2010-08-18 15:36:34

by jsolt

Subject: [refpolicy] [PATCH 1/2] Move devtmpfs to devices from filesystem

Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device node types to associate with the device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t

Signed-off-by: Jeremy Solt <[email protected]>
---
policy/modules/kernel/corecommands.te | 1 +
policy/modules/kernel/devices.if | 39 ++++++++++++++++++++++++++++++++-
policy/modules/kernel/devices.te | 4 +++
policy/modules/kernel/filesystem.te | 1 -
policy/modules/kernel/kernel.te | 3 +-
policy/modules/system/init.te | 1 -
6 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 5e99b33..39a4e97 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -15,6 +15,7 @@ attribute exec_type;
#
type bin_t alias { ls_exec_t sbin_t };
corecmd_executable_file(bin_t)
+dev_associate(bin_t) #For /dev/MAKEDEV

#
# shell_exec_t is the type of user shells such as /bin/bash.
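Review bot: The trailing comment on `dev_associate(bin_t) #For /dev/MAKEDEV` breaks the convention the rest of this file uses, a `#` comment on its own line above the rule, and it undersells what the rule grants: dev_associate also pulls in fs_associate_tmpfs, so bin_t becomes associable with both device_t and tmpfs_t. I would replace it with a comment line above the call, `# /dev/MAKEDEV lives on devtmpfs, so bin_t must associate with device_t (and tmpfs_t for a tmpfs-backed /dev)`, and keep the call itself bare.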
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f13a505..075a91b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -73,6 +73,43 @@ interface(`dev_node',`

########################################
## <summary>
+## Associate the specified file type with device filesystem.
+## </summary>
+## <param name="file_type">
+## <summary>
+## The type of the file to be associated.
+## </summary>
+## </param>
+#
+interface(`dev_associate',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:filesystem associate;
+ fs_associate_tmpfs($1) #For backwards compatibility
+')
+
+########################################
+## <summary>
+## Mount a filesystem on /dev
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allow access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:dir mounton;
+')
+
+########################################
+## <summary>
## Allow full relabeling (to and from) of all device nodes.
## </summary>
## <param name="domain">
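Review bot: The dev_associate summary says only "associate with device filesystem", but the body also grants `fs_associate_tmpfs($1)`, so callers end up with associate on tmpfs_t as well; that should be stated in the summary rather than in the trailing `#For backwards compatibility` comment, which is also the wrong place for a comment in this file's style. Suggest the summary read "Associate the specified file type with the device filesystem (device_t); also associates with tmpfs_t so a tmpfs-backed /dev keeps working" and the comment move to its own line above the call. In dev_mounton the parameter summary `Domain allow access.` should be `Domain allowed access.` to match the other interfaces in this file.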
@@ -759,7 +796,7 @@ interface(`dev_filetrans',`

filetrans_pattern($1, device_t, $2, $3)

- fs_associate_tmpfs($2)
+ dev_associate($2)
files_associate_tmp($2)
')

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 102d130..c4c843b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

#
# Type for /dev/agpgart
@@ -294,6 +296,8 @@ fs_associate_tmpfs(device_node)

files_associate_tmp(device_node)

+allow device_node device_t:filesystem associate;
+
########################################
#
# Unconfined access to this module
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index fb63c3a..22dc0f3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -174,7 +174,6 @@ files_poly_parent(tmpfs_t)
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
-fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6fa55f2..f87946f 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -245,8 +245,7 @@ dev_create_generic_blk_files(kernel_t)
dev_delete_generic_blk_files(kernel_t)
dev_create_generic_chr_files(kernel_t)
dev_delete_generic_chr_files(kernel_t)
-# work around until devtmpfs has device_t type
-dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
+dev_mounton(kernel_t)

# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
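Review bot: The removed line carried the only explanation of why kernel_t touches /dev here; the replacement `dev_mounton(kernel_t)` has none, and a reader cannot tell from the hunk whether this is for the kernel's own devtmpfs auto-mount or for something else. Suggest `# devtmpfs is mounted on /dev by the kernel itself` above the call. It may also be worth confirming that kernel_t already holds mount on the device_t filesystem class now that device_t is an fs type, since this hunk only grants mounton on the directory; I cannot see the rest of kernel_t's rules from here.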
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29f9757..a2f3b96 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -108,7 +108,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)

allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-fs_associate_tmpfs(initctl_t)

# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
--
1.7.2


2010-08-18 15:36:35

by jsolt

Subject: [refpolicy] [PATCH 2/2] Early devtmpfs access

dontaudit attempts to read/write device_t chr files occurring before udev relabel
allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)

Signed-off-by: Jeremy Solt <[email protected]>
---
policy/modules/admin/readahead.te | 2 ++
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/hostname.te | 2 ++
policy/modules/system/init.te | 4 ++++
policy/modules/system/mount.te | 3 +++
5 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index c5c7852..f7d3b90 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -45,6 +45,8 @@ dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(readahead_t)

domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 075a91b..2adb830 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -552,6 +552,24 @@ interface(`dev_rw_generic_chr_files',`

########################################
## <summary>
+## Dontaudit attempts to read/write generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ dontaudit $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
## Create generic character device files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index b9efd1b..e384dcd 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -25,6 +25,8 @@ kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)

dev_read_sysfs(hostname_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(hostname_t)

domain_use_interactive_fds(hostname_t)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a2f3b96..53db1a0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -119,6 +119,8 @@ corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

dev_read_sysfs(init_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(init_t)

domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
@@ -296,6 +298,8 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(initrc_t)

domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
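Review bot: The comment `# Early devtmpfs` above `dev_rw_generic_chr_files(initrc_t)` is misleading, because the allow rule has no boot-phase scope: initrc_t keeps read/write on every chr node still labeled device_t at any time, which after udev relabel means any device udev did not give a specific type. That is a permanent widening of initrc_t's device access for a transient need, so the comment should say what is actually granted, e.g. `# devtmpfs nodes are device_t until udev relabels them; this also covers any node left unlabeled later`. If a narrower rule is possible here it is not visible from this hunk; the initrc_t rules continue outside it.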
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index ee6520c..280a534 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -60,6 +60,9 @@ dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(mount_t)
+
domain_use_interactive_fds(mount_t)

files_search_all(mount_t)
--
1.7.2