* [refpolicy] [PATCH 0/7] Small set of updates on non-contrib modules
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
Not sure about patch 5/7 if this is wanted/needed. It just seems like a good
idea to combine the rights as the dontaudit interface itself is meant to, well,
ignore certain behavior of applications. With the move to /sys/fs/selinux, these
applications would otherwise also need the dontaudit rules against the sysfs
parts, so I thought that making them part of the same dontaudit interface makes
sense.
Sven Vermeulen (7):
Get grub2-install to work properly
Support /sys/devices/system/cpu/online
Mark f2fs as a xattr-enabled file system
The security_t file system can be at /sys/fs/selinux
Dontaudit access on security_t file system at /sys/fs/selinux
Support named file transition for fixed_disk_device_t
Alsasound init script writes asound.state file
policy/modules/admin/bootloader.fc | 2 ++
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 61 +++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.te | 7 +++++
policy/modules/kernel/domain.te | 2 ++
policy/modules/kernel/filesystem.te | 1 +
policy/modules/kernel/selinux.if | 8 +++++
policy/modules/kernel/storage.if | 7 ++++-
policy/modules/system/init.te | 4 +++
9 files changed, 92 insertions(+), 1 deletion(-)
--
1.8.1.5
* [refpolicy] [PATCH 1/7] Get grub2-install to work properly
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
Marking those two applications as bootloader_exec_t (as was the case with the
legacy "grub" command) allows the commands to continue.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/bootloader.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..2626ebf 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -7,3 +7,5 @@
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
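Review bot: the message says grub2-bios-setup and grub2-probe need read/write access to the fixed disks, yet this hunk only labels the two binaries bootloader_exec_t; it would help reviewers if the message stated that the existing bootloader domain rules already carry that disk access, so nobody goes looking for a missing .te change. Also worth a sentence: grub2-install itself stays unlabelled by design, since according to the message only these two helpers touch the disks.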
--
1.8.1.5
* [refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
to grant most domains read access to this file. As we don't want them to have
read access on sysfs_t by default, create a new type (cpu_online_t) and assign
it to the file, and grant domains read access to the file.
This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep their
context.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
policy/modules/kernel/devices.te | 7 +++++++
policy/modules/kernel/domain.te | 2 ++
4 files changed, 35 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
ifdef(`distro_redhat',`
# originally from named.fc
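Review bot: the new entry only takes effect after a relabel, because sysfs creates the file at boot and the generic `/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)` line above it is what the kernel-side label corresponds to; the message says distributions relabel in their boot scripts, but readers of devices.fc will never see the message. Suggest a one-line comment above the entry saying it needs a boot-time restorecon, so that nobody later removes it as an apparent no-op.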
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..49f0acb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
########################################
## <summary>
+## Read cpu online hardware state information
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read /sys/devices/system/cpu/online
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+ gen_require(`
+ type cpu_online_t;
+ ')
+
+ allow $1 cpu_online_t:file read_file_perms;
+
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Unconfined access to devices.
## </summary>
## <param name="domain">
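Review bot: `dev_read_cpu_online` bundles `dev_search_sysfs($1)` with the file read, so every caller also receives search on sysfs_t directories, while the summary only promises reading /sys/devices/system/cpu/online. Since this series applies the interface to the whole `domain` attribute, that widening deserves a sentence in the `<desc>` block, or a check that all domains already hold sysfs search.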
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0b1a871..0d7790c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -60,6 +60,13 @@ type cpu_device_t;
dev_node(cpu_device_t)
#
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
+#
# Type for /dev/crash
#
type crash_device_t;
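Review bot: the comment `# /sys/devices/system/cpu/online device` describes a sysfs file, not a device node, and the neighbouring blocks use the form `# Type for /dev/crash`; suggest `# Type for /sys/devices/system/cpu/online` for consistency. The `files_type` plus `dev_associate_sysfs` pair is the right combination for a type that has to be permitted on the sysfs filesystem.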
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..ea5cdee 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
+# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+dev_read_cpu_online(domain)
# Use trusted objects in /dev
dev_rw_null(domain)
dev_rw_zero(domain)
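Review bot: this call is unconditional for every domain, but it only has effect when the file actually carries cpu_online_t; if the boot-time relabel the message relies on does not happen, the file stays sysfs_t and the original denial returns with nothing in the policy pointing at the cause. Suggest noting that dependency in the comment above `dev_read_cpu_online(domain)`, next to the glibc reference.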
--
1.8.1.5
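As an added illustration (not part of the patch series and not refpolicy's own tooling): the file-context entries in the bootloader.fc and devices.fc hunks above only take effect through file_contexts matching, so a practitioner verifying a system wants to know which entry wins for a given path and which files under /sys still need relabelling after boot. The Python below parses an fc excerpt constructed from the lines in this thread and resolves paths with a simplified form of the setfiles rule (longest literal stem wins, later line wins on ties). That simplification is an assumption, as are the helper names parse_file_contexts, resolve and needs_relabel.

```python
import re

# Constructed file_contexts excerpt: the bootloader.fc and devices.fc lines
# visible in patches 1/7 and 2/7 of this thread (the grub2-* and cpu_online_t
# entries are the ones those patches add).
FILE_CONTEXTS = """\
/sbin/ybin.*                    --  gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub                  --  gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2-bios-setup      --  gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2-probe           --  gen_context(system_u:object_r:bootloader_exec_t,s0)
/lib/udev/devices/zero          -c  gen_context(system_u:object_r:zero_device_t,s0)
/sys(/.*)?                          gen_context(system_u:object_r:sysfs_t,s0)
/sys/devices/system/cpu/online  --  gen_context(system_u:object_r:cpu_online_t,s0)
"""

# File-type flags used in file_contexts and the object kind each one selects.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
              "-l": "lnk", "-s": "sock", "-p": "fifo"}

LINE_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dcblsp])\s+)?"
    r"gen_context\((?P<ctx>[^,()]+),(?P<mls>[^)]+)\)$")


def stem_of(regex):
    """Literal prefix of an fc regex, up to the first metacharacter."""
    m = re.search(r"[.*+?\[\]()|^$\\{}]", regex)
    return regex if m is None else regex[: m.start()]


def parse_file_contexts(text):
    """Return a list of (anchored pattern, kind or None, context, stem)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unparseable file_contexts line: %r" % raw)
        regex = m.group("regex")
        kind = TYPE_FLAGS[m.group("ftype")] if m.group("ftype") else None
        ctx = "%s:%s" % (m.group("ctx"), m.group("mls"))
        specs.append((re.compile("^%s$" % regex), kind, ctx, stem_of(regex)))
    return specs


def resolve(specs, path, kind="file"):
    """Context setfiles would assign to `path`, or None if no entry matches.

    Assumption (a simplification of libselinux's ordering): among entries
    whose type flag fits and whose regex matches the whole path, the one with
    the longest literal stem wins, and on equal stems the later line wins.
    """
    best = None
    for pattern, spec_kind, ctx, stem in specs:
        if spec_kind is not None and spec_kind != kind:
            continue
        if pattern.match(path) is None:
            continue
        if best is None or len(stem) >= len(best[1]):
            best = (ctx, stem)
    return None if best is None else best[0]


def needs_relabel(specs, path, current_ctx, kind="file"):
    """True when the label a file carries now differs from what policy expects.

    This is the check a boot script's restorecon performs: the kernel hands
    every file under /sys the generic sysfs_t label, so the cpu/online entry
    only takes effect once something relabels the file after each boot.
    """
    expected = resolve(specs, path, kind)
    return expected is not None and expected != current_ctx


if __name__ == "__main__":
    fc = parse_file_contexts(FILE_CONTEXTS)
    for p in ("/usr/sbin/grub2-probe", "/sys/devices/system/cpu/online",
              "/sys/devices/system/cpu/possible"):
        print("%-34s -> %s" % (p, resolve(fc, p)))
    # Freshly booted: sysfs handed the file sysfs_t, so a relabel is due.
    print("relabel needed:", needs_relabel(
        fc, "/sys/devices/system/cpu/online", "system_u:object_r:sysfs_t:s0"))
```

Running it shows the more specific cpu/online entry overriding the `/sys(/.*)?` catch-all, a sibling file such as cpu/possible staying sysfs_t, and the mismatch that a boot-time relabel has to repair.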
* [refpolicy] [PATCH 3/7] Mark f2fs as a xattr-enabled file system
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1c66416..9949d77 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,6 +26,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
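Review bot: the commit message is empty apart from the Signed-off-by; an `fs_use_xattr` declaration is only appropriate once the kernel's f2fs stores security labels in extended attributes, so the message should cite the kernel version or commit that added that support. Without it, reviewers cannot judge whether the entry is safe to declare for systems running an older f2fs.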
--
1.8.1.5
* [refpolicy] [PATCH 4/7] The security_t file system can be at /sys/fs/selinux
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
Because it is no longer a top-level file system, we need to enhance some of the
interfaces with the appropriate rights towards sysfs_t.
This first set allows getattr rights on the file system, which now also means
getattr on the sysfs_t file system as well as search privileges in sysfs_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 49f0acb..a0a2a0d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3855,6 +3855,24 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
+## Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
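Review bot: the summary `Get the attributes of sysfs filesystem` reads better as `Get the attributes of the sysfs filesystem`, matching the wording of `dev_getattr_sysfs_dirs` right above it. The rule itself, `allow $1 sysfs_t:filesystem getattr;`, is the minimal right for a statfs on the mount and does not expose any sysfs contents, which is the right scope for a helper other interfaces will call widely.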
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 81440c5..9623a80 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
# (/selinux) is already a selinuxfs
allow $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_getattr_sysfs_fs($1)
+ dev_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_read_system_state($1)
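Review bot: the added `dev_getattr_sysfs_fs($1)` and `dev_search_sysfs($1)` are granted to every caller of `selinux_get_fs_mount`, including systems where the comment above still applies and selinuxfs sits at /selinux; getattr on the filesystem is harmless, but the search right reaches all sysfs_t directories, so the interface description should say that callers now also receive sysfs search. Minor, pre-existing: the comment says `/proc/self/mount`; the file is /proc/self/mounts.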
--
1.8.1.5
* [refpolicy] [PATCH 5/7] Dontaudit access on security_t file system at /sys/fs/selinux
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
Second part of the support of security_t under /sys/fs/selinux - when asked not
to audit getting attributes on the selinux file system, have this propagate to
the sysfs parts as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a0a2a0d..2a4a3ca 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3871,6 +3871,24 @@ interface(`dev_getattr_sysfs_fs',`
allow $1 sysfs_t:filesystem getattr;
')
+#######################################
+## <summary>
+## Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access from
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
########################################
## <summary>
## Search the sysfs directories.
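Review bot: the separator comment opening the new block looks one `#` shorter than the surrounding ones (compare the line before `## Search the sysfs directories.`); worth aligning. The parameter summary `Domain to dontaudit access from` departs from the `Domain to not audit.` wording used by other dontaudit interfaces in refpolicy, and the summary would read more precisely as `Do not audit attempts to get the attributes of the sysfs filesystem`, since the interface silences attempts rather than granting anything.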
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 9623a80..a62ac8f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
# (/selinux) is already a selinuxfs
dontaudit $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_dontaudit_read_system_state($1)
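Review bot: `dev_dontaudit_search_sysfs($1)` silences search denials on every sysfs_t directory, not just the path down to /sys/fs/selinux, so a caller of `selinux_dontaudit_get_fs_mount` that is later wrongly probing other parts of /sys will no longer show up in the audit log. The cover letter's reasoning (a dontaudit interface exists to ignore this probing) is sound, but the interface description should state the wider effect so that policy authors can decide whether they want it.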
--
1.8.1.5
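As an added example covering patches 4/7 and 5/7 together (this is not refpolicy code and not part of the series): the comments in `selinux_get_fs_mount` describe how a domain discovers selinuxfs, by reading /proc/filesystems and then /proc/self/mounts, and the two patches exist because the answer decides which path-walk rights are needed. The Python below parses constructed copies of both files, finds where selinuxfs is mounted, and lists the policy statements the interface has to grant for that layout, using the interface names from the hunks. The mount-containment rule (longest mountpoint prefix wins) and the helper names find_selinuxfs, parent_mount and required_getattr_rules are assumptions of this example.

```python
# Constructed /proc/filesystems and /proc/self/mounts samples, not captured
# from a real host. The first mount table is the layout patches 4/7 and 5/7
# address (selinuxfs below sysfs); the second is the older top-level layout.
PROC_FILESYSTEMS = "nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n"

MOUNTS_UNDER_SYSFS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

MOUNTS_TOP_LEVEL = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /selinux selinuxfs rw,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def selinuxfs_supported(proc_filesystems):
    """Step one from the interface comment: is selinuxfs in /proc/filesystems?"""
    return any(line.split()[-1] == "selinuxfs"
               for line in proc_filesystems.splitlines() if line.strip())


def parse_mounts(proc_mounts):
    """Yield (mountpoint, fstype) pairs from /proc/self/mounts-style text.

    Octal escapes in mountpoints (\\040 for a space) are left as-is; none of
    the paths this example deals with contain them.
    """
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield fields[1], fields[2]


def find_selinuxfs(proc_mounts):
    """Step two: where is selinuxfs mounted? None if it is not mounted."""
    mountpoint = None
    for mp, fstype in parse_mounts(proc_mounts):
        if fstype == "selinuxfs":
            mountpoint = mp  # a later mount over the same place wins
    return mountpoint


def parent_mount(proc_mounts, path):
    """(mountpoint, fstype) of the mount whose tree contains `path`'s parent.

    Assumption: the containing mount is the one with the longest mountpoint
    that is a proper path prefix of `path`; later table entries win ties.
    """
    best = None
    for mp, fstype in parse_mounts(proc_mounts):
        if mp == path:
            continue
        prefix = mp if mp.endswith("/") else mp + "/"
        if path.startswith(prefix) and (best is None or len(mp) >= len(best[0])):
            best = (mp, fstype)
    return best


def required_getattr_rules(proc_filesystems, proc_mounts, domain="$1"):
    """Policy statements a domain needs to statfs the selinuxfs on this host.

    Mirrors selinux_get_fs_mount() after patch 4/7: getattr on security_t is
    always required, and when the mount sits below sysfs the path walk also
    crosses sysfs_t, so sysfs filesystem getattr and directory search are
    needed as well. Returns [] when the kernel offers no selinuxfs at all.
    """
    if not selinuxfs_supported(proc_filesystems):
        return []
    rules = ["allow %s security_t:filesystem getattr;" % domain]
    mp = find_selinuxfs(proc_mounts)
    if mp is None:
        return rules
    parent = parent_mount(proc_mounts, mp)
    if parent is not None and parent[1] == "sysfs":
        rules.append("dev_getattr_sysfs_fs(%s)" % domain)
        rules.append("dev_search_sysfs(%s)" % domain)
    return rules


if __name__ == "__main__":
    for name, table in (("under sysfs", MOUNTS_UNDER_SYSFS),
                        ("top level", MOUNTS_TOP_LEVEL)):
        print("%s (%s):" % (name, find_selinuxfs(table)))
        for rule in required_getattr_rules(PROC_FILESYSTEMS, table):
            print("    " + rule)
```

The same reasoning applies to the dontaudit variant in patch 5/7: whatever this function lists as required for the sysfs layout is exactly what `selinux_dontaudit_get_fs_mount` has to silence for callers that are meant to probe quietly.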
* [refpolicy] [PATCH 6/7] Support named file transition for fixed_disk_device_t
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/storage.if | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..64c4cd0 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -260,13 +260,18 @@ interface(`storage_manage_fixed_disk',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional filename of the block device to be created
+## </summary>
+## </param>
#
interface(`storage_dev_filetrans_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
')
- dev_filetrans($1, fixed_disk_device_t, blk_file)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
')
########################################
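Review bot: `$2` is passed through to `dev_filetrans` unconditionally, so the change relies on `dev_filetrans` (and the filetrans pattern beneath it) treating an empty fourth argument as "no name"; worth confirming that existing callers of `storage_dev_filetrans_fixed_disk` with a single argument still expand to the unnamed `type_transition`. The `<param name="filename" optional="true">` block matches how other filetrans interfaces document the name parameter.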
--
1.8.1.5
* [refpolicy] [PATCH 7/7] Alsasound init script writes asound.state file
From: Sven Vermeulen @ 2013-08-17 18:51 UTC
To: refpolicy
The alsasound init script writes updates into alsa state files, such as
/var/lib/alsa/asound.state (for storing the ALSA mixer levels at shutdown).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/init.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a97372a..08dd000 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -578,6 +578,10 @@ ifdef(`distro_suse',`
')
optional_policy(`
+ alsa_write_lib(initrc_t)
+')
+
+optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
')
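Review bot: judging by its name, `alsa_write_lib` grants initrc_t write access to the whole ALSA state directory type rather than to asound.state alone, so the message should list exactly which files the init script writes under /var/lib/alsa. That also settles whether the write belongs in the generic init script domain or in the ALSA domain that owns those files.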
--
1.8.1.5
* [refpolicy] [PATCH 3/7] Mark f2fs as a xattr-enabled file system
From: Christopher J. PeBenito @ 2013-08-26 12:38 UTC
To: refpolicy
Is this support upstreamed? I don't see it in my 3.10 kernel tree.
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/filesystem.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 1c66416..9949d77 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -26,6 +26,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
> +fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
> fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/7] Get grub2-install to work properly
From: Christopher J. PeBenito @ 2013-08-26 12:39 UTC
To: refpolicy
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> The grub2-install application runs a few grub2-* commands. Two of those,
> grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
>
> Mark those two applications as bootloader_exec_t (as is the case with the "grub"
> legacy command in the past) allows the commands to continue.
Merged.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/admin/bootloader.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> index 7a6f06f..2626ebf 100644
> --- a/policy/modules/admin/bootloader.fc
> +++ b/policy/modules/admin/bootloader.fc
> @@ -7,3 +7,5 @@
> /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
>
> /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online
From: Christopher J. PeBenito @ 2013-08-26 12:49 UTC
To: refpolicy
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
> to grant most domains read access to this file. As we don't want them to have
> read access on sysfs_t by default, create a new type (cpu_online_t) and assign
> it to the file, and grant domains read access to the file.
>
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep their
> context.
Adding permissions to all domains shouldn't be taken lightly, so I'll have to do some additional research.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
> policy/modules/kernel/devices.te | 7 +++++++
> policy/modules/kernel/domain.te | 2 ++
> 4 files changed, 35 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index b31c054..d6ebfcd 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -199,6 +199,7 @@ ifdef(`distro_debian',`
> /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
>
> /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
> +/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
>
> ifdef(`distro_redhat',`
> # originally from named.fc
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 76f285e..49f0acb 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
>
> ########################################
> ## <summary>
> +## Read cpu online hardware state information
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to read /sys/devices/system/cpu/online
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_read_cpu_online',`
> + gen_require(`
> + type cpu_online_t;
> + ')
> +
> + allow $1 cpu_online_t:file read_file_perms;
> +
> + dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Unconfined access to devices.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 0b1a871..0d7790c 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -60,6 +60,13 @@ type cpu_device_t;
> dev_node(cpu_device_t)
>
> #
> +# /sys/devices/system/cpu/online device
> +#
> +type cpu_online_t;
> +files_type(cpu_online_t)
> +dev_associate_sysfs(cpu_online_t)
> +
> +#
> # Type for /dev/crash
> #
> type crash_device_t;
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index cf04cb5..ea5cdee 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
> # create child processes in the domain
> allow domain self:process { fork sigchld };
>
> +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
> +dev_read_cpu_online(domain)
> # Use trusted objects in /dev
> dev_rw_null(domain)
> dev_rw_zero(domain)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 6/7] Support named file transition for fixed_disk_device_t
From: Christopher J. PeBenito @ 2013-08-26 12:51 UTC
To: refpolicy
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/kernel/storage.if | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index 1700ef2..64c4cd0 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -260,13 +260,18 @@ interface(`storage_manage_fixed_disk',`
> ## Domain allowed access.
> ## </summary>
> ## </param>
> +## <param name="filename" optional="true">
> +## <summary>
> +## Optional filename of the block device to be created
> +## </summary>
> +## </param>
> #
> interface(`storage_dev_filetrans_fixed_disk',`
> gen_require(`
> type fixed_disk_device_t;
> ')
>
> - dev_filetrans($1, fixed_disk_device_t, blk_file)
> + dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
> ')
>
> ########################################
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 7/7] Alsasound init script writes asound.state file
From: Christopher J. PeBenito @ 2013-08-26 12:57 UTC
To: refpolicy
On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> The alsasound init script writes updates into alsa state files, such as
> /var/lib/alsa/asound.state (for storing the ALSA mixer levels at shutdown).
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/system/init.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index a97372a..08dd000 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -578,6 +578,10 @@ ifdef(`distro_suse',`
> ')
>
> optional_policy(`
> + alsa_write_lib(initrc_t)
> +')
> +
> +optional_policy(`
> amavis_search_lib(initrc_t)
> amavis_setattr_pid_files(initrc_t)
> ')
Shouldn't this be handled by alsa_t?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 7/7] Alsasound init script writes asound.state file
From: Sven Vermeulen @ 2013-08-27 10:42 UTC
To: refpolicy
On Mon, Aug 26, 2013 at 2:57 PM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index a97372a..08dd000 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -578,6 +578,10 @@ ifdef(`distro_suse',`
>> ')
>>
>> optional_policy(`
>> + alsa_write_lib(initrc_t)
>> +')
>> +
>> +optional_policy(`
>> amavis_search_lib(initrc_t)
>> amavis_setattr_pid_files(initrc_t)
>> ')
>
> Shouldn't this be handled by alsa_t?
>
It is the /etc/init.d/alsasound init script itself that is writing
into /var/lib/alsa, for instance:
# excerpt from /etc/init.d/alsasound, shown inside a function so that
# "local" is valid (the wrapper name is illustrative); alsastatedir
# defaults to /var/lib/alsa here if the script has not set it already
save_oss_state() {
    : "${alsastatedir:=/var/lib/alsa}"
    for ossfile in /proc/asound/card*/pcm*/oss; do
        [ -e "${ossfile}" ] || continue
        # /proc/asound/cardN/pcmM/oss becomes cardN_pcmM
        local device=${ossfile##/proc/asound/} ; device=${device%%/oss}
        device="$(echo "${device}" | sed -e 's,/,_,g')"
        mkdir -p "${alsastatedir}/oss/"
        cp "${ossfile}" "${alsastatedir}/oss/${device}"
    done
}
Here, ${alsastatedir} = /var/lib/alsa.
It does seem however that the asound.state itself is handled by
alsactl (and thus through alsa_t). Shall I update the description to
explain that it is for restoring OSS state information instead?
Wkr,
Sven Vermeulen