From: Laurent Bigonville <[email protected]>
Create xattrfs attribute and use it instead of fs_t for the file systems
that support extended file attributes.
This patch add a new fs_xattr_type() interface.
---
policy/modules/kernel/devices.te | 4 +--
policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
policy/modules/kernel/filesystem.te | 43 +++++++++++++++--------------
policy/modules/kernel/kernel.te | 6 ++--
policy/modules/kernel/selinux.te | 2 +-
policy/modules/kernel/terminal.te | 2 +-
6 files changed, 68 insertions(+), 44 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8af85d3..9a18dda 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
-fs_type(device_t)
+fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
#
@@ -224,7 +224,7 @@ dev_node(sound_device_t)
#
type sysfs_t;
files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
+fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..fe7dc95 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
can_exec($1, noxattrfs)
')
+
+########################################
+## <summary>
+## Transform specified type into a filesystem
+## type which has extended attribute
+## support.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_xattr_type',`
+ gen_require(`
+ attribute xattrfs;
+ ')
+
+ fs_type($1)
+
+ typeattribute $1 xattrfs;
+')
+
########################################
## <summary>
## Mount a persistent filesystem which
@@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
#
interface(`fs_mount_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem mount;
+ allow $1 xattrfs:filesystem mount;
')
########################################
@@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
#
interface(`fs_remount_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem remount;
+ allow $1 xattrfs:filesystem remount;
')
########################################
@@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
#
interface(`fs_unmount_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem unmount;
+ allow $1 xattrfs:filesystem unmount;
')
########################################
@@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
#
interface(`fs_getattr_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem getattr;
+ allow $1 xattrfs:filesystem getattr;
')
########################################
@@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
#
interface(`fs_dontaudit_getattr_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- dontaudit $1 fs_t:filesystem getattr;
+ dontaudit $1 xattrfs:filesystem getattr;
')
########################################
@@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
#
interface(`fs_relabelfrom_xattr_fs',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem relabelfrom;
+ allow $1 xattrfs:filesystem relabelfrom;
')
########################################
@@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
#
interface(`fs_get_xattr_fs_quotas',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem quotaget;
+ allow $1 xattrfs:filesystem quotaget;
')
########################################
@@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
#
interface(`fs_set_xattr_fs_quotas',`
gen_require(`
- type fs_t;
+ attribute xattrfs;
')
- allow $1 fs_t:filesystem quotamod;
+ allow $1 xattrfs:filesystem quotamod;
')
########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index aaf0506..3c95bfc 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
attribute filesystem_type;
attribute filesystem_unconfined_type;
attribute noxattrfs;
+attribute xattrfs;
##############################
#
@@ -15,7 +16,7 @@ attribute noxattrfs;
# filesystems with extended attributes
#
type fs_t;
-fs_type(fs_t)
+fs_xattr_type(fs_t)
sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
@@ -51,36 +52,36 @@ fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
#
type anon_inodefs_t;
-fs_type(anon_inodefs_t)
+fs_xattr_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
type bdev_t;
-fs_type(bdev_t)
+fs_xattr_type(bdev_t)
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
type binfmt_misc_fs_t;
-fs_type(binfmt_misc_fs_t)
+fs_xattr_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
type capifs_t;
-fs_type(capifs_t)
+fs_xattr_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type cgroup_t;
-fs_type(cgroup_t)
+fs_xattr_type(cgroup_t)
files_mountpoint(cgroup_t)
dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
type configfs_t;
-fs_type(configfs_t)
+fs_xattr_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
type cpusetfs_t;
-fs_type(cpusetfs_t)
+fs_xattr_type(cpusetfs_t)
allow cpusetfs_t self:filesystem associate;
genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
@@ -90,26 +91,26 @@ files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
type futexfs_t;
-fs_type(futexfs_t)
+fs_xattr_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
type hugetlbfs_t;
-fs_type(hugetlbfs_t)
+fs_xattr_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t;
-fs_type(ibmasmfs_t)
+fs_xattr_type(ibmasmfs_t)
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
type infinibandeventfs_t;
-fs_type(infinibandeventfs_t)
+fs_xattr_type(infinibandeventfs_t)
allow infinibandeventfs_t self:filesystem associate;
genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
type inotifyfs_t;
-fs_type(inotifyfs_t)
+fs_xattr_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
type mvfs_t;
@@ -118,36 +119,36 @@ allow mvfs_t self:filesystem associate;
genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
-fs_type(nfsd_fs_t)
+fs_xattr_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type oprofilefs_t;
-fs_type(oprofilefs_t)
+fs_xattr_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
type pstore_t;
-fs_type(pstore_t)
+fs_xattr_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
type ramfs_t;
-fs_type(ramfs_t)
+fs_xattr_type(ramfs_t)
files_mountpoint(ramfs_t)
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
type romfs_t;
-fs_type(romfs_t)
+fs_xattr_type(romfs_t)
genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
type rpc_pipefs_t;
-fs_type(rpc_pipefs_t)
+fs_xattr_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
type spufs_t;
-fs_type(spufs_t)
+fs_xattr_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
#
type tmpfs_t;
dev_associate(tmpfs_t)
-fs_type(tmpfs_t)
+fs_xattr_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7f7372f..633b63c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -57,7 +57,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
files_mountpoint(debugfs_t)
-fs_type(debugfs_t)
+fs_xattr_type(debugfs_t)
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -66,7 +66,7 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
#
type kvmfs_t;
-fs_type(kvmfs_t)
+fs_xattr_type(kvmfs_t)
genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
#
@@ -75,7 +75,7 @@ genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
type proc_t, proc_type;
files_mountpoint(proc_t)
-fs_type(proc_t)
+fs_xattr_type(proc_t)
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index e0a973b..5cf625d 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -30,7 +30,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
#
type security_t, boolean_type;
files_mountpoint(security_t)
-fs_type(security_t)
+fs_xattr_type(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 66e116a..c59df22 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -27,7 +27,7 @@ dev_node(console_device_t)
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
-fs_type(devpts_t)
+fs_xattr_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
#
--
1.9.0
Le Wed, 5 Mar 2014 21:12:06 +0100,
Laurent at oss1.tresys.com, "Bigoville <bigon"@debian.org a ?crit :
> From: Laurent Bigonville <[email protected]>
>
> Create xattrfs attribute and use it instead of fs_t for the file
> systems that support extended file attributes.
>
> This patch add a new fs_xattr_type() interface.
Mhhh, nevermind, I didn't saw Christopher answer to my previous mail
before sending this