From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 20 Dec 2013 15:07:30 -0500 Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS In-Reply-To: <1387560695-24878-1-git-send-email-mthode@mthode.org> References: <1387560695-24878-1-git-send-email-mthode@mthode.org> Message-ID: <52B4A382.9070507@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/20/13 12:31, Matthew Thode wrote: > Signed-off-by: Matthew Thode > --- > policy/modules/kernel/storage.fc | 5 +++++ > policy/modules/system/fstools.fc | 6 ++++++ > policy/modules/system/mount.fc | 4 ++++ > 3 files changed, 15 insertions(+) > > diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc > index 54f1827..4315bd5 100644 > --- a/policy/modules/kernel/storage.fc > +++ b/policy/modules/kernel/storage.fc > @@ -79,5 +79,10 @@ ifdef(`distro_redhat', ` > > /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) > > +/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > +/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > +/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) Normally we let the symlinks stay the generic type, in this case device_t. That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type. Otherwise the patch looks ok. > +/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > + > /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) > diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc > index 948ce2a..39e6c25 100644 > --- a/policy/modules/system/fstools.fc > +++ b/policy/modules/system/fstools.fc
> @@ -36,6 +36,12 @@ > /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) > /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) > /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) > +/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0) > +/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) > +/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) > +/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) > +/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) > +/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) > > /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) > /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) > diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc > index a38605e..807ceef 100644 > --- a/policy/modules/system/mount.fc > +++ b/policy/modules/system/mount.fc > @@ -1,6 +1,10 @@ > /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) > /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) > > +/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0) > +/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) > +/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) > + > /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) > > /var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
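Review bot: the `/dev/zvol(/.*)? -l` entry in the storage.fc hunk gives symlinks the fixed_disk_device_t type, which departs from the file's practice of leaving symlinks at the generic device_t (the `/lib/udev/devices/loop.*` context line just below labels only the block nodes with `-b`); dropping that line keeps the labeling consistent, and the `-b` entry for `/dev/zd.*` still covers the zvol block devices those links resolve to. Also worth checking against the full file: the hunk header shows `ifdef(`distro_redhat', `` as the nearest preceding opener, so confirm the new entries land outside that conditional, otherwise non-Red Hat builds get no contexts for /dev/zfs and the zvol nodes.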
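Review bot: the six new entries in the fstools.fc hunk are not in alphabetical order (zpios, ztest, zinject, zhack, zdb, zstreamdump) while the surrounding lines are (swapoff, swapon, tune2fs); reorder them as zdb, zhack, zinject, zpios, zstreamdump, ztest. On the policy side, zinject, zhack and ztest are fault-injection and test utilities rather than everyday administration tools; fsadm_exec_t still fits their raw-storage role, but since no .te change accompanies the .fc additions, confirm that fsadm_t's existing fixed_disk_device_t permissions cover the ioctls these tools issue on /dev/zfs (labeled fixed_disk_device_t in the storage.fc hunk).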
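Review bot: `/sbin/zpool` and `/sbin/zfs` in the mount.fc hunk get mount_exec_t, but only `/sbin/mount.zfs` is a mount helper; zpool creates, imports and destroys pools on raw devices and zfs manages datasets, snapshots and send/receive, so they have more in common with zdb and the other tools labeled fsadm_exec_t in the fstools.fc hunk than with mount. Consider labeling them fsadm_exec_t, or say in the commit message why mount_t (which the `zfs mount` subcommand does need) was chosen, so the domain these tools run in is a deliberate least-privilege decision rather than a side effect of the mount helper entry.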