2012-09-23 15:15:38

by dominick.grift

Subject: [refpolicy] [PATCH v1 0/2] Support cachefiles

These are needed by cachefilesd

Dominick Grift (2):
Declare a cachefiles device node type
Implement files_create_all_files_as() for cachefilesd

policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
policy/modules/kernel/devices.te | 3 +++
policy/modules/kernel/files.if | 18 ++++++++++++++++++
4 files changed, 41 insertions(+)

--
1.7.11.4


2012-09-23 15:15:39

by dominick.grift

Subject: [refpolicy] [PATCH v1 1/2] Declare a cachefiles device node type

Used by the kernel to communicate with user space (cachefilesd).
Label the character file accordingly.

Create a dev_rw_cachefiles_dev() for cachefilesd

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.if | 19 +++++++++++++++++++
policy/modules/kernel/devices.te | 3 +++
3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5214c08..ddbfa12 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -17,6 +17,7 @@
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
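Review bot: the new type name `cachefiles_dev_t` on the `/dev/cachefiles` line does not follow the naming used by the neighbouring entries in this hunk (`autofs_device_t`, `xserver_misc_device_t`, `crash_device_t`), which all end in `_device_t`; consider `cachefiles_device_t` so the type is found by the same convention, with the matching rename in devices.te and devices.if.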
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d820975..7b585be 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1560,6 +1560,25 @@ interface(`dev_relabel_autofs_dev',`

########################################
## <summary>
+## Read and write cachefiles character
+## device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_cachefiles',`
+ gen_require(`
+ type device_t, cachefiles_dev_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, cachefiles_dev_t)
+')
+
+########################################
+## <summary>
## Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
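Review bot: the interface is declared as `dev_rw_cachefiles`, but the commit message announces `dev_rw_cachefiles_dev()`; one of the two should change so callers find the name the log describes, and the `_dev` suffix would also match the neighbouring `dev_relabel_autofs_dev` in the hunk header. Note that `rw_chr_files_pattern($1, device_t, cachefiles_dev_t)` only grants read/write on the node (plus search on `device_t`), which is what the summary states, so the documentation is consistent once the name is settled.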
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 108b68b..52519e3 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -43,6 +43,9 @@ type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)

+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
#
# clock_device_t is the type of
# /dev/rtc.
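Review bot: the new `type cachefiles_dev_t;` declaration lacks the descriptive comment that the surrounding declarations carry (see the `clock_device_t is the type of /dev/rtc` comment directly below it); add a `#` comment stating that this is the type of `/dev/cachefiles`, the node the kernel uses to talk to cachefilesd. The block is also placed after `cardmgr_dev_t` although the visible neighbours (`cardmgr_dev_t`, then `clock_device_t`) are in alphabetical order and `cachefiles` sorts before `cardmgr`; moving it up keeps that order.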
--
1.7.11.4

2012-09-23 15:15:40

by dominick.grift

Subject: [refpolicy] [PATCH v1 2/2] Implement files_create_all_files_as() for cachefilesd

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e1e814d..d1e42ac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1182,6 +1182,24 @@ interface(`files_list_all',`

########################################
## <summary>
+## Create all files as is.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_all_files_as',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:kernel_service create_files_as;
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
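Review bot: the summary `Create all files as is.` does not explain what the interface grants; `allow $1 file_type:kernel_service create_files_as;` gives the domain the `create_files_as` permission against every type carrying the `file_type` attribute, not just a cache directory type, so the summary should say that the domain may have the kernel create files on its behalf under any file type and should name the intended consumer (cachefilesd) so reviewers can judge the scope. It would also help to note that the permission lives on the `kernel_service` class rather than on a file class, since that is not obvious from the interface name.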
--
1.7.11.4

2012-10-04 12:25:36

by cpebenito

Subject: [refpolicy] [PATCH v1 0/2] Support cachefiles

On 09/23/12 11:15, Dominick Grift wrote:
> These are needed by cachefilesd
>
> Dominick Grift (2):
> Declare a cachefiles device node type
> Implement files_create_all_files_as() for cachefilesd
>
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 19 +++++++++++++++++++
> policy/modules/kernel/devices.te | 3 +++
> policy/modules/kernel/files.if | 18 ++++++++++++++++++
> 4 files changed, 41 insertions(+)

This set is merged, though I renamed the type to cachefiles_device_t.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-10-04 12:42:03

by sven.vermeulen

Subject: [refpolicy] [PATCH v1 0/2] Support cachefiles

What is the kernel_service class and create_file_as permission for?
On Sep 23, 2012 5:16 PM, "Dominick Grift" <[email protected]> wrote:

> These are needed by cachefilesd
>
> Dominick Grift (2):
> Declare a cachefiles device node type
> Implement files_create_all_files_as() for cachefilesd
>
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.if | 19 +++++++++++++++++++
> policy/modules/kernel/devices.te | 3 +++
> policy/modules/kernel/files.if | 18 ++++++++++++++++++
> 4 files changed, 41 insertions(+)
>
> --
> 1.7.11.4
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

2012-10-04 14:16:08

by dominick.grift

Subject: [refpolicy] [PATCH v1 0/2] Support cachefiles



On Thu, 2012-10-04 at 14:42 +0200, Sven Vermeulen wrote:
> What is the kernel_service class and create_file_as permission for?

http://www.mail-archive.com/linux-security-module at vger.kernel.org/msg02892.html