[refpolicy] [PATCH 1/3] Create new xattrfs attribute and fs_*_all_xattr_fs() interfaces

[refpolicy] [PATCH 1/3] Create new xattrfs attribute and fs_*_all_xattr_fs() interfaces

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

Create a new attribute and fs_*_all_xattr_fs() interfaces that will be
used for pseudo filesystems that support xattr
---
 policy/modules/kernel/filesystem.if | 200 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.te |   1 +
 2 files changed, 201 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..36cb57b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -108,6 +108,206 @@ interface(`fs_exec_noxattr',`
 
 ########################################
 ## <summary>
+##	Transform specified type into a filesystem
+##	type which has extended attribute
+##	support.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_xattr_type',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	fs_type($1)
+
+	typeattribute $1 xattrfs;
+')
+
+########################################
+## <summary>
+##	Mount a pseudo filesystem which
+##	has extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_all_xattr_fs',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a pseudo filesystem which
+##	has extended attributes.
+##	This allows some mount options
+##	to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_all_xattr_fs',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a pseudo filesystem which
+##	has extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_all_xattr_fs',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of pseudo
+##	filesystems which have extended
+##	attributes.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to
+##	get the attributes of a pseudo
+##	filesystems which have extended
+##	attributes.
+##	Example attributes:
+##	</p>
+##	<ul>
+##		<li>Type of the file system (e.g., tmpfs)</li>
+##		<li>Size of the file system</li>
+##		<li>Available space on the file system</li>
+##	</ul>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+## <rolecap/>
+#
+interface(`fs_getattr_all_xattr_fs',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to
+##	get the attributes of a pseudo
+##	filesystem which has extended
+##	attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_all_xattr_fs',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	dontaudit $1 xattrfs:filesystem getattr;
+')
+
+########################################
+## <summary>
+##	Allow changing of the label of a
+##	pseudo filesystem with extended
+##	attributes using the context=
+##	mount option.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_relabelfrom_all_xattr_fs',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem relabelfrom;
+')
+
+########################################
+## <summary>
+##	Get the pseudo filesystem quotas of
+##	a filesystem with extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_get_all_xattr_fs_quotas',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem quotaget;
+')
+
+########################################
+## <summary>
+##	Set the pseudo filesystem quotas of
+##	a filesystem with extended attributes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_set_all_xattr_fs_quotas',`
+	gen_require(`
+		attribute xattrfs;
+	')
+
+	allow $1 xattrfs:filesystem quotamod;
+')
+
+
+########################################
+## <summary>
 ##	Mount a persistent filesystem which
 ##	has extended attributes, such as
 ##	ext3, JFS, or XFS.
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index d9cc21f..4207e8f 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.18.0)
 attribute filesystem_type;
 attribute filesystem_unconfined_type;
 attribute noxattrfs;
+attribute xattrfs;
 
 ##############################
 #
-- 
1.9.1

[refpolicy] [PATCH 2/3] Associate the new xattrfs attribute to some pseudo filesystems

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

Associate the new xattrfs attribute to the pseudo filesystems that we
know support xattr

This patch adds the attribute to:

 - device_t
 - devpts_t
 - hugetlbfs
 - sysfs_t
 - tmpfs_t
---
 policy/modules/kernel/devices.te    | 4 ++--
 policy/modules/kernel/filesystem.te | 4 ++--
 policy/modules/kernel/terminal.te   | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 520f4ee..e42c5ee 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
 files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
-fs_type(device_t)
+fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
 #
@@ -224,7 +224,7 @@ dev_node(sound_device_t)
 #
 type sysfs_t;
 files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
+fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 4207e8f..4328cd8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -95,7 +95,7 @@ fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 
 type hugetlbfs_t;
-fs_type(hugetlbfs_t)
+fs_xattr_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
 
@@ -175,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
 #
 type tmpfs_t;
 dev_associate(tmpfs_t)
-fs_type(tmpfs_t)
+fs_xattr_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index e05079a..01dbf46 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -27,7 +27,7 @@ dev_node(console_device_t)
 type devpts_t;
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
-fs_type(devpts_t)
+fs_xattr_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 
 #
-- 
1.9.1

[refpolicy] [PATCH 3/3] Allow setfiles_t and restorecond_t to getattr on pseudo-fs

[Laurent Bigonville]

From: Laurent Bigonville <bigon@bigon.be>

Use the new fs_getattr_all_xattr_fs() interface to allow setfiles_t and
restorecond_t domain to get the attributes on pseudo-filesystems that
support xattr

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
---
 policy/modules/system/selinuxutil.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f4d17cd..aa9772f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -330,6 +330,7 @@ kernel_read_system_state(restorecond_t)
 
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
+fs_getattr_all_xattr_fs(restorecond_t)
 fs_getattr_xattr_fs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)
 
@@ -558,6 +559,7 @@ files_relabel_all_files(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
+fs_getattr_all_xattr_fs(setfiles_t)
 fs_getattr_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
 fs_search_auto_mountpoints(setfiles_t)
-- 
1.9.1

[refpolicy] [PATCH 2/3] Associate the new xattrfs attribute to some pseudo filesystems

[Christopher J. PeBenito]

On 03/19/2014 06:17 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Associate the new xattrfs attribute to the pseudo filesystems that we
> know support xattr
> 
> This patch adds the attribute to:
> 
>  - device_t
>  - devpts_t
>  - hugetlbfs
>  - sysfs_t
>  - tmpfs_t

It would seem that fs_t should also be in that list.  I think the set can be merged with that fixed.


> ---
>  policy/modules/kernel/devices.te    | 4 ++--
>  policy/modules/kernel/filesystem.te | 4 ++--
>  policy/modules/kernel/terminal.te   | 2 +-
>  3 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 520f4ee..e42c5ee 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
>  files_type(device_t)
>  files_mountpoint(device_t)
>  files_associate_tmp(device_t)
> -fs_type(device_t)
> +fs_xattr_type(device_t)
>  fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>  
>  #
> @@ -224,7 +224,7 @@ dev_node(sound_device_t)
>  #
>  type sysfs_t;
>  files_mountpoint(sysfs_t)
> -fs_type(sysfs_t)
> +fs_xattr_type(sysfs_t)
>  genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
>  
>  #
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 4207e8f..4328cd8 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -95,7 +95,7 @@ fs_type(futexfs_t)
>  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
>  
>  type hugetlbfs_t;
> -fs_type(hugetlbfs_t)
> +fs_xattr_type(hugetlbfs_t)
>  files_mountpoint(hugetlbfs_t)
>  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
>  
> @@ -175,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
>  #
>  type tmpfs_t;
>  dev_associate(tmpfs_t)
> -fs_type(tmpfs_t)
> +fs_xattr_type(tmpfs_t)
>  files_type(tmpfs_t)
>  files_mountpoint(tmpfs_t)
>  files_poly_parent(tmpfs_t)
> diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
> index e05079a..01dbf46 100644
> --- a/policy/modules/kernel/terminal.te
> +++ b/policy/modules/kernel/terminal.te
> @@ -27,7 +27,7 @@ dev_node(console_device_t)
>  type devpts_t;
>  files_mountpoint(devpts_t)
>  fs_associate_tmpfs(devpts_t)
> -fs_type(devpts_t)
> +fs_xattr_type(devpts_t)
>  fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
>  
>  #
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com