From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 21 Jan 2014 08:57:46 -0500
Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
In-Reply-To: <52DD4F75.9060809@mthode.org>
References: <1387573580-8603-1-git-send-email-mthode@mthode.org> <52DD4F75.9060809@mthode.org>
Message-ID: <52DE7CDA.4050800@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/20/14 11:31, Matthew Thode wrote:
> On 12/20/2013 03:06 PM, Matthew Thode wrote:
>> Signed-off-by: Matthew Thode >> --- >> policy/modules/kernel/storage.fc | 5 +++++ >> policy/modules/system/fstools.fc | 6 ++++++ >> policy/modules/system/mount.fc | 4 ++++ >> 3 files changed, 15 insertions(+) >> >> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc >> index 54f1827..4315bd5 100644 >> --- a/policy/modules/kernel/storage.fc >> +++ b/policy/modules/kernel/storage.fc >> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', ` >> >> /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0) >> >> +/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> +/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> +/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> +/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> + >> /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) >> /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) >> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc >> index 948ce2a..39e6c25 100644 >> --- a/policy/modules/system/fstools.fc >> +++ b/policy/modules/system/fstools.fc
>> @@ -36,6 +36,12 @@ >> /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> +/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> >> /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) >> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc >> index 4619000..a5e1c6e 100644 >> --- a/policy/modules/system/mount.fc >> +++ b/policy/modules/system/mount.fc >> @@ -2,6 +2,10 @@ >> /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) >> /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) >> >> +/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0) >> +/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) >> +/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) >> + >> /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) >> >> /var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) >>
> What's the status on the acceptance of this patch?

Sorry, I lost track of it. It's committed now, though I removed the symlink label and rearranged the lines.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
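Review bot: In the storage.fc hunk, the `/dev/zvol(/.*)? -l` entry puts fixed_disk_device_t at mls_systemhigh on symlinks rather than on device nodes, unlike the `-c` and `-b` entries around it. Access to the underlying volume is already governed by the label on the block node matched by `/dev/zd.* -b`, so labelling the links adds no protection and forces any domain that merely follows a link to hold lnk_file access on a raw-disk type; dropping the line, as the maintainer's reply says was done at commit, is the cleaner choice. Separately, `/dev/zd.*` matches every block node whose name starts with "zd"; anchoring it on a digit (for example `/dev/zd[0-9]+.*`) would keep the raw-disk label from landing on an unrelated device that happens to share the prefix.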
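Review bot: In the fstools.fc hunk, the six new entries cover only `/sbin`, while the trailing context shows the file keeps separate `/usr` entries (`/usr/bin/partition_uuid`, `/usr/bin/raw`); if a distribution installs these tools under `/usr/sbin`, they would not receive fsadm_exec_t and would not run in the intended domain. Please confirm the install paths and add matching `/usr/sbin` lines where needed. As a style point, the added lines (zpios, ztest, zinject, zhack, zdb, zstreamdump) are not in alphabetical order, whereas the preceding context (swapoff, swapon, tune2fs) is.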
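Review bot: In the mount.fc hunk, `/sbin/zpool` and `/sbin/zfs` are given mount_exec_t while the other ZFS utilities in this patch get fsadm_exec_t, and the commit message carries only a Signed-off-by, so the reason for the split is not documented. Both commands do pool and dataset administration well beyond mounting, which makes the choice worth a sentence of justification. The diffstat also shows only .fc files changing, so it is not visible here whether the mount domain is already allowed the access to `/dev/zfs` (labelled fixed_disk_device_t in the storage.fc hunk) that these binaries need; please state how this was tested in enforcing mode or include the corresponding .te changes.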