2017-06-04 15:20:08

by Jason Zaman

Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface

---
policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 42ab95c0..20461505 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', `

########################################
## <summary>
+## Create an object in a cgroup tmpfs filesystem, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`fs_cgroup_filetrans',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $2 tmpfs_t:filesystem associate;
+ filetrans_pattern($1, cgroup_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read
## dirs on a CIFS or SMB filesystem.
## </summary>
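Review bot: `allow $2 tmpfs_t:filesystem associate;` uses tmpfs_t, but the gen_require block only declares `type cgroup_t;`, so the interface will fail to link in any module that does not already require tmpfs_t; change the require to `type cgroup_t, tmpfs_t;`. The associate rule itself is sound (cgroup_t sits on a tmpfs, so a private type created there must be allowed to associate with the underlying filesystem type), but the caller is still not granted search on the path leading to the cgroup mount; pairing the filetrans_pattern with a search call for the cgroup or sysfs directories, as the replies below discuss, would make the interface usable on its own. Minor: `<param name="private type">` has a space in the attribute value; private_type would match the identifier style of the other parameters here (`domain`, `object`, `name`).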
--
2.13.0


2017-06-04 15:25:43

by Dac Override

Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface

On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> ---
> policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++
> 1 file changed, 35 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 42ab95c0..20461505 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', `
>
> ########################################
> ## <summary>
> +## Create an object in a cgroup tmpfs filesystem, with a private
> +## type using a type transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="private type">
> +## <summary>
> +## The type of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="object">
> +## <summary>
> +## The object class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_cgroup_filetrans',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + allow $2 tmpfs_t:filesystem associate;

You're referencing tmpfs_t without requiring it, but I think that this is probably not the right place to deal with this in the first place.

What I probably would add instead, however, is: fs_search_sysfs($1)

> + filetrans_pattern($1, cgroup_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to read
> ## dirs on a CIFS or SMB filesystem.
> ## </summary>
> --
> 2.13.0
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-06-04 15:52:51

by Jason Zaman

Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface

On Sun, Jun 04, 2017 at 05:25:43PM +0200, Dominick Grift via refpolicy wrote:
> On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> > ---
> > policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++
> > 1 file changed, 35 insertions(+)
> >
> > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> > index 42ab95c0..20461505 100644
> > --- a/policy/modules/kernel/filesystem.if
> > +++ b/policy/modules/kernel/filesystem.if
> > @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', `
> >
> > ########################################
> > ## <summary>
> > +## Create an object in a cgroup tmpfs filesystem, with a private
> > +## type using a type transition.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="private type">
> > +## <summary>
> > +## The type of the object to be created.
> > +## </summary>
> > +## </param>
> > +## <param name="object">
> > +## <summary>
> > +## The object class of the object being created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`fs_cgroup_filetrans',`
> > + gen_require(`
> > + type cgroup_t;
> > + ')
> > +
> > + allow $2 tmpfs_t:filesystem associate;
>
> You're referencing tmpfs_t without requiring it, but I think that this is probably not the right place to deal with this in the first place.
>
> What I probably would add instead, however, is: fs_search_sysfs($1)

Hmm.
I could add fs_associate_tmpfs(cgmanager_cgroup_t) to cgmanager.te
instead, but cgroup_t is a tmpfs underneath so this assoc needs to be
there, and fs_tmpfs_filetrans has the fs assoc perm too, which is why I
kept it.

fs_search_sysfs isn't strictly required because cgmanager mounts things
in a mount namespace in /run instead. But adding it makes sense, so I can
do it anyway.

# cat /proc/`pidof cgmanager`/mounts
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
cgmfs /run/cgmanager/fs tmpfs rw,seclabel,relatime,size=100k,mode=755 0 0
blkio /run/cgmanager/fs/blkio cgroup rw,relatime,blkio 0 0
cpu /run/cgmanager/fs/cpu cgroup rw,relatime,cpu 0 0
cpuacct /run/cgmanager/fs/cpuacct cgroup rw,relatime,cpuacct 0 0
cpuset /run/cgmanager/fs/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
devices /run/cgmanager/fs/devices cgroup rw,relatime,devices 0 0
freezer /run/cgmanager/fs/freezer cgroup rw,relatime,freezer 0 0
memory /run/cgmanager/fs/memory cgroup rw,relatime,memory 0 0
net_prio /run/cgmanager/fs/net_prio cgroup rw,relatime,net_prio 0 0
none,name=openrc /run/cgmanager/fs/none,name=openrc cgroup rw,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
pids /run/cgmanager/fs/pids cgroup rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids 0 0
none,name=systemd /run/cgmanager/fs/none,name=systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
zmeriadoc/root / zfs rw,seclabel,relatime,xattr,posixacl 0 0
tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=131072k,mode=755 0 0
root /root tmpfs rw,seclabel,relatime,size=12k 0 0

>
> > + filetrans_pattern($1, cgroup_t, $2, $3, $4)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Do not audit attempts to read
> > ## dirs on a CIFS or SMB filesystem.
> > ## </summary>
> > --
> > 2.13.0

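An added check written against the mount listing above; it is not code from the thread or from refpolicy. For every cgroup mount in a /proc/PID/mounts listing it reports the mount it actually sits on (the filesystem type a private object type must be allowed to associate with), whether that mount carries seclabel, and whether the hierarchy lives under /sys at all (only then does the calling domain need fs_search_sysfs). The function name cgroup_backing_fs is mine, and the sample table is a constructed subset of the cgmanager output shown above.

```shell
# cgroup_backing_fs: read /proc/PID/mounts lines on stdin and print, for each
# cgroup/cgroup2 mount:  <cgroup mountpoint> <parent mountpoint> <parent fstype>
# <seclabel|nolabel> <under-sys|outside-sys>
# Live use:  cat /proc/$(pidof cgmanager)/mounts | cgroup_backing_fs
cgroup_backing_fs() {
    awk '
    NF < 4 { next }                       # skip blank or truncated lines
    { n++; mp[n] = $2; fstype[n] = $3; opts[n] = $4 }
    END {
        for (i = 1; i <= n; i++) {
            if (fstype[i] != "cgroup" && fstype[i] != "cgroup2") continue
            # nearest ancestor mount = longest mountpoint that is a path prefix
            best = 0; bestlen = -1
            for (j = 1; j <= n; j++) {
                p = mp[j]
                if (p == mp[i]) continue
                if (p == "/" || index(mp[i], p "/") == 1) {
                    if (length(p) > bestlen) { best = j; bestlen = length(p) }
                }
            }
            if (best == 0) { print mp[i], "?", "?", "?", "?"; continue }
            lab = (opts[best] ~ /(^|,)seclabel(,|$)/) ? "seclabel" : "nolabel"
            sys = (index(mp[i], "/sys/") == 1) ? "under-sys" : "outside-sys"
            print mp[i], mp[best], fstype[best], lab, sys
        }
    }'
}

# Constructed sample: a subset of the cgmanager mount table quoted in this thread.
SAMPLE_MOUNTS='cgmfs /run/cgmanager/fs tmpfs rw,seclabel,relatime,size=100k,mode=755 0 0
devices /run/cgmanager/fs/devices cgroup rw,relatime,devices 0 0
zmeriadoc/root / zfs rw,seclabel,relatime,xattr,posixacl 0 0
tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=131072k,mode=755 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | cgroup_backing_fs
# -> /run/cgmanager/fs/devices /run/cgmanager/fs tmpfs seclabel outside-sys
```

The tmpfs line in the result is the filesystem type the associate rule has to name, and outside-sys confirms that sysfs search permission is not what this daemon needs.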
2017-06-04 16:03:17

by Dac Override

Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface

On Sun, Jun 04, 2017 at 11:52:51PM +0800, Jason Zaman via refpolicy wrote:
> On Sun, Jun 04, 2017 at 05:25:43PM +0200, Dominick Grift via refpolicy wrote:
> > On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> > > ---
> > > policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++
> > > 1 file changed, 35 insertions(+)
> > >
> > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> > > index 42ab95c0..20461505 100644
> > > --- a/policy/modules/kernel/filesystem.if
> > > +++ b/policy/modules/kernel/filesystem.if
> > > @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', `
> > >
> > > ########################################
> > > ## <summary>
> > > +## Create an object in a cgroup tmpfs filesystem, with a private
> > > +## type using a type transition.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +## <param name="private type">
> > > +## <summary>
> > > +## The type of the object to be created.
> > > +## </summary>
> > > +## </param>
> > > +## <param name="object">
> > > +## <summary>
> > > +## The object class of the object being created.
> > > +## </summary>
> > > +## </param>
> > > +## <param name="name" optional="true">
> > > +## <summary>
> > > +## The name of the object being created.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`fs_cgroup_filetrans',`
> > > + gen_require(`
> > > + type cgroup_t;
> > > + ')
> > > +
> > > + allow $2 tmpfs_t:filesystem associate;
> >
> > You're referencing tmpfs_t without requiring it, but I think that this is probably not the right place to deal with this in the first place.
> >
> > What I probably would add instead, however, is: fs_search_sysfs($1)
>
> Hmm.
> I could add fs_associate_tmpfs(cgmanager_cgroup_t) to cgmanager.te
> instead, but cgroup_t is a tmpfs underneath so this assoc needs to be
> there, and fs_tmpfs_filetrans has the fs assoc perm too, which is why I
> kept it.

Okay, yes, then I suppose for the sake of consistency you might add it here as well.

Side note though: the situation in /sys/fs got quite messy. I got a headache just looking at your cgmanager patch, but that is not your fault.
It's probably actually my fault, because we should have never added an fc spec for /sys/fs/cgroup (instead we should have just relied on contexts of file system mounts and getfscon).
Because having to add rules that allow the creation of sock files on cgroup filesystem type filesystems doesn't make sense (it's actually probably creating that stuff on tmpfs, but that tmpfs fs gets labeled cgroupfs due to the fc spec ...).

Anyhow, c'est la vie.

>
> fs_search_sysfs isn't strictly required because cgmanager mounts things
> in a mount namespace in /run instead. But adding it makes sense, so I can
> do it anyway.
>
> # cat /proc/`pidof cgmanager`/mounts
> proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
> binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
> cgmfs /run/cgmanager/fs tmpfs rw,seclabel,relatime,size=100k,mode=755 0 0
> blkio /run/cgmanager/fs/blkio cgroup rw,relatime,blkio 0 0
> cpu /run/cgmanager/fs/cpu cgroup rw,relatime,cpu 0 0
> cpuacct /run/cgmanager/fs/cpuacct cgroup rw,relatime,cpuacct 0 0
> cpuset /run/cgmanager/fs/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
> devices /run/cgmanager/fs/devices cgroup rw,relatime,devices 0 0
> freezer /run/cgmanager/fs/freezer cgroup rw,relatime,freezer 0 0
> memory /run/cgmanager/fs/memory cgroup rw,relatime,memory 0 0
> net_prio /run/cgmanager/fs/net_prio cgroup rw,relatime,net_prio 0 0
> none,name=openrc /run/cgmanager/fs/none,name=openrc cgroup rw,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
> pids /run/cgmanager/fs/pids cgroup rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids 0 0
> none,name=systemd /run/cgmanager/fs/none,name=systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
> zmeriadoc/root / zfs rw,seclabel,relatime,xattr,posixacl 0 0
> tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=131072k,mode=755 0 0
> root /root tmpfs rw,seclabel,relatime,size=12k 0 0
>
> >
> > > + filetrans_pattern($1, cgroup_t, $2, $3, $4)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > ## Do not audit attempts to read
> > > ## dirs on a CIFS or SMB filesystem.
> > > ## </summary>
> > > --
> > > 2.13.0


2017-06-04 16:30:43

by Jason Zaman

Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface

On Sun, Jun 04, 2017 at 06:03:17PM +0200, Dominick Grift via refpolicy wrote:
> On Sun, Jun 04, 2017 at 11:52:51PM +0800, Jason Zaman via refpolicy wrote:
> > On Sun, Jun 04, 2017 at 05:25:43PM +0200, Dominick Grift via refpolicy wrote:
> > > On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> > > > ---
> > > > policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++
> > > > 1 file changed, 35 insertions(+)
> > > >
> > > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> > > > index 42ab95c0..20461505 100644
> > > > --- a/policy/modules/kernel/filesystem.if
> > > > +++ b/policy/modules/kernel/filesystem.if
> > > > @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', `
> > > >
> > > > ########################################
> > > > ## <summary>
> > > > +## Create an object in a cgroup tmpfs filesystem, with a private
> > > > +## type using a type transition.
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +## <summary>
> > > > +## Domain allowed access.
> > > > +## </summary>
> > > > +## </param>
> > > > +## <param name="private type">
> > > > +## <summary>
> > > > +## The type of the object to be created.
> > > > +## </summary>
> > > > +## </param>
> > > > +## <param name="object">
> > > > +## <summary>
> > > > +## The object class of the object being created.
> > > > +## </summary>
> > > > +## </param>
> > > > +## <param name="name" optional="true">
> > > > +## <summary>
> > > > +## The name of the object being created.
> > > > +## </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`fs_cgroup_filetrans',`
> > > > + gen_require(`
> > > > + type cgroup_t;
> > > > + ')
> > > > +
> > > > + allow $2 tmpfs_t:filesystem associate;
> > >
> > > You're referencing tmpfs_t without requiring it, but I think that this is probably not the right place to deal with this in the first place.
> > >
> > > What I probably would add instead, however, is: fs_search_sysfs($1)
> >
> > Hmm.
> > I could add fs_associate_tmpfs(cgmanager_cgroup_t) to cgmanager.te
> > instead, but cgroup_t is a tmpfs underneath so this assoc needs to be
> > there, and fs_tmpfs_filetrans has the fs assoc perm too, which is why I
> > kept it.
>
> Okay, yes, then I suppose for the sake of consistency you might add it here as well.

Okay, then I'll just send a patch with the search_cgroups and add tmpfs_t
to the require.

>
> Side note though: the situation in /sys/fs got quite messy. I got a headache just looking at your cgmanager patch, but that is not your fault.
> It's probably actually my fault, because we should have never added an fc spec for /sys/fs/cgroup (instead we should have just relied on contexts of file system mounts and getfscon).
> Because having to add rules that allow the creation of sock files on cgroup filesystem type filesystems doesn't make sense (it's actually probably creating that stuff on tmpfs, but that tmpfs fs gets labeled cgroupfs due to the fc spec ...).

Yeah, it's a bit complicated. It took me a while to figure it out when I
first wrote the policy. It basically makes its own mount namespace and
then does basically:

mkdir /run/cgmanager/fs/
mount --move /sys/fs/cgroup /run/cgmanager/fs

and moves all the cgroup fses in there, then umounts every single other
FS within its mount namespace (e.g. I have /home separate normally, but in
that /proc/pidof cgmanager/mounts output below it doesn't show up).

Thanks for reviewing :)
-- Jason
>
> Anyhow, c'est la vie.
>
> >
> > fs_search_sysfs isn't strictly required because cgmanager mounts things
> > in a mount namespace in /run instead. But adding it makes sense, so I can
> > do it anyway.
> >
> > # cat /proc/`pidof cgmanager`/mounts
> > proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
> > binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
> > cgmfs /run/cgmanager/fs tmpfs rw,seclabel,relatime,size=100k,mode=755 0 0
> > blkio /run/cgmanager/fs/blkio cgroup rw,relatime,blkio 0 0
> > cpu /run/cgmanager/fs/cpu cgroup rw,relatime,cpu 0 0
> > cpuacct /run/cgmanager/fs/cpuacct cgroup rw,relatime,cpuacct 0 0
> > cpuset /run/cgmanager/fs/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
> > devices /run/cgmanager/fs/devices cgroup rw,relatime,devices 0 0
> > freezer /run/cgmanager/fs/freezer cgroup rw,relatime,freezer 0 0
> > memory /run/cgmanager/fs/memory cgroup rw,relatime,memory 0 0
> > net_prio /run/cgmanager/fs/net_prio cgroup rw,relatime,net_prio 0 0
> > none,name=openrc /run/cgmanager/fs/none,name=openrc cgroup rw,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
> > pids /run/cgmanager/fs/pids cgroup rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids 0 0
> > none,name=systemd /run/cgmanager/fs/none,name=systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
> > zmeriadoc/root / zfs rw,seclabel,relatime,xattr,posixacl 0 0
> > tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=131072k,mode=755 0 0
> > root /root tmpfs rw,seclabel,relatime,size=12k 0 0
> >
> > >
> > > > + filetrans_pattern($1, cgroup_t, $2, $3, $4)
> > > > +')
> > > > +
> > > > +########################################
> > > > +## <summary>
> > > > ## Do not audit attempts to read
> > > > ## dirs on a CIFS or SMB filesystem.
> > > > ## </summary>
> > > > --
> > > > 2.13.0