[refpolicy] [PATCH] Add file_type attribute to configfs

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Add file_type attribute to configfs_t
@ 2014-09-07 21:47 Nicolas Iooss
  2014-09-12 18:09 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Iooss @ 2014-09-07 21:47 UTC (permalink / raw)
  To: refpolicy

/sys/kernel/config filesystem can be used to configure some kernel
components such as netconsole [1].  Hence configfs_t can be used to
label files and directories and should be file_type.

Moreover this fixes the following AVC denial from collectd:

    avc:  denied  { getattr } for pid=872 comm="collectd"
    path="/sys/kernel/config" dev="configfs" ino=10234
    scontext=system_u:system_r:collectd_t
    tcontext=system_u:object_r:configfs_t tclass=dir

[1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
---
 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb76dc66..fab828f00f97 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
+files_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
 type cpusetfs_t;
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [refpolicy] [PATCH] Add file_type attribute to configfs_t
  2014-09-07 21:47 [refpolicy] [PATCH] Add file_type attribute to configfs_t Nicolas Iooss
@ 2014-09-12 18:09 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-09-12 18:09 UTC (permalink / raw)
  To: refpolicy

On 9/7/2014 5:47 PM, Nicolas Iooss wrote:
> /sys/kernel/config filesystem can be used to configure some kernel
> components such as netconsole [1].  Hence configfs_t can be used to
> label files and directories and should be file_type.

I don't think configfs_t labels any files but those in the configfs
pseudo filesystem, which is consistent with the following denial.  I
don't think it should be a file type.



> Moreover this fixes the following AVC denial from collectd:
> 
>     avc:  denied  { getattr } for pid=872 comm="collectd"
>     path="/sys/kernel/config" dev="configfs" ino=10234
>     scontext=system_u:system_r:collectd_t
>     tcontext=system_u:object_r:configfs_t tclass=dir
> 
> [1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
> ---
>  policy/modules/kernel/filesystem.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index cf04fb76dc66..fab828f00f97 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>  
>  type configfs_t;
>  fs_type(configfs_t)
> +files_type(configfs_t)
>  genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
>  
>  type cpusetfs_t;
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-09-12 18:09 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-09-07 21:47 [refpolicy] [PATCH] Add file_type attribute to configfs_t Nicolas Iooss
2014-09-12 18:09 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.