* fusermount policy
@ 2007-03-23 19:34 Daniel J Walsh
2007-04-16 15:55 ` Christopher J. PeBenito
0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2007-03-23 19:34 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
[-- Attachment #1: Type: text/plain, Size: 66 bytes --]
This is also used to add support for ntfs-3g from previous patch.
[-- Attachment #2: fusermount.patch --]
[-- Type: text/x-patch, Size: 4611 bytes --]
--- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/fusermount.fc 2007-03-22 15:06:59.000000000 -0400
@@ -0,0 +1,6 @@
+# fusermount executable will have:
+# label: system_u:object_r:fusermount_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
--- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/fusermount.if 2007-03-22 15:06:59.000000000 -0400
@@ -0,0 +1,41 @@
+## <summary>policy for fusermount</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fusermount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fusermount_domtrans',`
+ gen_require(`
+ type fusermount_t, fusermount_exec_t;
+ ')
+
+ domain_auto_trans($1,fusermount_exec_t,fusermount_t)
+
+ allow fusermount_t $1:fd use;
+ allow fusermount_t $1:fifo_file rw_file_perms;
+ allow fusermount_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from fusermount.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fusermount_use_fds',`
+ gen_require(`
+ type fusermount_t;
+ ')
+
+ allow $1 fusermount_t:fd use;
+')
\ No newline at end of file
--- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/fusermount.te 2007-03-22 15:06:59.000000000 -0400
@@ -0,0 +1,44 @@
+policy_module(fusermount,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fusermount_t;
+type fusermount_exec_t;
+application_domain(fusermount_t, fusermount_exec_t)
+role system_r types fusermount_t;
+
+########################################
+#
+# fusermount local policy
+#
+allow fusermount_t self:capability sys_admin;
+allow fusermount_t self:fifo_file { read write };
+allow fusermount_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(fusermount_t)
+
+libs_use_ld_so(fusermount_t)
+libs_use_shared_libs(fusermount_t)
+
+miscfiles_read_localization(fusermount_t)
+
+files_manage_etc_runtime_files(fusermount_t)
+files_etc_filetrans_etc_runtime(fusermount_t,file)
+files_mounton_all_mountpoints(fusermount_t)
+
+fs_mount_fusefs(fusermount_t)
+
+storage_raw_read_fixed_disk(fusermount_t)
+storage_raw_write_fixed_disk(fusermount_t)
+
+optional_policy(`
+ mount_ntfs_rw_stream_sockets(fusermount_t)
+')
+
+ifdef(`targeted_policy',`
+ term_use_generic_ptys(fusermount_t)
+')
+
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/kernel/filesystem.if 2007-03-22 15:06:58.000000000 -0400
@@ -1110,11 +1110,31 @@
type dosfs_t;
')
+ manage_dirs_pattern($1,dosfs_t,dosfs_t)
manage_files_pattern($1,dosfs_t,dosfs_t)
')
########################################
## <summary>
+## read files
+## on a DOS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_dos_files',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ read_files_pattern($1,dosfs_t,dosfs_t)
+')
+
+########################################
+## <summary>
## Read eventpollfs files.
## </summary>
## <desc>
@@ -3402,3 +3422,22 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
+
+
+########################################
+## <summary>
+## Mount an fuse filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-02-19 11:32:51.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/kernel/filesystem.te 2007-03-22 15:06:58.000000000 -0400
@@ -65,6 +65,11 @@
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+type fusefs_t;
+fs_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: fusermount policy
2007-03-23 19:34 fusermount policy Daniel J Walsh
@ 2007-04-16 15:55 ` Christopher J. PeBenito
2007-04-16 16:18 ` Daniel J Walsh
0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2007-04-16 15:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Fri, 2007-03-23 at 15:34 -0400, Daniel J Walsh wrote:
> This is also used to add support for ntfs-3g from previous patch.
Do these two (mount_nfs and fusermount) really need to be separated?
They're both for FUSE filesystems, and the rules aren't really different
since they're both local filesystems. It would make more sense if one
was a network fs, like how we have smbmount in its own domain.
>
>
>
>
>
>
> differences
> between files
> attachment
> (fusermount.patch), "fusermount.patch"
>
> --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31
> 19:00:00.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/system/fusermount.fc 2007-03-22
> 15:06:59.000000000 -0400
> @@ -0,0 +1,6 @@
> +# fusermount executable will have:
> +# label: system_u:object_r:fusermount_exec_t
> +# MLS sensitivity: s0
> +# MCS categories: <none>
> +
> +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
> --- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31
> 19:00:00.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/system/fusermount.if 2007-03-22
> 15:06:59.000000000 -0400
> @@ -0,0 +1,41 @@
> +## <summary>policy for fusermount</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run fusermount.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`fusermount_domtrans',`
> + gen_require(`
> + type fusermount_t, fusermount_exec_t;
> + ')
> +
> + domain_auto_trans($1,fusermount_exec_t,fusermount_t)
> +
> + allow fusermount_t $1:fd use;
> + allow fusermount_t $1:fifo_file rw_file_perms;
> + allow fusermount_t $1:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +## Inherit and use file descriptors from fusermount.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fusermount_use_fds',`
> + gen_require(`
> + type fusermount_t;
> + ')
> +
> + allow $1 fusermount_t:fd use;
> +')
> \ No newline at end of file
> --- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31
> 19:00:00.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/system/fusermount.te 2007-03-22
> 15:06:59.000000000 -0400
> @@ -0,0 +1,44 @@
> +policy_module(fusermount,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type fusermount_t;
> +type fusermount_exec_t;
> +application_domain(fusermount_t, fusermount_exec_t)
> +role system_r types fusermount_t;
> +
> +########################################
> +#
> +# fusermount local policy
> +#
> +allow fusermount_t self:capability sys_admin;
> +allow fusermount_t self:fifo_file { read write };
> +allow fusermount_t self:unix_stream_socket
> create_stream_socket_perms;
> +
> +files_read_etc_files(fusermount_t)
> +
> +libs_use_ld_so(fusermount_t)
> +libs_use_shared_libs(fusermount_t)
> +
> +miscfiles_read_localization(fusermount_t)
> +
> +files_manage_etc_runtime_files(fusermount_t)
> +files_etc_filetrans_etc_runtime(fusermount_t,file)
> +files_mounton_all_mountpoints(fusermount_t)
> +
> +fs_mount_fusefs(fusermount_t)
> +
> +storage_raw_read_fixed_disk(fusermount_t)
> +storage_raw_write_fixed_disk(fusermount_t)
> +
> +optional_policy(`
> + mount_ntfs_rw_stream_sockets(fusermount_t)
> +')
> +
> +ifdef(`targeted_policy',`
> + term_use_generic_ptys(fusermount_t)
> +')
> +
> --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-02-19
> 11:32:51.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/kernel/filesystem.if 2007-03-22
> 15:06:58.000000000 -0400
> @@ -1110,11 +1110,31 @@
> type dosfs_t;
> ')
>
> + manage_dirs_pattern($1,dosfs_t,dosfs_t)
> manage_files_pattern($1,dosfs_t,dosfs_t)
> ')
>
> ########################################
> ## <summary>
> +## read files
> +## on a DOS filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_read_dos_files',`
> + gen_require(`
> + type dosfs_t;
> + ')
> +
> + read_files_pattern($1,dosfs_t,dosfs_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read eventpollfs files.
> ## </summary>
> ## <desc>
> @@ -3402,3 +3422,22 @@
> relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
> relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
> ')
> +
> +
> +########################################
> +## <summary>
> +## Mount an fuse filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_mount_fusefs',`
> + gen_require(`
> + type fusefs_t;
> + ')
> +
> + allow $1 fusefs_t:filesystem mount;
> +')
> --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-02-19
> 11:32:51.000000000 -0500
> +++
> serefpolicy-2.5.10/policy/modules/kernel/filesystem.te 2007-03-22
> 15:06:58.000000000 -0400
> @@ -65,6 +65,11 @@
> # change to task SID 20060628
> #genfscon eventpollfs /
> gen_context(system_u:object_r:eventpollfs_t,s0)
>
> +type fusefs_t;
> +fs_type(fusefs_t)
> +allow fusefs_t self:filesystem associate;
> +genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
> +
> type futexfs_t;
> fs_type(futexfs_t)
> genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: fusermount policy
2007-04-16 15:55 ` Christopher J. PeBenito
@ 2007-04-16 16:18 ` Daniel J Walsh
0 siblings, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2007-04-16 16:18 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE Linux
Christopher J. PeBenito wrote:
> On Fri, 2007-03-23 at 15:34 -0400, Daniel J Walsh wrote:
>
>> This is also used to add support for ntfs-3g from previous patch.
>>
>
> Do these two (mount_nfs and fusermount) really need to be separated?
> They're both for FUSE filesystems, and the rules aren't really different
> since they're both local filesystems. It would make more sense if one
> was a network fs, like how we have smbmount in its own domain.
>
>
I guess so. I was just thinking eventually we might need to deal with
encrypted file system in fuse and these might need different privs the
ntfs. But I am just guessing.
>>
>>
>>
>>
>> differences
>> between files
>> attachment
>> (fusermount.patch), "fusermount.patch"
>>
>> --- nsaserefpolicy/policy/modules/system/fusermount.fc 1969-12-31
>> 19:00:00.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/system/fusermount.fc 2007-03-22
>> 15:06:59.000000000 -0400
>> @@ -0,0 +1,6 @@
>> +# fusermount executable will have:
>> +# label: system_u:object_r:fusermount_exec_t
>> +# MLS sensitivity: s0
>> +# MCS categories: <none>
>> +
>> +/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
>> --- nsaserefpolicy/policy/modules/system/fusermount.if 1969-12-31
>> 19:00:00.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/system/fusermount.if 2007-03-22
>> 15:06:59.000000000 -0400
>> @@ -0,0 +1,41 @@
>> +## <summary>policy for fusermount</summary>
>> +
>> +########################################
>> +## <summary>
>> +## Execute a domain transition to run fusermount.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fusermount_domtrans',`
>> + gen_require(`
>> + type fusermount_t, fusermount_exec_t;
>> + ')
>> +
>> + domain_auto_trans($1,fusermount_exec_t,fusermount_t)
>> +
>> + allow fusermount_t $1:fd use;
>> + allow fusermount_t $1:fifo_file rw_file_perms;
>> + allow fusermount_t $1:process sigchld;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Inherit and use file descriptors from fusermount.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fusermount_use_fds',`
>> + gen_require(`
>> + type fusermount_t;
>> + ')
>> +
>> + allow $1 fusermount_t:fd use;
>> +')
>> \ No newline at end of file
>> --- nsaserefpolicy/policy/modules/system/fusermount.te 1969-12-31
>> 19:00:00.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/system/fusermount.te 2007-03-22
>> 15:06:59.000000000 -0400
>> @@ -0,0 +1,44 @@
>> +policy_module(fusermount,1.0.0)
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +type fusermount_t;
>> +type fusermount_exec_t;
>> +application_domain(fusermount_t, fusermount_exec_t)
>> +role system_r types fusermount_t;
>> +
>> +########################################
>> +#
>> +# fusermount local policy
>> +#
>> +allow fusermount_t self:capability sys_admin;
>> +allow fusermount_t self:fifo_file { read write };
>> +allow fusermount_t self:unix_stream_socket
>> create_stream_socket_perms;
>> +
>> +files_read_etc_files(fusermount_t)
>> +
>> +libs_use_ld_so(fusermount_t)
>> +libs_use_shared_libs(fusermount_t)
>> +
>> +miscfiles_read_localization(fusermount_t)
>> +
>> +files_manage_etc_runtime_files(fusermount_t)
>> +files_etc_filetrans_etc_runtime(fusermount_t,file)
>> +files_mounton_all_mountpoints(fusermount_t)
>> +
>> +fs_mount_fusefs(fusermount_t)
>> +
>> +storage_raw_read_fixed_disk(fusermount_t)
>> +storage_raw_write_fixed_disk(fusermount_t)
>> +
>> +optional_policy(`
>> + mount_ntfs_rw_stream_sockets(fusermount_t)
>> +')
>> +
>> +ifdef(`targeted_policy',`
>> + term_use_generic_ptys(fusermount_t)
>> +')
>> +
>> --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-02-19
>> 11:32:51.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/kernel/filesystem.if 2007-03-22
>> 15:06:58.000000000 -0400
>> @@ -1110,11 +1110,31 @@
>> type dosfs_t;
>> ')
>>
>> + manage_dirs_pattern($1,dosfs_t,dosfs_t)
>> manage_files_pattern($1,dosfs_t,dosfs_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> +## read files
>> +## on a DOS filesystem.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fs_read_dos_files',`
>> + gen_require(`
>> + type dosfs_t;
>> + ')
>> +
>> + read_files_pattern($1,dosfs_t,dosfs_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Read eventpollfs files.
>> ## </summary>
>> ## <desc>
>> @@ -3402,3 +3422,22 @@
>> relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
>> relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
>> ')
>> +
>> +
>> +########################################
>> +## <summary>
>> +## Mount an fuse filesystem.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`fs_mount_fusefs',`
>> + gen_require(`
>> + type fusefs_t;
>> + ')
>> +
>> + allow $1 fusefs_t:filesystem mount;
>> +')
>> --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-02-19
>> 11:32:51.000000000 -0500
>> +++
>> serefpolicy-2.5.10/policy/modules/kernel/filesystem.te 2007-03-22
>> 15:06:58.000000000 -0400
>> @@ -65,6 +65,11 @@
>> # change to task SID 20060628
>> #genfscon eventpollfs /
>> gen_context(system_u:object_r:eventpollfs_t,s0)
>>
>> +type fusefs_t;
>> +fs_type(fusefs_t)
>> +allow fusefs_t self:filesystem associate;
>> +genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
>> +
>> type futexfs_t;
>> fs_type(futexfs_t)
>> genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
>>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-04-16 16:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-23 19:34 fusermount policy Daniel J Walsh
2007-04-16 15:55 ` Christopher J. PeBenito
2007-04-16 16:18 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.