From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t
Date: Wed, 8 Feb 2012 15:43:44 -0500
Message-ID: <4F32DE80.1010302@tresys.com>
In-Reply-To: <20111115094545.GA3052@siphos.be>

On 11/15/11 04:45, Sven Vermeulen wrote:
> When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
> get by default marked as device_t. However, in case of software raid devices,
> the mdadm application (running in mdadm_t) does not hold the proper privileges
> to access this for its auto-assembly of the raids.
> 
> Other block device applications, like blkid (running in fsadm_t) use these
> temporary block devices as well, but already hold the necessary privileges on
> device_t to continue their work.
> 
> By marking the temporary block device as a fixed_disk_device_t, all these block
> device handling applications (such as blkid, but also mdadm) now hold the proper
> privileges. Since udev is selinux-aware, the created files are immediately
> restorecon'ed before the rules are applied.

I'm conflicted on this.  On one hand, I obviously want udev to apply the correct label, but I also don't want a restorecon/setfiles at a later date to change the label of what is clearly a temp file.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/storage.fc |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 57c4a6a..54f1827 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -1,4 +1,4 @@
> -
> +/dev/\.tmp-block-.*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/n?(raw)?[qr]ft[0-3] -c	gen_context(system_u:object_r:tape_device_t,s0)
>  /dev/n?[hs]t[0-9].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
>  /dev/n?z?qft[0-3]	-c	gen_context(system_u:object_r:tape_device_t,s0)
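Review bot: the new `+` line carries the `-c` (character device) type flag, but the `/dev/.tmp-block-*` nodes the commit message describes are block devices, so with `-c` this spec never matches them and they keep the label they had before; the entry should use `-b`, i.e. `/dev/\.tmp-block-.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The `-c` on the neighbouring tape entries is correct, since tapes are character devices. Note also that the `-` line drops the blank first line of the file, so the hunk is a one-line replacement rather than a pure addition.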


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
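
The labelling behaviour discussed above can be checked offline with a small matcher for the file_contexts format, added here as an example (it is not code from refpolicy or libselinux). It assumes the simplified semantics that each regex is anchored, a type flag restricts the entry to that file type, and the last matching entry wins, with entries already in the more-specific-last order fc_sort produces; the fragment below is constructed, and /dev/.tmp-block-8:1 is the node named in the commit message.

```python
import re

# Constructed file_contexts fragment (not copied from refpolicy verbatim),
# in the "later entry is more specific" order that fc_sort produces.
# gen_context() is the refpolicy m4 macro; only its first argument is used here.
FC_FRAGMENT = (
    "/dev/.*\t\tgen_context(system_u:object_r:device_t,s0)\n"
    "/dev/\\.tmp-block-.*\t-c\tgen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)\n"
    "/dev/n?[hs]t[0-9].*\t-c\tgen_context(system_u:object_r:tape_device_t,s0)\n"
)

# File type flags as setfiles/matchpathcon understand them; no flag means any type.
TYPE_FLAGS = {"-b": "blk", "-c": "chr", "-d": "dir", "-p": "fifo",
              "-l": "lnk", "-s": "sock", "--": "file"}

LINE_RE = re.compile(r"^(\S+)\s+(?:(-[bcdlps-])\s+)?(\S+)$")
GEN_RE = re.compile(r"gen_context\(([^,)]+)")


def parse_fc(text):
    """Parse file_contexts lines into (compiled anchored regex, file type or None, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        regex, flag, ctx = m.groups()
        g = GEN_RE.match(ctx)
        context = g.group(1) if g else ctx   # strip the gen_context() wrapper
        entries.append((re.compile(regex + "$"), TYPE_FLAGS.get(flag), context))
    return entries


def match_path(entries, path, ftype):
    """Return the context for path; the last matching entry wins, as in libselinux."""
    result = None
    for regex, want, context in entries:
        if regex.match(path) and (want is None or want == ftype):
            result = context
    return result


def demo():
    """Label a udev temporary block node under the entry as submitted (-c) and corrected (-b)."""
    as_submitted = parse_fc(FC_FRAGMENT)
    corrected = parse_fc(FC_FRAGMENT.replace(
        "-c\tgen_context(system_u:object_r:fixed_disk",
        "-b\tgen_context(system_u:object_r:fixed_disk"))
    node = "/dev/.tmp-block-8:1"   # a block device node, as udev creates it
    return match_path(as_submitted, node, "blk"), match_path(corrected, node, "blk")
```

With the `-c` flag the node falls through to the generic `/dev/.*` entry and stays device_t; only the `-b` form yields fixed_disk_device_t.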
