[refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
@ 2013-12-20 21:06 Matthew Thode
  2014-01-20 16:31 ` Matthew Thode
  0 siblings, 1 reply; 7+ messages in thread
From: Matthew Thode @ 2013-12-20 21:06 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Matthew Thode <mthode@mthode.org>
---
 policy/modules/kernel/storage.fc | 5 +++++
 policy/modules/system/fstools.fc | 6 ++++++
 policy/modules/system/mount.fc   | 4 ++++
 3 files changed, 15 insertions(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 54f1827..4315bd5 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
 
 /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
 
+/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
 /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 948ce2a..39e6c25 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -36,6 +36,12 @@
 /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 4619000..a5e1c6e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,6 +2,10 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
+/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
+
 /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 
 /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
  2013-12-20 21:06 [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS Matthew Thode
@ 2014-01-20 16:31 ` Matthew Thode
  2014-01-21 13:57   ` Christopher J. PeBenito
  0 siblings, 1 reply; 7+ messages in thread
From: Matthew Thode @ 2014-01-20 16:31 UTC (permalink / raw)
  To: refpolicy

On 12/20/2013 03:06 PM, Matthew Thode wrote:
> Signed-off-by: Matthew Thode <mthode@mthode.org>
> ---
>  policy/modules/kernel/storage.fc | 5 +++++
>  policy/modules/system/fstools.fc | 6 ++++++
>  policy/modules/system/mount.fc   | 4 ++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 54f1827..4315bd5 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>  
>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>  
> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +
>  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 948ce2a..39e6c25 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -36,6 +36,12 @@
>  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  
>  /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
> index 4619000..a5e1c6e 100644
> --- a/policy/modules/system/mount.fc
> +++ b/policy/modules/system/mount.fc
> @@ -2,6 +2,10 @@
>  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>  
> +/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
> +
>  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
>  
>  /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
> 
What's the status on the acceptance of this patch?

-- 
-- Matthew Thode

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140120/e1d8a852/attachment.bin 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
  2014-01-20 16:31 ` Matthew Thode
@ 2014-01-21 13:57   ` Christopher J. PeBenito
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2014-01-21 13:57 UTC (permalink / raw)
  To: refpolicy

On 01/20/14 11:31, Matthew Thode wrote:
> On 12/20/2013 03:06 PM, Matthew Thode wrote:
>> Signed-off-by: Matthew Thode <mthode@mthode.org>
>> ---
>>  policy/modules/kernel/storage.fc | 5 +++++
>>  policy/modules/system/fstools.fc | 6 ++++++
>>  policy/modules/system/mount.fc   | 4 ++++
>>  3 files changed, 15 insertions(+)
>>
>> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
>> index 54f1827..4315bd5 100644
>> --- a/policy/modules/kernel/storage.fc
>> +++ b/policy/modules/kernel/storage.fc
>> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>>  
>>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>>  
>> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +
>>  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
>> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
>> index 948ce2a..39e6c25 100644
>> --- a/policy/modules/system/fstools.fc
>> +++ b/policy/modules/system/fstools.fc
>> @@ -36,6 +36,12 @@
>>  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  
>>  /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
>> index 4619000..a5e1c6e 100644
>> --- a/policy/modules/system/mount.fc
>> +++ b/policy/modules/system/mount.fc
>> @@ -2,6 +2,10 @@
>>  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  
>> +/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +
>>  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  
>>  /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
>>
> What's the status on the acceptance of this patch?

Sorry, I lost track of it.  Its committed now, though I removed the symlink label and rearranged the lines.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
@ 2013-12-20 17:31 Matthew Thode
  2013-12-20 20:07 ` Christopher J. PeBenito
  0 siblings, 1 reply; 7+ messages in thread
From: Matthew Thode @ 2013-12-20 17:31 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Matthew Thode <mthode@mthode.org>
---
 policy/modules/kernel/storage.fc | 5 +++++
 policy/modules/system/fstools.fc | 6 ++++++
 policy/modules/system/mount.fc   | 4 ++++
 3 files changed, 15 insertions(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 54f1827..4315bd5 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
 
 /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
 
+/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
 /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 948ce2a..39e6c25 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -36,6 +36,12 @@
 /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index a38605e..807ceef 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,6 +1,10 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
+/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
+
 /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 
 /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
  2013-12-20 17:31 Matthew Thode
@ 2013-12-20 20:07 ` Christopher J. PeBenito
  2013-12-20 20:14   ` Matthew Thode
  0 siblings, 1 reply; 7+ messages in thread
From: Christopher J. PeBenito @ 2013-12-20 20:07 UTC (permalink / raw)
  To: refpolicy

On 12/20/13 12:31, Matthew Thode wrote:
> Signed-off-by: Matthew Thode <mthode@mthode.org>
> ---
>  policy/modules/kernel/storage.fc | 5 +++++
>  policy/modules/system/fstools.fc | 6 ++++++
>  policy/modules/system/mount.fc   | 4 ++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 54f1827..4315bd5 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>  
>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>  
> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

Normally we leave the symlinks stay the generic type, in this case device_t.  That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type.  Otherwise the patch looks ok.


> +/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +
>  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 948ce2a..39e6c25 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -36,6 +36,12 @@
>  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  
>  /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
> index a38605e..807ceef 100644
> --- a/policy/modules/system/mount.fc
> +++ b/policy/modules/system/mount.fc
> @@ -1,6 +1,10 @@
>  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>  
> +/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
> +
>  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
>  
>  /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
  2013-12-20 20:07 ` Christopher J. PeBenito
@ 2013-12-20 20:14   ` Matthew Thode
  2013-12-20 20:22     ` Christopher J. PeBenito
  0 siblings, 1 reply; 7+ messages in thread
From: Matthew Thode @ 2013-12-20 20:14 UTC (permalink / raw)
  To: refpolicy

On 12/20/2013 02:07 PM, Christopher J. PeBenito wrote:
> On 12/20/13 12:31, Matthew Thode wrote:
>> Signed-off-by: Matthew Thode <mthode@mthode.org>
>> ---
>>  policy/modules/kernel/storage.fc | 5 +++++
>>  policy/modules/system/fstools.fc | 6 ++++++
>>  policy/modules/system/mount.fc   | 4 ++++
>>  3 files changed, 15 insertions(+)
>>
>> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
>> index 54f1827..4315bd5 100644
>> --- a/policy/modules/kernel/storage.fc
>> +++ b/policy/modules/kernel/storage.fc
>> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>>  
>>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>>  
>> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> 
> Normally we leave the symlinks stay the generic type, in this case device_t.  That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type.  Otherwise the patch looks ok.
> 
> 
>> +/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +
>>  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
>> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
>> index 948ce2a..39e6c25 100644
>> --- a/policy/modules/system/fstools.fc
>> +++ b/policy/modules/system/fstools.fc
>> @@ -36,6 +36,12 @@
>>  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  
>>  /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
>> index a38605e..807ceef 100644
>> --- a/policy/modules/system/mount.fc
>> +++ b/policy/modules/system/mount.fc
>> @@ -1,6 +1,10 @@
>>  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  
>> +/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +
>>  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  
>>  /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
>>
> 
> 
Would you like me to resubmit?

-- 
-- Matthew Thode

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131220/03cab114/attachment.bin 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS
  2013-12-20 20:14   ` Matthew Thode
@ 2013-12-20 20:22     ` Christopher J. PeBenito
  0 siblings, 0 replies; 7+ messages in thread
From: Christopher J. PeBenito @ 2013-12-20 20:22 UTC (permalink / raw)
  To: refpolicy

On 12/20/13 15:14, Matthew Thode wrote:
> On 12/20/2013 02:07 PM, Christopher J. PeBenito wrote:
>> On 12/20/13 12:31, Matthew Thode wrote:
>>> Signed-off-by: Matthew Thode <mthode@mthode.org>
>>> ---
>>>  policy/modules/kernel/storage.fc | 5 +++++
>>>  policy/modules/system/fstools.fc | 6 ++++++
>>>  policy/modules/system/mount.fc   | 4 ++++
>>>  3 files changed, 15 insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
>>> index 54f1827..4315bd5 100644
>>> --- a/policy/modules/kernel/storage.fc
>>> +++ b/policy/modules/kernel/storage.fc
>>> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>>>  
>>>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>>>  
>>> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>
>> Normally we leave the symlinks stay the generic type, in this case device_t.  That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type.  Otherwise the patch looks ok.

> Would you like me to resubmit?
 
Please do.  I was going to apply it and then fix it, but it fails to apply; looks like a conflict from something I just merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2014-01-21 13:57 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-20 21:06 [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS Matthew Thode
2014-01-20 16:31 ` Matthew Thode
2014-01-21 13:57   ` Christopher J. PeBenito
  -- strict thread matches above, loose matches on Subject: below --
2013-12-20 17:31 Matthew Thode
2013-12-20 20:07 ` Christopher J. PeBenito
2013-12-20 20:14   ` Matthew Thode
2013-12-20 20:22     ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.