2014-09-07 21:47:31

by Nicolas Iooss

Subject: [refpolicy] [PATCH] Add file_type attribute to configfs_t

The /sys/kernel/config filesystem can be used to configure some kernel
components such as netconsole [1]. Hence configfs_t can be used to
label files and directories and should be file_type.

Moreover, this fixes the following AVC denial from collectd:

avc: denied { getattr } for pid=872 comm="collectd"
path="/sys/kernel/config" dev="configfs" ino=10234
scontext=system_u:system_r:collectd_t
tcontext=system_u:object_r:configfs_t tclass=dir

[1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb76dc66..fab828f00f97 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)

type configfs_t;
fs_type(configfs_t)
+files_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)

type cpusetfs_t;
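Review bot: the added `files_type(configfs_t)` line grants far more than the single `getattr` the quoted denial needs. `file_type` is the attribute that generic rules throughout the policy use to reach every file type at once, so every domain carrying such a rule would gain the same access to /sys/kernel/config, which the description itself calls a kernel configuration interface. The surrounding context shows configfs_t is only ever applied through `genfscon configfs /` to the pseudo filesystem and already carries `fs_type(configfs_t)`, so the narrower fix is to give collectd_t directory getattr on configfs_t through an interface in filesystem.if rather than re-attributing the type. If the attribute change is kept, the commit message should say which other domains are expected to gain access and why that is acceptable.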
--
2.1.0
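When triaging a denial like the one in the patch description, the first step is to get the record into structured fields (source type, target type, object class, requested permissions) so it can be compared against the policy instead of reasoned about by eye. The following parser is an added example and is not part of the patch, refpolicy, or the audit tools; the sample record is the denial quoted above, joined back onto one line the way the kernel prints it (a constructed input), and the `allow_rule` rendering is a hypothetical helper that prints the narrowest single rule the record asks for, which is what one would weigh against a broad attribute change such as `files_type`.

```python
import re
from collections import defaultdict

# Constructed sample: the collectd denial from the patch description,
# joined onto one line as auditd/dmesg would emit it.
SAMPLE_AVC = (
    'avc: denied { getattr } for pid=872 comm="collectd" '
    'path="/sys/kernel/config" dev="configfs" ino=10234 '
    'scontext=system_u:system_r:collectd_t '
    'tcontext=system_u:object_r:configfs_t tclass=dir'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values may be double-quoted and contain spaces (paths).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in _KV_RE.findall(m.group("rest")):
        fields[key] = value.strip('"')
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None  # truncated record; not enough to reason about
    rec = dict(fields)
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    # A security context is user:role:type[:level]; the type is the third field.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """Render the narrowest allow rule this one record asks for (hypothetical helper)."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"])
    )


def summarize(lines):
    """Aggregate many records into {(stype, ttype, tclass): sorted permission list}."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["result"] == "denied":
            wanted[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in wanted.items()}


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["stype"], "->", record["ttype"], record["tclass"], record["perms"])
    print(allow_rule(record))
```

Feeding the aggregated `summarize` output to a policy query (for instance checking whether the target type already carries an attribute that a domain's existing rules reach) is what separates "this one getattr is missing" from "this type is mislabelled", which is exactly the question the review of this patch turns on.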


2014-09-12 18:09:21

by cpebenito

Subject: [refpolicy] [PATCH] Add file_type attribute to configfs_t

On 9/7/2014 5:47 PM, Nicolas Iooss wrote:
> The /sys/kernel/config filesystem can be used to configure some kernel
> components such as netconsole [1]. Hence configfs_t can be used to
> label files and directories and should be file_type.

I don't think configfs_t labels any files but those in the configfs
pseudo filesystem, which is consistent with the following denial. I
don't think it should be a file type.

> Moreover, this fixes the following AVC denial from collectd:
>
> avc: denied { getattr } for pid=872 comm="collectd"
> path="/sys/kernel/config" dev="configfs" ino=10234
> scontext=system_u:system_r:collectd_t
> tcontext=system_u:object_r:configfs_t tclass=dir
>
> [1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
> ---
> policy/modules/kernel/filesystem.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index cf04fb76dc66..fab828f00f97 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>
> type configfs_t;
> fs_type(configfs_t)
> +files_type(configfs_t)
> genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
>
> type cpusetfs_t;
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com