From mboxrd@z Thu Jan 1 00:00:00 1970 From: mthode@mthode.org (Matthew Thode) Date: Fri, 20 Dec 2013 14:14:31 -0600 Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS In-Reply-To: <52B4A382.9070507@tresys.com> References: <1387560695-24878-1-git-send-email-mthode@mthode.org> <52B4A382.9070507@tresys.com> Message-ID: <52B4A527.107@mthode.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/20/2013 02:07 PM, Christopher J. PeBenito wrote: > On 12/20/13 12:31, Matthew Thode wrote: >> Signed-off-by: Matthew Thode >> --- >> policy/modules/kernel/storage.fc | 5 +++++ >> policy/modules/system/fstools.fc | 6 ++++++ >> policy/modules/system/mount.fc | 4 ++++ >> 3 files changed, 15 insertions(+) >> >> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc >> index 54f1827..4315bd5 100644 >> --- a/policy/modules/kernel/storage.fc >> +++ b/policy/modules/kernel/storage.fc >> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', ` >> >> /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) >> >> +/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> +/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> +/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > > Normally we leave the symlinks stay the generic type, in this case device_t. That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type. Otherwise the patch looks ok. > > >> +/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> + >> /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) >> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc >> index 948ce2a..39e6c25 100644 >> --- a/policy/modules/system/fstools.fc 
>> +++ b/policy/modules/system/fstools.fc >> @@ -36,6 +36,12 @@ >> /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> >> /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc >> index a38605e..807ceef 100644 >> --- a/policy/modules/system/mount.fc >> +++ b/policy/modules/system/mount.fc >> @@ -1,6 +1,10 @@ >> /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) >> /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) >> >> +/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0) >> +/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) >> +/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) >> + >> /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) >> >> /var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) >> > > Would you like me to resubmit? -- -- Matthew Thode -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131220/03cab114/attachment.bin
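Review bot: in the storage.fc hunk, the `/dev/zvol(/.*)? -l` entry labels symlinks as fixed_disk_device_t, and as the maintainer already noted refpolicy leaves symlinks at the generic device_t, so drop that line before resubmitting. Also note that the `/dev/zd.*` entry is unanchored on the right, so it matches any block device node whose name starts with `zd`, not only the zvol nodes; that mirrors the neighbouring `/lib/udev/devices/loop.*` entry, so it is acceptable if intentional, but `/dev/zd[0-9]+` would be the tighter pattern if only the numbered zvol nodes are meant.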
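Review bot: in the fstools.fc hunk, the new entries (`zpios`, `ztest`, `zinject`, `zhack`, `zdb`, `zstreamdump`) are not in alphabetical order, while the surrounding context (`swapoff`, `swapon.*`, `tune2fs`) is sorted; refpolicy keeps .fc files sorted by path, so reorder them as `zdb`, `zhack`, `zinject`, `zpios`, `zstreamdump`, `ztest`. It is also worth a sentence in the patch description that `ztest`, `zinject` and `zhack` are debugging and fault-injection tools rather than routine administration tools, so reviewers can judge whether they belong in fsadm_t with the other filesystem utilities or should be left unconfined-only.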
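Review bot: in the mount.fc hunk, the split between this file and fstools.fc is undocumented: `zpool` and `zfs` go to mount_exec_t while the other ZFS utilities go to fsadm_exec_t, and the commit message carries only the subject line. Please state in the description why `zfs` and `zpool` (which do far more than mount datasets) should run in mount_t rather than fsadm_t, so the domain choice can be reviewed against the /dev/zfs label added in storage.fc. As a style point, refpolicy escapes literal dots in file contexts, so `/sbin/mount.zfs` should be written `/sbin/mount\.zfs` (the existing `/bin/mount.*` entries use `.*` as a genuine wildcard, which is a different case).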