2017-06-04 16:33:44

by Jason Zaman

Subject: [refpolicy] [PATCH v2] filesystem: introduce fs_cgroup_filetrans interface

---
changes from v1:
add require tmpfs_t
add fs_search_sysfs

no changes are required in the patches for contrib
---
policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 42ab95c0..35b17a2a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -944,6 +944,42 @@ interface(`fs_mounton_cgroup', `

########################################
## <summary>
+## Create an object in a cgroup tmpfs filesystem, with a private
+## type using a type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private type">
+## <summary>
+## The type of the object to be created.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`fs_cgroup_filetrans',`
+ gen_require(`
+ type cgroup_t, tmpfs_t;
+ ')
+
+ allow $2 tmpfs_t:filesystem associate;
+ filetrans_pattern($1, cgroup_t, $2, $3, $4)
+ fs_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read
## dirs on a CIFS or SMB filesystem.
## </summary>
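Review bot: the `fs_search_sysfs($1)` call at the end of the interface body names an interface that does not match the one the devices module provides for sysfs directory search; it should be `dev_search_sysfs($1)`, which is the correction the maintainer applies in the reply below. As written the interface would fail to build (undefined macro) rather than silently grant too little, so the fix is a one-line rename.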
--
2.13.0


2017-06-05 00:37:16

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] filesystem: introduce fs_cgroup_filetrans interface

On 06/04/2017 12:33 PM, Jason Zaman wrote:
> ---
> changes from v1:
> add require tmpfs_t
> add fs_search_sysfs
>
> no changes are required in the patches for contrib
> ---
> policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 42ab95c0..35b17a2a 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -944,6 +944,42 @@ interface(`fs_mounton_cgroup', `
>
> ########################################
> ## <summary>
> +## Create an object in a cgroup tmpfs filesystem, with a private
> +## type using a type transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="private type">
> +## <summary>
> +## The type of the object to be created.
> +## </summary>
> +## </param>
> +## <param name="object">
> +## <summary>
> +## The object class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_cgroup_filetrans',`
> + gen_require(`
> + type cgroup_t, tmpfs_t;
> + ')
> +
> + allow $2 tmpfs_t:filesystem associate;
> + filetrans_pattern($1, cgroup_t, $2, $3, $4)
> + fs_search_sysfs($1)

It's actually dev_search_sysfs(). I merged it along with the fix.


> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to read
> ## dirs on a CIFS or SMB filesystem.
> ## </summary>
>
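Review bot: the `allow $2 tmpfs_t:filesystem associate;` line deserves a short comment stating why the private type associates with `tmpfs_t` rather than `cgroup_t`; the v1-to-v2 change that added the `tmpfs_t` require shows this was non-obvious. A line such as `# the cgroup hierarchy is mounted on a tmpfs` above it would keep a later reader from "correcting" it to `cgroup_t`, which would break creation of the object in the mounted hierarchy.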


--
Chris PeBenito