* [refpolicy] [PATCH] label for /run/tmpfiles.d
@ 2014-07-23 20:45 Jason Zaman
  2014-07-24  9:47 ` Laurent Bigonville
From: Jason Zaman @ 2014-07-23 20:45 UTC (permalink / raw)
  To: refpolicy

kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
This patch was mostly taken from the fedora policy.
---
 policy/modules/system/modutils.fc | 2 ++
 policy/modules/system/modutils.te | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..744a49a 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -23,3 +23,5 @@ ifdef(`distro_gentoo',`
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 
 /usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
+
+/var/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:insmod_var_run_t,s0)
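Review bot: the subject and description say /run/tmpfiles.d, but the new entry is written as /var/run/tmpfiles.d; that only works if the build's /run to /var/run path substitution is active, so either state that in the description or list the /run form as well. Also, the dots in the path are unescaped regex metacharacters; write it as `/var/run/tmpfiles\.d(/.*)?` to match the escaping convention used for other dotted paths in .fc files.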
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59ecb2b..945b318 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,6 +18,9 @@ application_domain(insmod_t, insmod_exec_t)
 mls_file_write_all_levels(insmod_t)
 role system_r types insmod_t;
 
+type insmod_var_run_t;
+files_pid_file(insmod_var_run_t)
+
 # module loading config
 type modules_conf_t;
 files_type(modules_conf_t)
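Review bot: the new `type insmod_var_run_t;` / `files_pid_file(insmod_var_run_t)` pair carries no comment, while the neighbouring block is introduced by `# module loading config`; add a one-line comment saying what the type labels (the tmpfiles.d fragment kmod writes). Since the description says the directory is consumed by tmpfiles rather than by kmod, also say why the type lives in modutils rather than in a tmpfiles-owned module.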
@@ -115,6 +118,10 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
 read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
 
+manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
+manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
+files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file })
+
 can_exec(insmod_t, insmod_exec_t)
 
 kernel_load_module(insmod_t)
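Review bot: `files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file })` is an unnamed transition, so every directory or file insmod_t creates directly under /run would be labelled insmod_var_run_t, not only tmpfiles.d/kmod.conf. The description names a single file, so scope the rule with the name argument, e.g. `files_pid_filetrans(insmod_t, insmod_var_run_t, dir, "tmpfiles.d")` and a named transition for the `kmod.conf` file inside it; and drop the `dir` class unless kmod really creates the tmpfiles.d directory itself, since `manage_dirs_pattern` on the previous lines already lets it do so.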
-- 
1.8.5.5


* [refpolicy] [PATCH] label for /run/tmpfiles.d
  2014-07-23 20:45 [refpolicy] [PATCH] label for /run/tmpfiles.d Jason Zaman
@ 2014-07-24  9:47 ` Laurent Bigonville
  2014-07-24 10:36   ` Jason Zaman
From: Laurent Bigonville @ 2014-07-24  9:47 UTC (permalink / raw)
  To: refpolicy

On Thu, 24 Jul 2014 00:45:40 +0400,
Jason Zaman <jason@perfinion.com> wrote:

> kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> This patch was mostly taken from the fedora policy.

/run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
labeled as part of this (still nonexistent in refpolicy) module if we
want a dedicated context for this directory.

Cheers,

Laurent Bigonville


* [refpolicy] [PATCH] label for /run/tmpfiles.d
  2014-07-24  9:47 ` Laurent Bigonville
@ 2014-07-24 10:36   ` Jason Zaman
  2014-07-24 12:51     ` Daniel J Walsh
From: Jason Zaman @ 2014-07-24 10:36 UTC (permalink / raw)
  To: refpolicy

On 24 Jul 2014 13:47, "Laurent Bigonville" <bigon@debian.org> wrote:
>
> On Thu, 24 Jul 2014 00:45:40 +0400,
> Jason Zaman <jason@perfinion.com> wrote:
>
> > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> > This patch was mostly taken from the fedora policy.
>
> /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> labeled as part of this (still nonexistent in refpolicy) module if we
> want a dedicated context for this directory.

Having a tmpfiles module for this is doable (where would it go in the tree?
I'm assuming not contrib/?)

I need this for OpenRC too since it also uses tmpfiles so it is not
necessarily "systemd". The labels should definitely be in sync for both
tho.

Should it be tmpfiles_var_run_t and tmpfiles_etc_t?

Alternatively I could keep it in the Gentoo policy till the systemd stuff
is done but I would rather get the labels in sync first.

-- Jason


* [refpolicy] [PATCH] label for /run/tmpfiles.d
  2014-07-24 10:36   ` Jason Zaman
@ 2014-07-24 12:51     ` Daniel J Walsh
  2014-07-25 12:22       ` Christopher J. PeBenito
From: Daniel J Walsh @ 2014-07-24 12:51 UTC (permalink / raw)
  To: refpolicy


On 07/24/2014 06:36 AM, Jason Zaman wrote:
>
>
> On 24 Jul 2014 13:47, "Laurent Bigonville" <bigon@debian.org
> <mailto:bigon@debian.org>> wrote:
> >
> > On Thu, 24 Jul 2014 00:45:40 +0400,
> > Jason Zaman <jason@perfinion.com> wrote:
> >
> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> > > This patch was mostly taken from the fedora policy.
> >
> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> > labeled as part of this (still nonexistent in refpolicy) module if we
> > want a dedicated context for this directory.
>
> Having a tmpfiles module for this is doable (where would it go in the
> tree? I'm assuming not contrib/?)
>
> I need this for OpenRC too since it also uses tmpfiles so it is not
> necessarily "systemd". The labels should definitely be in sync for
> both tho.
>
> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
>
> Alternatively I could keep it in the Gentoo policy till the systemd
> stuff is done but I would rather get the labels in sync first.
>
> -- Jason
>
Currently Fedora has
/var/run/tmpfiles.d/kmod.conf    --    system_u:object_r:insmod_var_run_t:s0

If we add a label for  /var/run/tmpfiles.d/ it needs a named file trans
rule for any process that creates content under it.




* [refpolicy] [PATCH] label for /run/tmpfiles.d
  2014-07-24 12:51     ` Daniel J Walsh
@ 2014-07-25 12:22       ` Christopher J. PeBenito
  2014-07-25 12:49         ` Jason Zaman
From: Christopher J. PeBenito @ 2014-07-25 12:22 UTC (permalink / raw)
  To: refpolicy

On 7/24/2014 8:51 AM, Daniel J Walsh wrote:
> 
> On 07/24/2014 06:36 AM, Jason Zaman wrote:
>>
>>
>> On 24 Jul 2014 13:47, "Laurent Bigonville" <bigon@debian.org
>> <mailto:bigon@debian.org>> wrote:
>> >
>> > On Thu, 24 Jul 2014 00:45:40 +0400,
>> > Jason Zaman <jason@perfinion.com> wrote:
>> >
>> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
>> > > This patch was mostly taken from the fedora policy.
>> >
>> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
>> > labeled as part of this (still nonexistent in refpolicy) module if we
>> > want a dedicated context for this directory.
>>
>> Having a tmpfiles module for this is doable (where would it go in the
>> tree? I'm assuming not contrib/?)
>>
>> I need this for OpenRC too since it also uses tmpfiles so it is not
>> necessarily "systemd". The labels should definitely be in sync for
>> both tho.
>>
>> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
>>
>> Alternatively I could keep it in the Gentoo policy till the systemd
>> stuff is done but I would rather get the labels in sync first.
>>
> Currently Fedora has
> /var/run/tmpfiles.d/kmod.conf    --    system_u:object_r:insmod_var_run_t:s0
> 
> If we add a label for  /var/run/tmpfiles.d/ it needs a named file trans
> rule for any process that creates content under it.

The transitions require names?  Do individual domains create files in
there that necessitate different types?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH] label for /run/tmpfiles.d
  2014-07-25 12:22       ` Christopher J. PeBenito
@ 2014-07-25 12:49         ` Jason Zaman
From: Jason Zaman @ 2014-07-25 12:49 UTC (permalink / raw)
  To: refpolicy

On Fri, Jul 25, 2014 at 08:22:03AM -0400, Christopher J. PeBenito wrote:
> On 7/24/2014 8:51 AM, Daniel J Walsh wrote:
> > 
> > On 07/24/2014 06:36 AM, Jason Zaman wrote:
> >>
> >>
> >> On 24 Jul 2014 13:47, "Laurent Bigonville" <bigon@debian.org
> >> <mailto:bigon@debian.org>> wrote:
> >> >
> >> > On Thu, 24 Jul 2014 00:45:40 +0400,
> >> > Jason Zaman <jason@perfinion.com> wrote:
> >> >
> >> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> >> > > This patch was mostly taken from the fedora policy.
> >> >
> >> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> >> > labeled as part of this (still nonexistent in refpolicy) module if we
> >> > want a dedicated context for this directory.
> >>
> >> Having a tmpfiles module for this is doable (where would it go in the
> >> tree? I'm assuming not contrib/?)
> >>
> >> I need this for OpenRC too since it also uses tmpfiles so it is not
> >> necessarily "systemd". The labels should definitely be in sync for
> >> both tho.
> >>
> >> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
> >>
> >> Alternatively I could keep it in the Gentoo policy till the systemd
> >> stuff is done but I would rather get the labels in sync first.
> >>
> > Currently Fedora has
> > /var/run/tmpfiles.d/kmod.conf    --    system_u:object_r:insmod_var_run_t:s0
> > 
> > If we add a label for  /var/run/tmpfiles.d/ it needs a named file trans
> > rule for any process that creates content under it.
> 
> The transitions require names?  Do individual domains create files in
> there that necessitate different types?

kmod just needs to be able to create the file, it doesn't use it after
creating. systemd-tmpfiles is the one that reads the file later. I think
having everything labelled tmpfiles_var_run_t and letting insmod_t
create a file in the dir is fine too.

-- Jason
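The layout Dan and Jason discuss above, written out as an added refpolicy-style sketch (not refpolicy's own code and not part of this thread): a hypothetical tmpfiles module owns /run/tmpfiles.d as tmpfiles_var_run_t (the name Jason proposes), and a named file transition keeps the fragment kmod writes labelled insmod_var_run_t, which is what Dan's "named file trans rule" means. The interface name tmpfiles_var_run_filetrans and the module version are assumptions; the macros used (policy_module, files_pid_file, files_search_pids, filetrans_pattern, manage_files_pattern) are existing refpolicy ones.

```selinux
# Added sketch, not refpolicy's tmpfiles module. Assumes a new
# tmpfiles module exists; the interface name below is hypothetical.

# --- tmpfiles.fc -------------------------------------------------
# Only the /var/run form is listed: refpolicy's path substitution
# maps /run onto /var/run at file_contexts build time.
/var/run/tmpfiles\.d(/.*)?	gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
# The kmod fragment keeps insmod's type so restorecon agrees with the
# runtime transition below.
/var/run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:insmod_var_run_t,s0)

# --- tmpfiles.te -------------------------------------------------
policy_module(tmpfiles, 1.0.0)

# fragments under /run/tmpfiles.d, read later by systemd-tmpfiles
type tmpfiles_var_run_t;
files_pid_file(tmpfiles_var_run_t)

# --- tmpfiles.if -------------------------------------------------
## Let domain $1 create the single fragment named $3 inside
## /run/tmpfiles.d, labelled with the caller-supplied type $2 instead
## of tmpfiles_var_run_t. Without a name, every file the domain
## created in that directory would get type $2.
interface(`tmpfiles_var_run_filetrans',`
	gen_require(`
		type tmpfiles_var_run_t;
	')

	# reach /run, then the tmpfiles.d directory
	files_search_pids($1)
	# filetrans_pattern grants the directory search/add-entry
	# permissions and emits:
	#   type_transition $1 tmpfiles_var_run_t:file $2 "$3";
	filetrans_pattern($1, tmpfiles_var_run_t, $2, file, $3)
')

# --- modutils.te (caller side) ------------------------------------
# insmod_t only creates and writes its own fragment; the directory
# belongs to tmpfiles, so no dir transition is needed here.
manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
tmpfiles_var_run_filetrans(insmod_t, insmod_var_run_t, "kmod.conf")
```

If the simpler variant Jason mentions last is preferred, drop the named transition and the kmod.conf .fc line, and give insmod_t create and write access to tmpfiles_var_run_t files instead, so the fragment simply inherits the directory's type.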
