* [refpolicy] [PATCH 2/5] dontaudit mount writes to newly mounted filesystems
2010-11-09 1:25 [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems Chris Richards
@ 2010-11-09 1:25 ` Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 3/5] " Chris Richards
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/files.if | 20 +++++++++++++++++++-
1 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..8f69b85 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1463,7 +1463,25 @@ interface(`files_list_root',`
allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
')
-########################################
+#############################################################
+## <summary>
+## Do not audit attempts to write to / dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_root_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ dontaudit $1 root_t:dir write;
+')
+
+###################
## <summary>
## Do not audit attempts to write
## files in the root directory.
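Review bot: the two separator comments in this hunk break the 40-character `########################################` convention used everywhere else in the series: the replaced separator grows to 61 characters (`+#############################################################`) and the one inserted before the existing "Do not audit attempts to write files in the root directory" doc block shrinks to 19 (`+###################`). Both should be the standard 40-character line so the file stays uniform; the `gen_require` block and the `dontaudit $1 root_t:dir write;` rule are otherwise minimal and correct.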
--
1.7.3.2
* [refpolicy] [PATCH 3/5] dontaudit mount writes to newly mounted filesystems
2010-11-09 1:25 [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 2/5] " Chris Richards
@ 2010-11-09 1:25 ` Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 4/5] " Chris Richards
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 437a42a..b8714e5 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3791,6 +3791,25 @@ interface(`fs_manage_tmpfs_dirs',`
########################################
## <summary>
+## Do not audit attempts to write
+## tmpfs directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_dontaudit_write_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir write;
+')
+
+########################################
+## <summary>
## Create an object in a tmpfs filesystem, with a private
## type using a type transition.
## </summary>
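Review bot: the `<param>` summary on the new `fs_dontaudit_write_tmpfs_dirs` reads `Domain allowed access.`, which is the wording for an allow interface; for a dontaudit interface it should read `Domain to not audit.`, as the companion interfaces in this series do, otherwise the generated documentation suggests the interface grants access. The `<summary>` text `tmpfs directories` also lacks a terminating period.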
--
1.7.3.2
* [refpolicy] [PATCH 4/5] dontaudit mount writes to newly mounted filesystems
2010-11-09 1:25 [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 2/5] " Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 3/5] " Chris Richards
@ 2010-11-09 1:25 ` Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 5/5] " Chris Richards
2010-11-11 14:59 ` [refpolicy] [PATCH 1/5] " Christopher J. PeBenito
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/kernel/kernel.if | 37 +++++++++++++++++++++++++++++++++++++
1 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ed7667a..9d6df6d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -678,6 +678,24 @@ interface(`kernel_dontaudit_search_debugfs',`
########################################
## <summary>
+## Do not audit attempts to write kernel debugging filesystem dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_debugfs_dirs',`
+ gen_require(`
+ type debugfs_t;
+ ')
+
+ dontaudit $1 debugfs_t:dir write;
+')
+
+########################################
+## <summary>
## Read information from the debugging filesystem.
## </summary>
## <param name="domain">
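Review bot: wording nit only: this summary says `kernel debugging filesystem dirs.` while the second hunk in the same patch spells out `directories in /proc`; pick one form for the two new interfaces. The rule itself, `dontaudit $1 debugfs_t:dir write;`, is scoped to the single `write` permission rather than `add_name`/`remove_name`, which is the right granularity for silencing the write probe without hiding actual directory modifications.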
@@ -807,6 +825,25 @@ interface(`kernel_dontaudit_list_proc',`
########################################
## <summary>
+## Do not audit attempts to write the
+## directories in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_write_proc_dirs',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:dir write;
+')
+
+########################################
+## <summary>
## Get the attributes of files in /proc.
## </summary>
## <param name="domain">
--
1.7.3.2
* [refpolicy] [PATCH 5/5] dontaudit mount writes to newly mounted filesystems
2010-11-09 1:25 [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 4/5] " Chris Richards
@ 2010-11-09 1:25 ` Chris Richards
2010-11-11 14:59 ` [refpolicy] [PATCH 1/5] " Christopher J. PeBenito
From: Chris Richards @ 2010-11-09 1:25 UTC
To: refpolicy
Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
policy/modules/system/mount.te | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..9d83898 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -49,16 +49,21 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
+kernel_dontaudit_write_debugfs_dirs(mount_t)
+kernel_dontaudit_write_proc_dirs(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
+dev_dontaudit_write_sysfs_dirs(mount_t)
dev_getattr_sound_dev(mount_t)
+
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)
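Review bot: `+dev_read_sysfs(mount_t)` is an allow rule, not a dontaudit, and it is the only line in the series that widens mount_t's permissions; the subject line covers only silencing denials, so a reader of the history cannot tell why mount now needs to read sysfs. Either state the reason in the commit message or move it to its own patch so the audit-silencing change stays reviewable on its own. The blank line added before `# Early devtmpfs, before udev relabel` is a whitespace-only change that could be dropped.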
@@ -80,6 +85,7 @@ files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
+files_dontaudit_write_root_dirs(mount_t)
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
@@ -90,6 +96,7 @@ fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_dontaudit_write_tmpfs_dirs(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
--
1.7.3.2
* [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems
2010-11-09 1:25 [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems Chris Richards
2010-11-09 1:25 ` [refpolicy] [PATCH 5/5] " Chris Richards
@ 2010-11-11 14:59 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2010-11-11 14:59 UTC
To: refpolicy
On 11/08/10 20:25, Chris Richards wrote:
> As of util-linux-ng 2.18, the mount utility now attempts to write to the root
> of newly mounted filesystems. It does this in an attempt to ensure that the
> r/w status of a filesystem as shown in mtab is correct. To detect whether
> a filesystem is r/w, mount calls access() with the W_OK argument. This
> results in an AVC denial with current policy. As a fallback, mount also
> attempts to modify the access time of the directory being mounted on if
> the call to access() fails. As mount already possesses the necessary
> privileges, the modification of the access time succeeds (at least on systems
> with the futimens() function, which has existed in Linux since kernel 2.6.22
> and glibc since version 2.6, or about July 2007).
This set is merged, with a few trivial tweaks.
> Signed-off-by: Chris Richards <gizmo@giz-works.com>
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> 1 files changed, 18 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 99482ca..15a7bef 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3704,6 +3704,24 @@ interface(`dev_write_sysfs_dirs',`
>
> ########################################
> ## <summary>
> +## Do not audit attempts to write in a sysfs directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_dontaudit_write_sysfs_dirs',`
> + gen_require(`
> + type sysfs_t;
> + ')
> +
> + dontaudit $1 sysfs_t:dir write;
> +')
> +
> +########################################
> +## <summary>
> ## Read hardware state information.
> ## </summary>
> ## <desc>
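Review bot: the summary `Do not audit attempts to write in a sysfs directory.` can be read as covering file creation inside sysfs, but the rule only silences the `write` permission on `sysfs_t:dir`, which is what the access(W_OK) probe described in the commit message triggers, and not `add_name`/`remove_name`. Suggest `Do not audit attempts to write sysfs directories.` so the wording matches the debugfs and /proc counterparts in the same series and states the narrow scope accurately.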
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com