* [refpolicy] kernel_filesystem.patch
@ 2010-08-26 23:18 Daniel J Walsh
0 siblings, 0 replies; 29+ messages in thread
From: Daniel J Walsh @ 2010-08-26 23:18 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
Handle hugetblfs, infinibandeventfs, sysv
* [refpolicy] kernel_filesystem.patch
From: Daniel J Walsh @ 2010-06-02 20:23 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
Changes for /cgroup policy
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-06-04 13:34 UTC (permalink / raw)
To: refpolicy
On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
>
> Changes for /cgroup policy
While moving the labeling of cgroup from kernel to filesystem modules
may make sense, I'm not sure why the type and interfaces need to be
renamed.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_filesystem.patch
From: Daniel J Walsh @ 2010-06-04 13:41 UTC (permalink / raw)
To: refpolicy
On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
>>
>> Changes for /cgroup policy
>
> While moving the labeling of cgroup from kernel to filesystem modules
> may make sense, I'm not sure why the type and interfaces need to be
> renamed.
>
Well it is a file system?
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-06-07 12:49 UTC (permalink / raw)
To: refpolicy
On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> >>
> >> Changes for /cgroup policy
> >
> > While moving the labeling of cgroup from kernel to filesystem modules
> > may make sense, I'm not sure why the type and interfaces need to be
> > renamed.
> >
> Well it is a file system?
That's not necessarily a good reason, since other pseudo filesystems
exist in other modules, for good reason. It also doesn't explain the
renaming.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-06-07 12:57 UTC (permalink / raw)
To: refpolicy
On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > >>
> > >> Changes for /cgroup policy
> > >
> > > While moving the labeling of cgroup from kernel to filesystem modules
> > > may make sense, I'm not sure why the type and interfaces need to be
> > > renamed.
> > >
> > Well it is a file system?
>
> That's not necessarily a good reason, since other pseudo filesystems
> exist in other modules, for good reason. It also doesn't explain the
> renaming.
The libcgroup suite was one of the reasons to rename. libcgroup, which automates cgroup management, installs the /cgroup mountpoint, whilst that directory's content is the cgroup pseudo filesystem. So we needed two types for almost the same purpose. So we chose cgroup_t for libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs pseudo fs cgroupfs.
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-06-07 14:00 UTC (permalink / raw)
To: refpolicy
On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > >>
> > > >> Changes for /cgroup policy
> > > >
> > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > renamed.
> > > >
> > > Well it is a file system?
> >
> > That's not necessarily a good reason, since other pseudo filesystems
> > exist in other modules, for good reason. It also doesn't explain the
> > renaming.
>
> The libcgroup suite was one of the reasons to rename. libcgroup, which
> automates cgroup management, installs the /cgroup mountpoint, whilst
> that directory's content is the cgroup pseudo filesystem. So we needed
> two types for almost the same purpose. So we chose cgroup_t for
> libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
> pseudo fs cgroupfs.
I don't see a need for two different types.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-06-07 14:17 UTC (permalink / raw)
To: refpolicy
On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > >>
> > > > >> Changes for /cgroup policy
> > > > >
> > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > renamed.
> > > > >
> > > > Well it is a file system?
> > >
> > > That's not necessarily a good reason, since other pseudo filesystems
> > > exist in other modules, for good reason. It also doesn't explain the
> > > renaming.
> >
> > The libcgroup suite was one of the reasons to rename. libcgroup, which
> > automates cgroup management, installs the /cgroup mountpoint, whilst
> > that directory's content is the cgroup pseudo filesystem. So we needed
> > two types for almost the same purpose. So we chose cgroup_t for
> > libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
> > pseudo fs cgroupfs.
>
> I don't see a need for two different types.
I guess strictly speaking there is no need for two types. We can just add the fc spec for /cgroup -d to filesystem.fc
and let libcgroup and other domains call cgroup filesystem interfaces.
We might lose a bit of flexibility, but most likely that is insignificant anyway.
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-06-07 14:56 UTC (permalink / raw)
To: refpolicy
On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > >>
> > > > > >> Changes for /cgroup policy
> > > > > >
> > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > renamed.
> > > > > >
> > > > > Well it is a file system?
> > > >
> > > > That's not necessarily a good reason, since other pseudo filesystems
> > > > exist in other modules, for good reason. It also doesn't explain the
> > > > renaming.
> > >
> > > The libcgroup suite was one of the reasons to rename. libcgroup, which
> > > automates cgroup management, installs the /cgroup mountpoint, whilst
> > > that directory's content is the cgroup pseudo filesystem. So we needed
> > > two types for almost the same purpose. So we chose cgroup_t for
> > > libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
> > > pseudo fs cgroupfs.
> >
> > I don't see a need for two different types.
>
> I guess strictly speaking there is no need for two types. We can just
> add the fc spec for /cgroup -d to filesystem.fc
That's what I had in mind.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-06-07 15:24 UTC (permalink / raw)
To: refpolicy
On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> > On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > > >>
> > > > > > >> Changes for /cgroup policy
> > > > > > >
> > > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > > renamed.
> > > > > > >
> > > > > > Well it is a file system?
> > > > >
> > > > > That's not necessarily a good reason, since other pseudo filesystems
> > > > > exist in other modules, for good reason. It also doesn't explain the
> > > > > renaming.
> > > >
> > > > The libcgroup suite was one of the reasons to rename. libcgroup, which
> > > > automates cgroup management, installs the /cgroup mountpoint, whilst
> > > > that directory's content is the cgroup pseudo filesystem. So we needed
> > > > two types for almost the same purpose. So we chose cgroup_t for
> > > > libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
> > > > pseudo fs cgroupfs.
> > >
> > > I don't see a need for two different types.
> >
> > I guess strictly speaking there is no need for two types. We can just
> > add the fc spec for /cgroup -d to filesystem.fc
>
> That's what I had in mind.
So... you want cgroup_t instead of cgroupfs_t?
You realize that when we merge the two, the chosen type will get the mountpoint attribute even if it's a directory under /cgroup?
If we can come to some agreement, I will submit a patch with the changes if required.
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-06-07 15:41 UTC (permalink / raw)
To: refpolicy
On Mon, 2010-06-07 at 17:24 +0200, Dominick Grift wrote:
> On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
> > On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
> > > On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
> > > > On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
> > > > > On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
> > > > > > On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
> > > > > > > On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
> > > > > > > > On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > > > > > > >> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> > > > > > > >>
> > > > > > > >> Changes for /cgroup policy
> > > > > > > >
> > > > > > > > While moving the labeling of cgroup from kernel to filesystem modules
> > > > > > > > may make sense, I'm not sure why the type and interfaces need to be
> > > > > > > > renamed.
> > > > > > > >
> > > > > > > Well it is a file system?
> > > > > >
> > > > > > That's not necessarily a good reason, since other pseudo filesystems
> > > > > > exist in other modules, for good reason. It also doesn't explain the
> > > > > > renaming.
> > > > >
> > > > > The libcgroup suite was one of the reasons to rename. libcgroup, which
> > > > > automates cgroup management, installs the /cgroup mountpoint, whilst
> > > > > that directory's content is the cgroup pseudo filesystem. So we needed
> > > > > two types for almost the same purpose. So we chose cgroup_t for
> > > > > libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
> > > > > pseudo fs cgroupfs.
> > > >
> > > > I don't see a need for two different types.
> > >
> > > I guess strictly speaking there is no need for two types. We can just
> > > add the fc spec for /cgroup -d to filesystem.fc
> >
> > That's what I had in mind.
>
> So.. you want cgroup_t instead of cgroupfs_t?
Yes, since the filesystem is called cgroup and the cgroup_t type already
exists to label it.
> You realize that when we merge the two, the chosen type will get
> the mountpoint attribute even if it's a directory under /cgroup?
Yes.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] kernel_filesystem.patch
From: Daniel J Walsh @ 2010-06-07 16:50 UTC (permalink / raw)
To: refpolicy
On 06/07/2010 11:41 AM, Christopher J. PeBenito wrote:
> On Mon, 2010-06-07 at 17:24 +0200, Dominick Grift wrote:
>> On Mon, Jun 07, 2010 at 10:56:08AM -0400, Christopher J. PeBenito wrote:
>>> On Mon, 2010-06-07 at 16:17 +0200, Dominick Grift wrote:
>>>> On Mon, Jun 07, 2010 at 10:00:08AM -0400, Christopher J. PeBenito wrote:
>>>>> On Mon, 2010-06-07 at 14:57 +0200, Dominick Grift wrote:
>>>>>> On Mon, Jun 07, 2010 at 08:49:09AM -0400, Christopher J. PeBenito wrote:
>>>>>>> On Fri, 2010-06-04 at 09:41 -0400, Daniel J Walsh wrote:
>>>>>>>> On 06/04/2010 09:34 AM, Christopher J. PeBenito wrote:
>>>>>>>>> On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
>>>>>>>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
>>>>>>>>>>
>>>>>>>>>> Changes for /cgroup policy
>>>>>>>>>
>>>>>>>>> While moving the labeling of cgroup from kernel to filesystem modules
>>>>>>>>> may make sense, I'm not sure why the type and interfaces need to be
>>>>>>>>> renamed.
>>>>>>>>>
>>>>>>>> Well it is a file system?
>>>>>>>
>>>>>>> That's not necessarily a good reason, since other pseudo filesystems
>>>>>>> exist in other modules, for good reason. It also doesn't explain the
>>>>>>> renaming.
>>>>>>
>>>>>> The libcgroup suite was one of the reasons to rename. libcgroup, which
>>>>>> automates cgroup management, installs the /cgroup mountpoint, whilst
>>>>>> that directory's content is the cgroup pseudo filesystem. So we needed
>>>>>> two types for almost the same purpose. So we chose cgroup_t for
>>>>>> libcgroup's /cgroup mountpoint and we decided to rename the cgroupfs
>>>>>> pseudo fs cgroupfs.
>>>>>
>>>>> I don't see a need for two different types.
>>>>
>>>> I guess strictly speaking there is no need for two types. We can just
>>>> add the fc spec for /cgroup -d to filesystem.fc
>>>
>>> That's what I had in mind.
>>
>> So.. you want cgroup_t instead of cgroupfs_t?
>
> Yes, since the filesystem is called cgroup and the cgroup_t type already
> exists to label it.
>
>> You realize that when we merge the two, the chosen type will get
>> the mountpoint attribute even if it's a directory under /cgroup?
>
> Yes.
>
I don't care either way. Just want to get it settled.
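The sub-thread above settles on a single cgroup_t type plus a directory-only `/cgroup -d` spec in filesystem.fc. As an added illustration of what such a spec does (example code written for this page, not refpolicy's or libselinux's own code), the matcher below applies the file_contexts rules: the regex must match the whole path, a qualifier such as -d restricts the entry to one object class, and the last matching entry in the file wins, as libselinux does. The filesystem.fc excerpt is constructed.

```python
"""Constructed example for this thread (not refpolicy or libselinux code):
how a file_contexts entry with a -d qualifier, such as the /cgroup spec
discussed above, is matched against a path and a file type."""
import re
import stat
from dataclasses import dataclass
from typing import Optional

# file_contexts object-class qualifiers -> the stat() file type they select
QUALIFIERS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-c": stat.S_IFCHR, "-b": stat.S_IFBLK,
    "-s": stat.S_IFSOCK, "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
}


@dataclass
class FcEntry:
    regex: re.Pattern
    ftype: Optional[int]   # None: the entry applies to every file type
    context: str           # user:role:type:range


def expand_gen_context(spec: str) -> str:
    """gen_context(ctx,range) -> ctx:range, as the refpolicy build expands it
    for an MLS/MCS policy before installing file_contexts."""
    m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", spec)
    return f"{m.group(1)}:{m.group(2)}" if m else spec


def parse_file_contexts(text: str) -> list:
    """Parse 'regex [qualifier] context' lines; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:            # regex, qualifier, context
            path_re, ctx = fields[0], fields[2]
            ftype = QUALIFIERS[fields[1]]
        else:                           # regex, context
            (path_re, ctx), ftype = fields, None
        entries.append(FcEntry(re.compile(path_re), ftype, expand_gen_context(ctx)))
    return entries


def match_context(entries: list, path: str, ftype: int) -> Optional[str]:
    """Return the context for path, or None when no entry matches.
    The regex must match the whole path, the qualifier must agree with the
    file type, and the last matching entry in the file wins (as libselinux does)."""
    for entry in reversed(entries):
        if entry.ftype is not None and entry.ftype != ftype:
            continue
        if entry.regex.fullmatch(path):
            return entry.context
    return None


# Constructed filesystem.fc-style excerpt modelled on the proposal in the thread:
# a catch-all default_t entry and the directory-only /cgroup mountpoint spec.
FILESYSTEM_FC = """
/.*            gen_context(system_u:object_r:default_t,s0)
/cgroup   -d   gen_context(system_u:object_r:cgroup_t,s0)
"""
ENTRIES = parse_file_contexts(FILESYSTEM_FC)


def label_for(path: str, ftype: int) -> Optional[str]:
    return match_context(ENTRIES, path, ftype)


if __name__ == "__main__":
    # The mountpoint directory gets cgroup_t; a regular file of the same name
    # only hits the catch-all, and so does anything below /cgroup on disk:
    # once the cgroup pseudo filesystem is mounted there, its contents are
    # labelled by the kernel via genfscon, not by file_contexts.
    for path, ftype in [("/cgroup", stat.S_IFDIR), ("/cgroup", stat.S_IFREG),
                        ("/cgroup/cpu", stat.S_IFDIR)]:
        print(path, stat.filemode(ftype)[0], "->", label_for(path, ftype))
```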
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-06-04 15:59 UTC (permalink / raw)
To: refpolicy
On Fri, Jun 04, 2010 at 09:34:13AM -0400, Christopher J. PeBenito wrote:
> On Wed, 2010-06-02 at 16:23 -0400, Daniel J Walsh wrote:
> > http://people.fedoraproject.org/~dwalsh/SELinux/F14/kernel_filesystem.patch
> >
> > Changes for /cgroup policy
>
> While moving the labeling of cgroup from kernel to filesystem modules
> may make sense, I'm not sure why the type and interfaces need to be
> renamed.
Because /cgroup (dir) is owned by the libcg package. The cgroupfs files are not. Besides that, cgroupfs_t seems an appropriate name.
* [refpolicy] kernel_filesystem.patch
From: Daniel J Walsh @ 2010-02-23 22:09 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
Changes for handling leaks
Handling fusefs and hugetlbfs, cgroups
gpfs file system
devtmpfs file system
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-03-12 16:41 UTC (permalink / raw)
To: refpolicy
On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>
> Changes for handling leaks
>
> Handling fusefs and hugetlbfs, cgroups
I'm confused by this:
+files_type(hugetlbfs_t)
+files_poly_parent(hugetlbfs_t)
If it's a filesystem, it's not a regular file.
> gpfs file system
> devtmpfs file system
I'm thinking that perhaps devtmpfs should be moved to devices and use
device_t, since that's its only purpose.
Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
dontauditing).
Otherwise merged, with some rearrangement.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] kernel_filesystem.patch
From: Daniel J Walsh @ 2010-03-12 20:24 UTC (permalink / raw)
To: refpolicy
On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/kernel_filesystem.patch
>>
>> Changes for handling leaks
>>
>> Handling fusefs and hugetlbfs, cgroups
>>
> I'm confused by this:
>
> +files_type(hugetlbfs_t)
> +files_poly_parent(hugetlbfs_t)
>
> If it's a filesystem, it's not a regular file.
>
>
Looks like a cut and paste error.
>> gpfs file system
>> devtmpfs file system
>>
> I'm thinking that perhaps devtmpfs should be moved to devices and use
> device_t, since that's its only purpose.
>
>
Sounds good to me.
Will this work?
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> Fixed fs_dontaudit_read_nfs_symlinks() (it was allowing instead of
> dontauditing).
>
> Otherwise merged, with some rearrangement.
>
>
Thanks.
* [refpolicy] kernel_filesystem.patch
From: Christopher J. PeBenito @ 2010-03-12 20:52 UTC (permalink / raw)
To: refpolicy
On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> >> devtmpfs file system
> >>
> > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > device_t, since that's its only purpose.
> >
> >
> Sounds good to me.
>
> Will this work?
>
> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
I don't have a system with devtmpfs, so I can't be sure, but I would
think it would work. That line would go in the devices module.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-03-13 15:39 UTC (permalink / raw)
To: refpolicy
On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > >> devtmpfs file system
> > >>
> > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > device_t, since that's its only purpose.
> > >
> > >
> > Sounds good to me.
> >
> > Will this work?
> >
> > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>
> I don't have a system with devtmpfs, so I can't be sure, but I would
> think it would work. That line would go in the devices module.
Yes, that works; I can confirm that.
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-03-13 18:17 UTC (permalink / raw)
To: refpolicy
On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > >> devtmpfs file system
> > >>
> > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > device_t, since that's its only purpose.
> > >
> > >
> > Sounds good to me.
> >
> > Will this work?
> >
> > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>
> I don't have a system with devtmpfs, so I can't be sure, but I would
> think it would work. That line would go in the devices module.
Although we might get some of these:
allow devlog_t device_t:filesystem associate;
allow tty_device_t device_t:filesystem associate;
* [refpolicy] kernel_filesystem.patch
From: Chris PeBenito @ 2010-03-13 23:38 UTC (permalink / raw)
To: refpolicy
On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
> On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> > On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > > >> devtmpfs file system
> > > >>
> > > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > > device_t, since that's its only purpose.
> > > >
> > > >
> > > Sounds good to me.
> > >
> > > Will this work?
> > >
> > > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> >
> > I don't have a system with devtmpfs, so I can't be sure, but I would
> > think it would work. That line would go in the devices module.
>
> Although we might get some of these:
>
> allow devlog_t device_t:filesystem associate;
> allow tty_device_t device_t:filesystem associate;
That's easy enough to fix; just put this in devices.te:
allow device_node device_t:filesystem associate;
along with something similar in dev_filetrans(). Thanks for testing it
out.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* [refpolicy] kernel_filesystem.patch
From: Dominick Grift @ 2010-03-20 15:59 UTC (permalink / raw)
To: refpolicy
On Sat, Mar 13, 2010 at 06:38:08PM -0500, Chris PeBenito wrote:
> On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
> > On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> > > On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > > > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > > > >> devtmpfs file system
> > > > >>
> > > > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > > > device_t, since that's its only purpose.
> > > > >
> > > > >
> > > > Sounds good to me.
> > > >
> > > > Will this work?
> > > >
> > > > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> > >
> > > I don't have a system with devtmpfs, so I can't be sure, but I would
> > > think it would work. That line would go in the devices module.
> >
> > Although we might get some of these:
> >
> > allow devlog_t device_t:filesystem associate;
> > allow tty_device_t device_t:filesystem associate;
>
> That's easy enough to fix; just put this in devices.te:
>
> allow device_node device_t:filesystem associate;
>
> along with something similar in dev_filetrans(). Thanks for testing it
> out.
I was wrong. It works in permissive mode, but as soon as I boot in enforcing mode things stop working and I have no clue as to why.
* [refpolicy] kernel_filesystem.patch
From: Daniel J Walsh @ 2010-03-22 13:49 UTC (permalink / raw)
To: refpolicy
On 03/20/2010 11:59 AM, Dominick Grift wrote:
> On Sat, Mar 13, 2010 at 06:38:08PM -0500, Chris PeBenito wrote:
>
>> On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
>>
>>> On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
>>>
>>>> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
>>>>
>>>>> On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
>>>>>
>>>>>> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>>>>>>
>>>>>>> devtmpfs file system
>>>>>>>
>>>>>>>
>>>>>> I'm thinking that perhaps devtmpfs should be moved to devices and use
>>>>>> device_t, since that's its only purpose.
>>>>>>
>>>>>>
>>>>>>
>>>>> Sounds good to me.
>>>>>
>>>>> Will this work?
>>>>>
>>>>> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>>>>>
>>>> I don't have a system with devtmpfs, so I can't be sure, but I would
>>>> think it would work. That line would go in the devices module.
>>>>
>>> Although we might get some of these:
>>>
>>> allow devlog_t device_t:filesystem associate;
>>> allow tty_device_t device_t:filesystem associate;
>>>
>> That's easy enough to fix; just put this in devices.te:
>>
>> allow device_node device_t:filesystem associate;
>>
>> along with something similar in dev_filetrans(). Thanks for testing it
>> out.
>>
> I was wrong. It works in permissive mode, but as soon as I boot in enforcing mode things stop working and I have no clue as to why.
>
>
I started on this but pulled back when I had too many problems. I think
we can work on this in F14. We need to identify what kind of files can
be associated with a device_t file system, and then set up the rules.
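The step Dan's closing message asks for above (identify which file types end up on a device_t file system, then set up the associate rules) and the `allow ... device_t:filesystem associate;` denials Dominick lists earlier in the thread can both be worked through from the audit log of a permissive-mode boot. The script below is an added example, not code from this thread or from refpolicy: it scans AVC denial lines for `filesystem { associate }` denials against a chosen file system type and renders one `allow` rule per source type, in the same shape as the rules quoted above. The audit lines it runs on are constructed sample data, not real log output, and the `fs_type` parameter and function names are this example's own.

```python
import re

# Constructed sample audit lines (not taken from the thread): what one would
# expect to see in audit.log after booting permissive with devtmpfs labelled
# device_t and no associate rules in place yet. The fourth line is a
# non-associate denial and must be ignored by the scan.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1268500000.123:45): avc:  denied  { associate } for  pid=1 comm="udevd" name="log" scontext=system_u:object_r:devlog_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268500000.124:46): avc:  denied  { associate } for  pid=1 comm="udevd" name="tty1" scontext=system_u:object_r:tty_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268500000.125:47): avc:  denied  { associate } for  pid=1 comm="udevd" name="tty2" scontext=system_u:object_r:tty_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268500000.126:48): avc:  denied  { read } for  pid=1234 comm="cat" name="passwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1268500000.127:49): avc:  denied  { associate } for  pid=1 comm="mount" name="/" scontext=system_u:object_r:tmpfs_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
"""

# Pull the denied permission set, both contexts and the object class out of
# one AVC record. Fields between the permission set and scontext= are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:mls] -> type"""
    return ctx.split(':')[2]


def associate_denials(log_text, fs_type='device_t'):
    """Map each source type denied 'associate' on an fs_type file system to
    the number of denials seen. Insertion order is the order of first
    appearance in the log."""
    counts = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # Only filesystem-class denials whose permission set includes
        # 'associate' and whose target is the file system type we care about.
        if m.group('tclass') != 'filesystem':
            continue
        if 'associate' not in m.group('perms').split():
            continue
        if context_type(m.group('tcontext')) != fs_type:
            continue
        src = context_type(m.group('scontext'))
        counts[src] = counts.get(src, 0) + 1
    return counts


def associate_rules(log_text, fs_type='device_t'):
    """Render one policy rule per source type, in the form used in the thread."""
    return ['allow %s %s:filesystem associate;' % (src, fs_type)
            for src in associate_denials(log_text, fs_type)]


if __name__ == '__main__':
    for src, n in associate_denials(SAMPLE_AUDIT_LOG).items():
        print('%-16s %d denial(s)' % (src, n))
    print('\n'.join(associate_rules(SAMPLE_AUDIT_LOG)))
```

The generated list is a starting point for review, not something to load into policy as-is: a type that unexpectedly turns up on a device_t file system (the constructed tmpfs_t line above, for instance) may point at a labelling problem that should be corrected rather than allowed, which is the distinction Dan's message is drawing.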
* [refpolicy] kernel_filesystem.patch
@ 2009-11-12 21:02 Daniel J Walsh
2009-11-23 18:16 ` Christopher J. PeBenito
0 siblings, 1 reply; 29+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:02 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F12/kernel_filesystem.patch
new file systems
new interfaces
* [refpolicy] kernel_filesystem.patch
@ 2009-05-21 15:26 Daniel J Walsh
2009-06-08 17:17 ` Christopher J. PeBenito
0 siblings, 1 reply; 29+ messages in thread
From: Daniel J Walsh @ 2009-05-21 15:26 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_filesystem.patch
Added additional interfaces used by Fedora.
Labels for hfs and hfsplus are treated as dosfs_t instead of nfs_t
Added xenfs and gadgetfs as nfs_t
* [refpolicy] kernel_filesystem.patch
@ 2009-03-02 22:20 Daniel J Walsh
2009-03-04 16:16 ` Christopher J. PeBenito
0 siblings, 1 reply; 29+ messages in thread
From: Daniel J Walsh @ 2009-03-02 22:20 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_filesystem.patch
Add label for /dev/shm to be tmpfs_t
Add lots of interfaces for cifs, nfs, dos
to handle things like xdm appending .xsession-errors in homedirs if they are nfs, or cifs
Allow people to mounton cifs and nfs file systems (they do)
Interfaces to handle new fusefs in the homedir.
Fix sorting on btrfs in filesystem.te
Add type for ecryptfs_t
Add types for vmblock file systems
Setup ncpfs and dazukofs as nfs_t
* [refpolicy] kernel_filesystem.patch
2009-03-02 22:20 Daniel J Walsh
@ 2009-03-04 16:16 ` Christopher J. PeBenito
0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2009-03-04 16:16 UTC (permalink / raw)
To: refpolicy
On Mon, 2009-03-02 at 17:20 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_filesystem.patch
>
>
> Add label for /dev/shm to be tmpfs_t
I'm not sure we want this. If a tmpfs isn't mounted there, I think we
want the directory to remain device_t.
> Add lots of interfaces for cifs, nfs, dos
I did some rearrangement. I also dropped the
fs_dontaudit_list_cifs_dirs() as there already is a
fs_dontaudit_list_cifs().
Otherwise, merged.
> to handle things like xdm appending .xsession-errors in homedirs if they are nfs, or cifs
>
> Allow people to mounton cifs and nfs file systems (they do)
>
> Interfaces to handle new fusefs in the homedir.
>
> Fix sorting on btrfs in filesystem.te
>
> Add type for ecryptfs_t
>
> Add types for vmblock file systems
>
> Setup ncpfs and dazukofs as nfs_t
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] kernel_filesystem.patch
@ 2008-11-25 21:45 Daniel J Walsh
0 siblings, 0 replies; 29+ messages in thread
From: Daniel J Walsh @ 2008-11-25 21:45 UTC (permalink / raw)
To: refpolicy
http://people.fedoraproject.org/~dwalsh/SELinux/F11/kernel_filesystem.patch
Allow mounting on cifs file systems
Allow listing of directories when using noxattr
Add interface to dontaudit listing of cifs file system
Add interface to append cifs file
Add interface to manage dos files
Add interface to mounton nfs file systems
Add interface to append to nfs files
Add interface to dontaudit append nfs files
Add interface to rw blk files on removable file systems
Add interfaces to search, read, manage, dontaudit manage ... fuse file system
Add fs_use for btrfs
Add ecryptfs_t
Add additional file systems for vmware
Add ncpfs as an nfs file system