2012-09-22 10:57:13

by dominick.grift

Subject: [refpolicy] [PATCH 0/2] Support cachefiles

These are needed by cachefilesd

Dominick Grift (2):
Declare a cachfiles device node type
Implement files_create_all_files_as() for cachefilesd

policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
policy/modules/kernel/devices.te | 3 +++
policy/modules/kernel/files.if | 18 ++++++++++++++++++
4 files changed, 41 insertions(+)

--
1.7.11.4


2012-09-22 10:57:14

by dominick.grift

Subject: [refpolicy] [PATCH 1/2] Declare a cachfiles device node type

Used by the kernel to communicate with user space (cachefilesd).
Label the character file accordingly.

Create a dev_rw_cachefiles_dev() for cachefilesd.

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
policy/modules/kernel/devices.te | 3 +++
3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5214c08..ddbfa12 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -17,6 +17,7 @@
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d820975..266b8b5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1560,6 +1560,25 @@ interface(`dev_relabel_autofs_dev',`

########################################
## <summary>
+## Read and write cachefiles character
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_cachfiles',`
+ gen_require(`
+ type device_t, cachefiles_dev_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, cachefiles_dev_t)
+')
+
+########################################
+## <summary>
## Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
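Review bot: the interface name in `interface(`dev_rw_cachfiles',`` is misspelled (it drops the "e" in cachefiles) and does not match the `dev_rw_cachefiles_dev()` name the commit message promises; any caller written against the documented name will not match this definition and the policy build will fail. Rename the interface to agree with the commit message and with the `cachefiles_dev_t` type it wraps. The summary could also read "character device node" in the singular, since the devices.fc hunk labels exactly one node, `/dev/cachefiles`.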
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 108b68b..52519e3 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -43,6 +43,9 @@ type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)

+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
#
# clock_device_t is the type of
# /dev/rtc.
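Review bot: the new `type cachefiles_dev_t;` / `dev_node(cachefiles_dev_t)` block is inserted after the `cardmgr_dev_t` declarations, but the surrounding declarations (cardmgr_dev_t, then clock_device_t) are in alphabetical order and cachefiles sorts before cardmgr; the devices.if hunk in this same patch does place the cachefiles interface ahead of the cardmgr one, so the two files are now ordered inconsistently. Move the three added lines above `type cardmgr_dev_t;`. The declaration itself is complete for the devices.fc entry that references it.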
--
1.7.11.4

2012-09-22 10:57:15

by dominick.grift

Subject: [refpolicy] [PATCH 2/2] Implement files_create_all_files_as() for cachefilesd

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e1e814d..d1e42ac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1182,6 +1182,24 @@ interface(`files_list_all',`

########################################
## <summary>
+## Create all files as is.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_files_as',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:kernel_service create_files_as;
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
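Review bot: the summary "Create all files as is." does not describe what the interface grants. `allow $1 file_type:kernel_service create_files_as;` lets the kernel create files of every type carrying the `file_type` attribute on the domain's behalf, which is a very broad permission, and neither the interface documentation nor the (bodyless) commit message says that it is intended for a kernel-backed service such as cachefilesd, as the patch subject implies, rather than for ordinary domains. Suggested summary: "Allow the kernel to create files of all file types on behalf of the domain (kernel_service create_files_as)." and a commit message body stating why cachefilesd needs it.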
--
1.7.11.4

2012-09-23 09:26:19

by dominick.grift

Subject: [refpolicy] [PATCH 1/2] Declare a cachfiles device node type

On Sat, 2012-09-22 at 12:57 +0200, Dominick Grift wrote:

>
> ########################################
> ## <summary>
> +## Read and write cachefiles character
> +## device nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_rw_cachfiles',`

Ignore this. The interface name has a typo.
I will resubmit a proper patch set.