[refpolicy] kernel_devices.patch

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] kernel_devices.patch
@ 2010-08-26 22:46 Daniel J Walsh
  0 siblings, 0 replies; 20+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:46 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch

Lots of new devices.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx27q0ACgkQrlYvE4MpobP0mACfWFFnrlVhkBGTIjljxBZpKTnb
GaAAnivq3u0tObRS7L/4Q1ArHewon2Le
=uOPL
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
@ 2010-06-02 20:19 Daniel J Walsh
  2010-06-07 13:20 ` Christopher J. PeBenito
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel J Walsh @ 2010-06-02 20:19 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch

vhost_device_t added for libvirt/qemu

/dev/usbmon device added

Added default label for /sys so libvirt could relabel to it.

lots of new interfaces.

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-02 20:19 Daniel J Walsh
@ 2010-06-07 13:20 ` Christopher J. PeBenito
  2010-06-07 13:23   ` Daniel J Walsh
  0 siblings, 1 reply; 20+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 13:20 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> 
> vhost_device_t added for libvirt/qemu
> 
> /dev/usbmon device added
> 
> Added default label for /sys so libvirt could relabel to it.

I don't understand this.  There should be no files labeled sysfs_t,
except for the entries created by the kernel on the fs itself, which get
the right label already.

> lots of new interfaces.

Otherwise merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-07 13:20 ` Christopher J. PeBenito
@ 2010-06-07 13:23   ` Daniel J Walsh
  2010-06-07 13:39     ` Christopher J. PeBenito
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel J Walsh @ 2010-06-07 13:23 UTC (permalink / raw)
  To: refpolicy

On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
>>
>> vhost_device_t added for libvirt/qemu
>>
>> /dev/usbmon device added
>>
>> Added default label for /sys so libvirt could relabel to it.
>
> I don't understand this.  There should be no files labeled sysfs_t,
> except for the entries created by the kernel on the fs itself, which get
> the right label already.
>
>> lots of new interfaces.
>
> Otherwise merged.
>
libvirt currently does the equivalent of

chcon svirt_t:MCS1 DEVICE
Run QEMU
restorecon DEVICE

If /sys is <<none>> then it does not have a label to change the context 
back to.  And leaves the context with a label svirt_t:MCS1.  If it later 
picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-07 13:23   ` Daniel J Walsh
@ 2010-06-07 13:39     ` Christopher J. PeBenito
  2010-06-07 15:52       ` Daniel J Walsh
  0 siblings, 1 reply; 20+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 13:39 UTC (permalink / raw)
  To: refpolicy

On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> >>
> >> Added default label for /sys so libvirt could relabel to it.
> >
> > I don't understand this.  There should be no files labeled sysfs_t,
> > except for the entries created by the kernel on the fs itself, which get
> > the right label already.
> >
> libvirt currently does the equivalent of
> 
> chcon svirt_t:MCS1 DEVICE
> Run QEMU
> restorecon DEVICE
> 
> If /sys is <<none>> then it does not have a label to change the context 
> back to.  And leaves the context with a label svirt_t:MCS1.  If it later 
> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.

I still don't understand.  There are no device nodes in sysfs.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-07 13:39     ` Christopher J. PeBenito
@ 2010-06-07 15:52       ` Daniel J Walsh
  2010-06-07 17:42         ` Stephen Smalley
  2010-06-07 18:00         ` Christopher J. PeBenito
  0 siblings, 2 replies; 20+ messages in thread
From: Daniel J Walsh @ 2010-06-07 15:52 UTC (permalink / raw)
  To: refpolicy

On 06/07/2010 09:39 AM, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
>> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
>>> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
>>>>
>>>> Added default label for /sys so libvirt could relabel to it.
>>>
>>> I don't understand this.  There should be no files labeled sysfs_t,
>>> except for the entries created by the kernel on the fs itself, which get
>>> the right label already.
>>>
>> libvirt currently does the equivalent of
>>
>> chcon svirt_t:MCS1 DEVICE
>> Run QEMU
>> restorecon DEVICE
>>
>> If /sys is<<none>>  then it does not have a label to change the context
>> back to.  And leaves the context with a label svirt_t:MCS1.  If it later
>> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.
>
> I still don't understand.  There are no device nodes in sysfs.
>
sysfs supports labeling now.  Certain objects need to have a 
svirt_image_t:MCS label associated with them under /sys (Usb devices?) 
When libvirt needs to changes these labels back to the default it asks 
matchpathcon and it returns sysfs_t.

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-07 15:52       ` Daniel J Walsh
@ 2010-06-07 17:42         ` Stephen Smalley
  2010-06-07 18:00         ` Christopher J. PeBenito
  1 sibling, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2010-06-07 17:42 UTC (permalink / raw)
  To: refpolicy

On Mon, 2010-06-07 at 11:52 -0400, Daniel J Walsh wrote:
> On 06/07/2010 09:39 AM, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
> >> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> >>> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> >>>>
> >>>> Added default label for /sys so libvirt could relabel to it.
> >>>
> >>> I don't understand this.  There should be no files labeled sysfs_t,
> >>> except for the entries created by the kernel on the fs itself, which get
> >>> the right label already.
> >>>
> >> libvirt currently does the equivalent of
> >>
> >> chcon svirt_t:MCS1 DEVICE
> >> Run QEMU
> >> restorecon DEVICE
> >>
> >> If /sys is<<none>>  then it does not have a label to change the context
> >> back to.  And leaves the context with a label svirt_t:MCS1.  If it later
> >> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.
> >
> > I still don't understand.  There are no device nodes in sysfs.
> >
> sysfs supports labeling now.  Certain objects need to have a 
> svirt_image_t:MCS label associated with them under /sys (Usb devices?) 
> When libvirt needs to changes these labels back to the default it asks 
> matchpathcon and it returns sysfs_t.

This is to support access to PCI device resources via sysfs.
See Documentation/sysfs-pci.txt.

-- 
Stephen Smalley
National Security Agency

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-07 15:52       ` Daniel J Walsh
  2010-06-07 17:42         ` Stephen Smalley
@ 2010-06-07 18:00         ` Christopher J. PeBenito
  2010-06-07 18:09           ` Stephen Smalley
  1 sibling, 1 reply; 20+ messages in thread
From: Christopher J. PeBenito @ 2010-06-07 18:00 UTC (permalink / raw)
  To: refpolicy

On Mon, 2010-06-07 at 11:52 -0400, Daniel J Walsh wrote:
> On 06/07/2010 09:39 AM, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
> >> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> >>> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> >>>>
> >>>> Added default label for /sys so libvirt could relabel to it.
> >>>
> >>> I don't understand this.  There should be no files labeled sysfs_t,
> >>> except for the entries created by the kernel on the fs itself, which get
> >>> the right label already.
> >>>
> >> libvirt currently does the equivalent of
> >>
> >> chcon svirt_t:MCS1 DEVICE
> >> Run QEMU
> >> restorecon DEVICE
> >>
> >> If /sys is<<none>>  then it does not have a label to change the context
> >> back to.  And leaves the context with a label svirt_t:MCS1.  If it later
> >> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.
> >
> > I still don't understand.  There are no device nodes in sysfs.
> >
> sysfs supports labeling now.  Certain objects need to have a 
> svirt_image_t:MCS label associated with them under /sys (Usb devices?) 
> When libvirt needs to changes these labels back to the default it asks 
> matchpathcon and it returns sysfs_t.

Why doesn't it save the previous label and then restore it? That is much
more sane, in case the previous label was not sysfs_t.  I don't know if
thats likely to happen, but it seems safer too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-06-07 18:00         ` Christopher J. PeBenito
@ 2010-06-07 18:09           ` Stephen Smalley
  0 siblings, 0 replies; 20+ messages in thread
From: Stephen Smalley @ 2010-06-07 18:09 UTC (permalink / raw)
  To: refpolicy

On Mon, 2010-06-07 at 14:00 -0400, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 11:52 -0400, Daniel J Walsh wrote:
> > On 06/07/2010 09:39 AM, Christopher J. PeBenito wrote:
> > > On Mon, 2010-06-07 at 09:23 -0400, Daniel J Walsh wrote:
> > >> On 06/07/2010 09:20 AM, Christopher J. PeBenito wrote:
> > >>> On Wed, 2010-06-02 at 16:19 -0400, Daniel J Walsh wrote:
> > >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_devices.patch
> > >>>>
> > >>>> Added default label for /sys so libvirt could relabel to it.
> > >>>
> > >>> I don't understand this.  There should be no files labeled sysfs_t,
> > >>> except for the entries created by the kernel on the fs itself, which get
> > >>> the right label already.
> > >>>
> > >> libvirt currently does the equivalent of
> > >>
> > >> chcon svirt_t:MCS1 DEVICE
> > >> Run QEMU
> > >> restorecon DEVICE
> > >>
> > >> If /sys is<<none>>  then it does not have a label to change the context
> > >> back to.  And leaves the context with a label svirt_t:MCS1.  If it later
> > >> picks an svirt_t:MCS1 for a different image, this /sys device is vulnerable.
> > >
> > > I still don't understand.  There are no device nodes in sysfs.
> > >
> > sysfs supports labeling now.  Certain objects need to have a 
> > svirt_image_t:MCS label associated with them under /sys (Usb devices?) 
> > When libvirt needs to changes these labels back to the default it asks 
> > matchpathcon and it returns sysfs_t.
> 
> Why doesn't it save the previous label and then restore it? That is much
> more sane, in case the previous label was not sysfs_t.  I don't know if
> thats likely to happen, but it seems safer too.

I suggested that as well, and they said the problem is tracking the
state across libvirtd restarts, although they hope to migrate to that
approach long term.

-- 
Stephen Smalley
National Security Agency

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
@ 2010-02-23 22:07 Daniel J Walsh
  2010-03-04 20:30 ` Christopher J. PeBenito
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel J Walsh @ 2010-02-23 22:07 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_devices.patch

New devices
btrfs-control
dahdi
etherd
misc/dlm
pps
usbmon
uinput
uio

+dev_rw_generic_chr_files(devicekit_power_t)
+    dev_dontaudit_write_all_chr_files(abrt_helper_t)
+    dev_dontaudit_write_all_blk_files(abrt_helper_t)
+    dev_dontaudit_write_mtrr(iptables_t)
+dev_rw_all_inherited_chr_files(sandbox_domain)
+dev_rw_all_inherited_blk_files(sandbox_domain)
+dev_setattr_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(gfs_controld_t
+dev_rw_dlm_control(dlm_controld_t)
+dev_write_kmsg(initrc_t)

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-02-23 22:07 Daniel J Walsh
@ 2010-03-04 20:30 ` Christopher J. PeBenito
  2010-03-05 16:08   ` Daniel J Walsh
  0 siblings, 1 reply; 20+ messages in thread
From: Christopher J. PeBenito @ 2010-03-04 20:30 UTC (permalink / raw)
  To: refpolicy

On Tue, 2010-02-23 at 17:07 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_devices.patch
> 
> New devices
> btrfs-control
> dahdi
> etherd
> misc/dlm
> pps
> usbmon
> uinput
> uio

Merged, except for usbmod, only because I wonder if it should be
debugfs_t, since the same info is available
under /sys/kernel/debug/usb/usbmon/* on a per-device basis.

> +dev_rw_generic_chr_files(devicekit_power_t)
> +    dev_dontaudit_write_all_chr_files(abrt_helper_t)
> +    dev_dontaudit_write_all_blk_files(abrt_helper_t)
> +    dev_dontaudit_write_mtrr(iptables_t)
> +dev_rw_all_inherited_chr_files(sandbox_domain)
> +dev_rw_all_inherited_blk_files(sandbox_domain)
> +dev_setattr_dlm_control(rgmanager_t)
> +dev_setattr_dlm_control(gfs_controld_t
> +dev_rw_dlm_control(dlm_controld_t)
> +dev_write_kmsg(initrc_t)
> 

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2010-03-04 20:30 ` Christopher J. PeBenito
@ 2010-03-05 16:08   ` Daniel J Walsh
  0 siblings, 0 replies; 20+ messages in thread
From: Daniel J Walsh @ 2010-03-05 16:08 UTC (permalink / raw)
  To: refpolicy

On 03/04/2010 03:30 PM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:07 -0500, Daniel J Walsh wrote:
>    
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_devices.patch
>>
>> New devices
>> btrfs-control
>> dahdi
>> etherd
>> misc/dlm
>> pps
>> usbmon
>> uinput
>> uio
>>      
> Merged, except for usbmod, only because I wonder if it should be
> debugfs_t, since the same info is available
> under /sys/kernel/debug/usb/usbmon/* on a per-device basis.
>
>    
>> +dev_rw_generic_chr_files(devicekit_power_t)
>> +    dev_dontaudit_write_all_chr_files(abrt_helper_t)
>> +    dev_dontaudit_write_all_blk_files(abrt_helper_t)
>> +    dev_dontaudit_write_mtrr(iptables_t)
>> +dev_rw_all_inherited_chr_files(sandbox_domain)
>> +dev_rw_all_inherited_blk_files(sandbox_domain)
>> +dev_setattr_dlm_control(rgmanager_t)
>> +dev_setattr_dlm_control(gfs_controld_t
>> +dev_rw_dlm_control(dlm_controld_t)
>> +dev_write_kmsg(initrc_t)
>>
>>      

Should we label both usbmon_dev_t? usmonfs_t?

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
@ 2009-11-12 20:58 Daniel J Walsh
  2009-11-19 14:44 ` Christopher J. PeBenito
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel J Walsh @ 2009-11-12 20:58 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_devices.patch

New devices and interfaces to access them

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2009-11-12 20:58 Daniel J Walsh
@ 2009-11-19 14:44 ` Christopher J. PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Christopher J. PeBenito @ 2009-11-19 14:44 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 15:58 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_devices.patch
> 
> New devices and interfaces to access them

Merged, with some rearrangement.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
@ 2009-05-21 15:17 Daniel J Walsh
  2009-06-08 17:17 ` Christopher J. PeBenito
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:17 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_devices.patch

Add /dev/card, /dev/controlD64, /dev/tpm

Add interface to delete the null device

Fix interface type requires in dev_rw_generic_usb_dev

Add tpp_device_t type

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2009-05-21 15:17 Daniel J Walsh
@ 2009-06-08 17:17 ` Christopher J. PeBenito
  0 siblings, 0 replies; 20+ messages in thread
From: Christopher J. PeBenito @ 2009-06-08 17:17 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-05-21 at 11:17 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_devices.patch
> 
> Add /dev/card, /dev/controlD64, /dev/tpm
> 
> Add interface to delete the null device
> 
> Fix interface type requires in dev_rw_generic_usb_dev
> 
> Add tpp_device_t type

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
@ 2009-03-04 21:32 Daniel J Walsh
  2009-03-05 15:59 ` Christopher J. PeBenito
  0 siblings, 1 reply; 20+ messages in thread
From: Daniel J Walsh @ 2009-03-04 21:32 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_devices.patch


labels for

/dev/3dfx
/dev/autofs
/dev/gfx
/dev/graphics
...


Java wants to attempt to append to the rand device.  Dontaudit for now

interface to manage device_t directories

interfaces to handle new null devices
usb devices

kvm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmu82AACgkQrlYvE4MpobNYFACeN9Eh2IQy62hkLo7do8QMUiCX
/kcAniuwaoIL3/J0CfBHa9FlHi3U2x+l
=nfTV
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2009-03-04 21:32 Daniel J Walsh
@ 2009-03-05 15:59 ` Christopher J. PeBenito
  2009-03-05 17:27   ` Daniel J Walsh
  0 siblings, 1 reply; 20+ messages in thread
From: Christopher J. PeBenito @ 2009-03-05 15:59 UTC (permalink / raw)
  To: refpolicy

On Wed, 2009-03-04 at 16:32 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_devices.patch
> 
> 
> labels for
> 
> /dev/3dfx
> /dev/autofs
> /dev/gfx
> /dev/graphics
> ...
> 
> 
> Java wants to attempt to append to the rand device.  Dontaudit for now
> 
> interface to manage device_t directories
> 
> interfaces to handle new null devices
> usb devices
> 
> kvm

Merged with a bunch of reorganization.

Is this right?

+/dev/bometric/sensor.*	-c gen_context(system_u:object_r:event_device_t,s0)

should it be /dev/biometric instead of /dev/bometric?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
  2009-03-05 15:59 ` Christopher J. PeBenito
@ 2009-03-05 17:27   ` Daniel J Walsh
  0 siblings, 0 replies; 20+ messages in thread
From: Daniel J Walsh @ 2009-03-05 17:27 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
> On Wed, 2009-03-04 at 16:32 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_devices.patch
>>
>>
>> labels for
>>
>> /dev/3dfx
>> /dev/autofs
>> /dev/gfx
>> /dev/graphics
>> ...
>>
>>
>> Java wants to attempt to append to the rand device.  Dontaudit for now
>>
>> interface to manage device_t directories
>>
>> interfaces to handle new null devices
>> usb devices
>>
>> kvm
> 
> Merged with a bunch of reorganization.
> 
> Is this right?
> 
> +/dev/bometric/sensor.*	-c gen_context(system_u:object_r:event_device_t,s0)
> 
> should it be /dev/biometric instead of /dev/bometric?
> 
Yes that is a bug.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmwC3oACgkQrlYvE4MpobMBegCfVnXHv1NkzDitODwITaCWnspV
yF4AoIlwB7F2WdDP2f4KUEkcCnolJFom
=uvPy
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [refpolicy] kernel_devices.patch
@ 2008-11-25 21:50 Daniel J Walsh
  0 siblings, 0 replies; 20+ messages in thread
From: Daniel J Walsh @ 2008-11-25 21:50 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_devices.patch

Add lots of device file context

Allow the relabeling ofr lnk_files from device_t to a device node

add interface for manageing device_t directories


Dontaudit device_t:blk_file as well as device_node:blk_file

Interfaces to handle cpu_dev, null_dev, generic usb_device, usb_pipes,
kvm_device, autofs_device, netcontrol, qemu_device

Add types for  null_dev, generic usb_device, usb_pipes, kvm_device,
autofs_device, netcontrol, qemu_device
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkksczoACgkQrlYvE4MpobNGuwCgwy4hCH956IHQKvfg1EDynttn
NoAAn22qekw7D5t5lhQQW69fWkmt9s7N
=hJkC
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 20+ messages in thread

end of thread, other threads:[~2010-08-26 22:46 UTC | newest]

Thread overview: 20+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-08-26 22:46 [refpolicy] kernel_devices.patch Daniel J Walsh
  -- strict thread matches above, loose matches on Subject: below --
2010-06-02 20:19 Daniel J Walsh
2010-06-07 13:20 ` Christopher J. PeBenito
2010-06-07 13:23   ` Daniel J Walsh
2010-06-07 13:39     ` Christopher J. PeBenito
2010-06-07 15:52       ` Daniel J Walsh
2010-06-07 17:42         ` Stephen Smalley
2010-06-07 18:00         ` Christopher J. PeBenito
2010-06-07 18:09           ` Stephen Smalley
2010-02-23 22:07 Daniel J Walsh
2010-03-04 20:30 ` Christopher J. PeBenito
2010-03-05 16:08   ` Daniel J Walsh
2009-11-12 20:58 Daniel J Walsh
2009-11-19 14:44 ` Christopher J. PeBenito
2009-05-21 15:17 Daniel J Walsh
2009-06-08 17:17 ` Christopher J. PeBenito
2009-03-04 21:32 Daniel J Walsh
2009-03-05 15:59 ` Christopher J. PeBenito
2009-03-05 17:27   ` Daniel J Walsh
2008-11-25 21:50 Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.