From: Laurent Bigonville <[email protected]>
Create a new attribute and fs_getattr_all_xattr_fs() interface that will
be used for all the filesystems that support xattr
---
policy/modules/kernel/filesystem.if | 58 +++++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 1 +
2 files changed, 59 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..d24ae64 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -108,6 +108,64 @@ interface(`fs_exec_noxattr',`
########################################
## <summary>
+## Transform specified type into a filesystem
+## type which has extended attribute
+## support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_xattr_type',`
+ gen_require(`
+ attribute xattrfs;
+ ')
+
+ fs_type($1)
+
+ typeattribute $1 xattrfs;
+')
+
+########################################
+## <summary>
+## Get the attributes of all the
+## filesystems which have extended
+## attributes.
+## This includes pseudo filesystems.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to
+## get the attributes of a filesystems
+## which have extended attributes.
+## Example attributes:
+## </p>
+## <ul>
+## <li>Type of the file system (e.g., tmpfs)</li>
+## <li>Size of the file system</li>
+## <li>Available space on the file system</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+## <rolecap/>
+#
+interface(`fs_getattr_all_xattr_fs',`
+ gen_require(`
+ attribute xattrfs;
+ ')
+
+ allow $1 xattrfs:filesystem getattr;
+')
+
+########################################
+## <summary>
## Mount a persistent filesystem which
## has extended attributes, such as
## ext3, JFS, or XFS.
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index d9cc21f..4207e8f 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.18.0)
attribute filesystem_type;
attribute filesystem_unconfined_type;
attribute noxattrfs;
+attribute xattrfs;
##############################
#
--
1.9.1
From: Laurent Bigonville <[email protected]>
Associate the new xattrfs attribute to fs_t and the pseudo filesystems
that we know support xattr
This patch adds the attribute to the following (pseudo) filesystems
- device_t
- devpts_t
- fs_t
- hugetlbfs
- sysfs_t
- tmpfs_t
---
policy/modules/kernel/devices.te | 4 ++--
policy/modules/kernel/filesystem.te | 6 +++---
policy/modules/kernel/terminal.te | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 520f4ee..e42c5ee 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
-fs_type(device_t)
+fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
#
@@ -224,7 +224,7 @@ dev_node(sound_device_t)
#
type sysfs_t;
files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
+fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
#
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 4207e8f..427ef46 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -16,7 +16,7 @@ attribute xattrfs;
# filesystems with extended attributes
#
type fs_t;
-fs_type(fs_t)
+fs_xattr_type(fs_t)
sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
@@ -95,7 +95,7 @@ fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
type hugetlbfs_t;
-fs_type(hugetlbfs_t)
+fs_xattr_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -175,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
#
type tmpfs_t;
dev_associate(tmpfs_t)
-fs_type(tmpfs_t)
+fs_xattr_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index e05079a..01dbf46 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -27,7 +27,7 @@ dev_node(console_device_t)
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
-fs_type(devpts_t)
+fs_xattr_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
#
--
1.9.1
From: Laurent Bigonville <[email protected]>
Use the new fs_getattr_all_xattr_fs() interface to allow setfiles_t and
restorecond_t domain to also get the attributes on pseudo-filesystems
that support xattr
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682
---
policy/modules/system/selinuxutil.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f4d17cd..c78dd63 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -330,7 +330,7 @@ kernel_read_system_state(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
-fs_getattr_xattr_fs(restorecond_t)
+fs_getattr_all_xattr_fs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
selinux_validate_context(restorecond_t)
@@ -558,7 +558,7 @@ files_relabel_all_files(setfiles_t)
files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
-fs_getattr_xattr_fs(setfiles_t)
+fs_getattr_all_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
--
1.9.1
On 04/04/2014 04:52 PM, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> Create a new attribute and fs_getattr_all_xattr_fs() interface that will
> be used for all the filesystems that support xattr
This set is merged.
> ---
> policy/modules/kernel/filesystem.if | 58 +++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/filesystem.te | 1 +
> 2 files changed, 59 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 8416beb..d24ae64 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -108,6 +108,64 @@ interface(`fs_exec_noxattr',`
>
> ########################################
> ## <summary>
> +## Transform specified type into a filesystem
> +## type which has extended attribute
> +## support.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_xattr_type',`
> + gen_require(`
> + attribute xattrfs;
> + ')
> +
> + fs_type($1)
> +
> + typeattribute $1 xattrfs;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of all the
> +## filesystems which have extended
> +## attributes.
> +## This includes pseudo filesystems.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to
> +## get the attributes of a filesystems
> +## which have extended attributes.
> +## Example attributes:
> +## </p>
> +## <ul>
> +## <li>Type of the file system (e.g., tmpfs)</li>
> +## <li>Size of the file system</li>
> +## <li>Available space on the file system</li>
> +## </ul>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +## <rolecap/>
> +#
> +interface(`fs_getattr_all_xattr_fs',`
> + gen_require(`
> + attribute xattrfs;
> + ')
> +
> + allow $1 xattrfs:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Mount a persistent filesystem which
> ## has extended attributes, such as
> ## ext3, JFS, or XFS.
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index d9cc21f..4207e8f 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -8,6 +8,7 @@ policy_module(filesystem, 1.18.0)
> attribute filesystem_type;
> attribute filesystem_unconfined_type;
> attribute noxattrfs;
> +attribute xattrfs;
>
> ##############################
> #
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com