>  
>  allow hald_t usbdevfs_t:dir search;
>  allow hald_t usbdevfs_t:file { getattr read };
> +allow hald_t usbfs_t:dir search;
> +allow hald_t usbfs_t:file { getattr read };
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.17.10/domains/program/unused/hotplug.te
> --- nsapolicy/domains/program/unused/hotplug.te	2004-09-01 14:00:02.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/hotplug.te	2004-09-07 15:55:15.128936121 -0400
> @@ -11,7 +11,7 @@
>  # hotplug_exec_t is the type of the hotplug executable.
>  #
>  ifdef(`unlimitedUtils', `
> -daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, dbus_client_domain, unrestricted')
> +daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, unrestricted')
>  ', `
>  daemon_domain(hotplug, `, privmodule, dbus_client_domain')
>  ')
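Review bot: The dbus_client_domain attribute is removed only from the unlimitedUtils branch; the unchanged else branch, daemon_domain(hotplug, `, privmodule, dbus_client_domain'), still uses it. The attrib.te hunk of this patch deletes the `attribute dbus_client_domain;` declaration, so a policy built without unlimitedUtils would presumably fail on an undeclared attribute. That line should drop the attribute as well, leaving only privmodule in its attribute list. The `dbusd_client(system, hotplug_t)` call added in the next hunk of this file sits outside the ifdef as far as the hunk shows, so it would cover both branches.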
> @@ -143,6 +143,7 @@
>  
>  can_network(hotplug_t)
>  can_ypbind(hotplug_t)
> +dbusd_client(system, hotplug_t)
>  
>  # Allow hotplug (including /sbin/ifup-local) to start/stop services and # run sendmail -q
>  domain_auto_trans(hotplug_t, initrc_exec_t, initrc_t)
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.17.10/domains/program/unused/kudzu.te
> --- nsapolicy/domains/program/unused/kudzu.te	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/kudzu.te	2004-09-07 15:54:49.325454423 -0400
> @@ -29,6 +29,8 @@
>  allow kudzu_t sysctl_kernel_t:file { getattr read write };
>  allow kudzu_t usbdevfs_t:dir search;
>  allow kudzu_t usbdevfs_t:file { getattr read };
> +allow kudzu_t usbfs_t:dir search;
> +allow kudzu_t usbfs_t:file { getattr read };
>  allow kudzu_t var_t:dir search;
>  allow kudzu_t kernel_t:system { syslog_console };
>  allow kudzu_t self:udp_socket { create ioctl };
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.17.10/domains/program/unused/udev.te
> --- nsapolicy/domains/program/unused/udev.te	2004-09-01 14:00:02.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/udev.te	2004-09-07 16:00:22.809653212 -0400
> @@ -9,7 +9,7 @@
>  #
>  # udev_exec_t is the type of the udev executable.
>  #
> -daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd, dbus_client_domain')
> +daemon_domain(udev, `, privmodule, privmem, fs_domain, privfd')
>  
>  general_domain_access(udev_t)
>  
> @@ -28,10 +28,10 @@
>  allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
>  allow udev_t self:unix_dgram_socket create_socket_perms;
>  allow udev_t self:fifo_file rw_file_perms;
> -allow udev_t device_t:blk_file create_file_perms;
> -allow udev_t device_t:chr_file create_file_perms;
> -allow udev_t device_t:sock_file create_file_perms;
> -allow udev_t device_t:lnk_file create_lnk_perms;
> +allow udev_t { tmpfs_t device_t }:blk_file create_file_perms;
> +allow udev_t { tmpfs_t device_t }:chr_file create_file_perms;
> +allow udev_t { tmpfs_t device_t }:sock_file create_file_perms;
> +allow udev_t { tmpfs_t device_t }:lnk_file create_lnk_perms;
>  allow udev_t etc_t:file { getattr read };
>  allow udev_t { bin_t sbin_t }:dir r_dir_perms;
>  allow udev_t { sbin_t bin_t }:lnk_file read;
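Review bot: Adding `tmpfs_t` to the four device-node rules lets udev_t create block and character device nodes under any tmpfs mount that carries the generic type, not only the one mounted on /dev. The same widening recurs in the `relabelfrom relabelto` rule of the @@ -40,7 hunk, in `rw_dir_create_file(udev_t, { device_t tmpfs_t })` at the end of the file, and in the `tmpfs_t:filesystem associate` rule added to types/file.te. If the intent is only a tmpfs-backed /dev, labelling that mount as device_t (for example with a mount context option, or by relabelling /dev before udev starts) would keep these rules scoped to `device_t`. At minimum a comment should say why `tmpfs_t` is needed, e.g. `# /dev is a tmpfs and carries tmpfs_t until it is relabelled`.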
> @@ -40,7 +40,7 @@
>  can_exec(udev_t, udev_exec_t)
>  r_dir_file(udev_t, sysfs_t)
>  allow udev_t sysadm_tty_device_t:chr_file { read write };
> -allow udev_t { device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
> +allow udev_t { tmpfs_t device_t device_type }:{chr_file blk_file} { relabelfrom relabelto create_file_perms };
>  	
>  # to read the file_contexts file
>  r_dir_file(udev_t, { selinux_config_t file_context_t default_context_t } )
> @@ -96,3 +96,10 @@
>  ifdef(`dhcpc.te', `
>  domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
>  ')
> +
> +allow udev_t tmpfs_t:dir { search };
> +rw_dir_create_file(udev_t, { device_t tmpfs_t })
> +allow udev_t udev_helper_exec_t:dir r_dir_perms;
> +
> +dbusd_client(system, udev_t)
> +
> diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.17.10/domains/program/unused/updfstab.te
> --- nsapolicy/domains/program/unused/updfstab.te	2004-09-02 08:03:26.000000000 -0400
> +++ policy-1.17.10/domains/program/unused/updfstab.te	2004-09-07 15:55:15.115937391 -0400
> @@ -3,7 +3,7 @@
>  # Author:  Russell Coker <russell@coker.com.au>
>  #
>  
> -daemon_base_domain(updfstab, `, fs_domain, etc_writer, dbus_client_domain')
> +daemon_base_domain(updfstab, `, fs_domain, etc_writer')
>  
>  rw_dir_create_file(updfstab_t, etc_t)
>  create_dir_file(updfstab_t, mnt_t)
> @@ -28,6 +28,8 @@
>  
>  read_locale(updfstab_t)
>  
> +dbusd_client(system, updfstab_t)
> +
>  # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
>  # I will not allow it
>  dontaudit updfstab_t { sysctl_t sysctl_kernel_t }:dir search;
> diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.10/file_contexts/program/named.fc
> --- nsapolicy/file_contexts/program/named.fc	2004-08-31 10:55:37.000000000 -0400
> +++ policy-1.17.10/file_contexts/program/named.fc	2004-09-07 15:54:49.325454423 -0400
> @@ -14,7 +14,7 @@
>  ') dnl distro_debian
>  
>  /etc/rndc.*		--	system_u:object_r:named_conf_t
> -/usr/sbin/named.*      	--	system_u:object_r:named_exec_t
> +/usr/sbin/named      	--	system_u:object_r:named_exec_t
>  /usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
>  /var/run/ndc		-s	system_u:object_r:named_var_run_t
>  /var/run/bind(/.*)?		system_u:object_r:named_var_run_t
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.17.10/macros/base_user_macros.te
> --- nsapolicy/macros/base_user_macros.te	2004-09-04 07:28:25.000000000 -0400
> +++ policy-1.17.10/macros/base_user_macros.te	2004-09-07 15:55:15.195929577 -0400
> @@ -185,6 +185,10 @@
>  can_network($1_t)
>  can_ypbind($1_t)
>  
> +# Grant permissions to access the system DBus
> +dbusd_client(system, $1_t)
> +dbusd_domain($1)
> +
>  # allow port_t name binding for UDP because it is not very usable otherwise
>  allow $1_t port_t:udp_socket name_bind;
>  
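Review bot: `dbusd_domain($1)` is expanded for every user domain without the ``ifdef(`dbusd.te', ...)`` guard that dbusd_macros.te places around the real dbusd_client definition. The non-system branch of dbusd_domain references dbusd_exec_t and etc_dbusd_t, which in the macro as posted are only declared through the system branch, so a policy built without dbusd.te would presumably fail on undeclared types. Wrapping the call as ``ifdef(`dbusd.te', `dbusd_domain($1)')`` keeps it consistent with the client macro. The comment above the two calls should also say that `dbusd_client(system, $1_t)` gives every user domain send_msg access to the system bus.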
> diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.17.10/macros/program/dbusd_macros.te
> --- nsapolicy/macros/program/dbusd_macros.te	1969-12-31 19:00:00.000000000 -0500
> +++ policy-1.17.10/macros/program/dbusd_macros.te	2004-09-07 15:55:15.038944913 -0400
> @@ -0,0 +1,62 @@
> +#
> +# Macros for Dbus
> +#
> +# Author: Colin Walters <walters@redhat.com>
> +
> +# dbusd_domain(domain_prefix)
> +#
> +# Define a derived domain for the DBus daemon.
> +
> +define(`dbusd_domain', `
> +ifelse(`system', `$1',`
> +daemon_domain(system_dbusd, `, userspace_objmgr')
> +# For backwards compatibility
> +typealias system_dbusd_t alias dbusd_t;
> +typealias system_dbusd_exec_t alias dbusd_exec_t;
> +typealias system_dbusd_var_run_t alias dbusd_var_run_t;
> +type etc_dbusd_t, file_type, sysadmfile;
> +',`
> +ifdef(`single_userdomain', `
> +typealias $1_t alias $1_dbusd_t;
> +', `
> +type $1_dbusd_t, domain, privlog, userspace_objmgr;
> +role $1_r types $1_dbusd_t;
> +domain_auto_trans($1_t, dbusd_exec_t, $1_dbusd_t)
> +
> +')dnl end ifdef single_userdomain
> +')dnl end ifelse system
> +
> +base_file_read_access($1_dbusd_t)
> +uses_shlib($1_dbusd_t)
> +allow $1_dbusd_t etc_t:file { getattr read };
> +r_dir_file($1_dbusd_t, etc_dbusd_t)
> +
> +allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
> +allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
> +
> +allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
> +allow $1_dbusd_t self:file { getattr read };
> +allow $1_dbusd_t proc_t:file { read };
> +
> +')dnl end dbusd_domain definition
> +
> +# dbusd_client(dbus_type, domain)
> +# Example: dbusd_client_domain(system, user_t)
> +#
> +# Grant permissions for connecting to the specified DBus type
> +# from domain.
> +define(`dbusd_client',`')
> +ifdef(`dbusd.te',`
> +undefine(`dbusd_client')
> +define(`dbusd_client',`
> +# For connecting to the bus
> +allow $2 $1_dbusd_t:unix_stream_socket { connectto };
> +ifelse(`system', `$1', `
> +allow { $2 } { var_run_t system_dbusd_var_run_t }:dir search;
> +allow { $2 } system_dbusd_var_run_t:sock_file { write };
> +',`
> +') dnl endif system
> +# SE-DBus specific permissions
> +allow $2 { $1_dbusd_t self }:dbus { send_msg };
> +') dnl endif dbusd.te
> +')
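Review bot: The header comment for dbusd_client gives the example `dbusd_client_domain(system, user_t)`, which names a macro this file does not define; it should read `# Example: dbusd_client(system, user_t)`. The closing markers are also mislabelled: the `') dnl endif dbusd.te` line actually closes the inner define and the final `')` closes the ifdef, so they would read better as `') dnl end dbusd_client definition` followed by `') dnl end ifdef dbusd.te`. The empty else branch of the ifelse inside dbusd_client would benefit from a one-line comment stating that non-system buses need no extra file permissions, if that is the intent.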
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.17.10/tunables/distro.tun
> --- nsapolicy/tunables/distro.tun	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.10/tunables/distro.tun	2004-09-07 15:54:49.326454326 -0400
> @@ -5,7 +5,7 @@
>  # appropriate ifdefs.
>  
> 
> -dnl define(`distro_redhat')
> +define(`distro_redhat')
>  
>  dnl define(`distro_suse')
>  
> diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.17.10/tunables/tunable.tun
> --- nsapolicy/tunables/tunable.tun	2004-08-27 14:44:11.000000000 -0400
> +++ policy-1.17.10/tunables/tunable.tun	2004-09-07 15:54:49.327454228 -0400
> @@ -5,50 +5,47 @@
>  dnl define(`user_net_control')
>  
>  # Allow users to execute the mount command
> -dnl define(`user_can_mount')
> +define(`user_can_mount')
>  
>  # Allow rpm to run unconfined.
> -dnl define(`unlimitedRPM')
> +define(`unlimitedRPM')
>  
>  # Allow privileged utilities like hotplug and insmod to run unconfined.
> -dnl define(`unlimitedUtils')
> +define(`unlimitedUtils')
>  
>  # Support NFS home directories
> -dnl define(`nfs_home_dirs')
> +define(`nfs_home_dirs')
>  
>  # Allow users to run games
> -dnl define(`use_games')
> +define(`use_games')
>  
>  # Allow ypbind to run with NIS
> -dnl define(`allow_ypbind')
> +define(`allow_ypbind')
>  
>  # Allow rc scripts to run unconfined, including any daemon
>  # started by an rc script that does not have a domain transition
>  # explicitly defined.
> -dnl define(`unlimitedRC')
> +define(`unlimitedRC')
>  
>  # Allow sysadm_t to directly start daemons
>  define(`direct_sysadm_daemon')
>  
>  # Do not audit things that we know to be broken but which
>  # are not security risks
> -dnl define(`hide_broken_symptoms')
> +define(`hide_broken_symptoms')
>  
>  # Allow sysadm_t to do almost everything
>  dnl define(`unrestricted_admin')
>  
>  # Allow the read/write/create on any NFS file system
> -dnl define(`nfs_export_all_rw')
> -
> -# Allow users to unrestricted access
> -dnl define(`unlimitedUsers')
> +define(`nfs_export_all_rw')
>  
>  # Allow the reading on any NFS file system
>  dnl define(`nfs_export_all_ro')
>  
>  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
>  # Otherwise, only staff_r can do so.
> -dnl define(`user_canbe_sysadm')
> +define(`user_canbe_sysadm')
>  
>  # Allow xinetd to run unconfined, including any services it starts
>  # that do not have a domain transition explicitly defined.
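Review bot: This hunk flips most of the tunables from commented-out to defined, including `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC`, `user_canbe_sysadm` and `nfs_export_all_rw`, and deletes the `unlimitedUsers` entry altogether, none of which is mentioned in the patch description. These read like one site's build settings rather than part of the udev/tmpfs or dbus change, and applying them would loosen the shipped defaults (unconfined rc scripts and rpm, user_r allowed to reach sysadm_r). The ``define(`distro_redhat')`` change in tunables/distro.tun looks like the same kind of local setting. Both files should be dropped from the patch, or the default changes split out and justified separately. The tunable.tun list continues past the end of the hunk.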
> diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.17.10/types/file.te
> --- nsapolicy/types/file.te	2004-08-30 09:49:16.000000000 -0400
> +++ policy-1.17.10/types/file.te	2004-09-07 15:54:49.327454228 -0400
> @@ -258,6 +258,7 @@
>  # the default file system type.
>  #
>  allow { file_type device_type } fs_t:filesystem associate;
> +allow { file_type device_type } tmpfs_t:filesystem associate;
>  
>  # Allow the pty to be associated with the file system.
>  allow devpts_t devpts_t:filesystem associate;
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency


* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-09 12:53 ` James Carter
@ 2004-09-09 18:21   ` Colin Walters
  2004-09-09 20:26     ` James Carter
  0 siblings, 1 reply; 10+ messages in thread
From: Colin Walters @ 2004-09-09 18:21 UTC (permalink / raw)
  To: jwcart2; +Cc: Daniel J Walsh, Stephen Smalley, SELinux


[-- Attachment #1.1: Type: text/plain, Size: 613 bytes --]

On Thu, 2004-09-09 at 08:53 -0400, James Carter wrote:
> When I build the policy with this patch there is a conflict with two
> type transitions.
> 
> Because of the alias rule:
> typealias system_dbusd_exec_t alias dbusd_exec_t;
> 
> The following type transitions conflict:
> type_transition sysadm_t dbusd_exec_t:process sysadm_dbusd_t;
> type_transition sysadm_t system_dbusd_exec_t:process system_dbusd_t;
> 
> The second transition is the one used when I build the policy.  I am not
> sure if that is the desired transition.

Hm.  Yes, we actually want the former.  Can you try this patch?


[-- Attachment #1.2: se-dbus-nosysadm.patch --]
[-- Type: text/x-patch, Size: 460 bytes --]

--- macros/program/dbusd_macros.te~	2004-09-09 14:08:20.192951192 -0400
+++ macros/program/dbusd_macros.te	2004-09-09 14:19:06.701666928 -0400
@@ -9,7 +9,7 @@
 
 define(`dbusd_domain', `
 ifelse(`system', `$1',`
-daemon_domain(system_dbusd, `, userspace_objmgr')
+daemon_domain(system_dbusd, `, userspace_objmgr', `nosysadm')
 # For backwards compatibility
 typealias system_dbusd_t alias dbusd_t;
 typealias system_dbusd_exec_t alias dbusd_exec_t;
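Review bot: The new third argument is not explained next to the call, so a reader of dbusd_macros.te cannot tell why the system bus alone opts out of the sysadm handling. A comment above the call would record the reason given in this thread, for example `# nosysadm: sysadm_t running dbusd_exec_t must enter sysadm_dbusd_t, not system_dbusd_t`. The body of dbusd_domain continues beyond this hunk.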


* Re: Patch to make udev/tmpfs work and changes from colin  walters for dbus.
  2004-09-09 18:21   ` Colin Walters
@ 2004-09-09 20:26     ` James Carter
  0 siblings, 0 replies; 10+ messages in thread
From: James Carter @ 2004-09-09 20:26 UTC (permalink / raw)
  To: Colin Walters; +Cc: Daniel J Walsh, Stephen Smalley, SELinux

That works.
Merged the original patch along with this fix.

On Thu, 2004-09-09 at 14:21, Colin Walters wrote:
> On Thu, 2004-09-09 at 08:53 -0400, James Carter wrote:
> > When I build the policy with this patch there is a conflict with two
> > type transitions.
> > 
> > Because of the alias rule:
> > typealias system_dbusd_exec_t alias dbusd_exec_t;
> > 
> > The following type transitions conflict:
> > type_transition sysadm_t dbusd_exec_t:process sysadm_dbusd_t;
> > type_transition sysadm_t system_dbusd_exec_t:process system_dbusd_t;
> > 
> > The second transition is the one used when I build the policy.  I am not
> > sure if that is the desired transition.
> 
> Hm.  Yes, we actually want the former.  Can you try this patch?
-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
