2017-12-13 18:15:35

by Jason Zaman

Subject: [refpolicy] [PATCH 1/2] userdomain: Allow public content access

All are allowed read access to readonly files.
unpriv and admin users are allowed rw access to public rw files.
---
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 11b15dbb..a284067a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -868,6 +868,7 @@ template(`userdom_login_user_template', `
miscfiles_read_man_pages($1_t)
# map is needed for man-dbs apropos program
miscfiles_map_man_cache($1_t)
+ miscfiles_read_public_files($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
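Review bot: the added `miscfiles_read_public_files($1_t)` call is the only line in this block without a comment saying why it is there, while the neighbouring `miscfiles_map_man_cache` and `miscfiles_read_tetex_data` calls each carry one; a one-line comment such as `# read-only public content for all login users` would keep the template self-documenting and tie the line back to the commit message.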
@@ -1067,6 +1068,8 @@ template(`userdom_unpriv_user_template', `

files_exec_usr_files($1_t)

+ miscfiles_manage_public_files($1_t)
+
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
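Review bot: the commit message says unprivileged and admin users get read-write access to public rw files, but this hunk only touches `userdom_unpriv_user_template`; please confirm that the admin user template actually reaches this code path, otherwise the admin half of the message is not delivered by the patch. Also, `miscfiles_manage_public_files` grants manage permissions (create, delete and rename as well as read and write), which is broader than the "rw access" the message describes; the message should state which of the two is intended.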
--
2.13.6


2017-12-13 18:15:36

by Jason Zaman

Subject: [refpolicy] [PATCH 2/2] storage: Add fcontexts for NVMe disks

NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition
---
policy/modules/kernel/storage.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 375b10bc..c7e3ac0d 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -33,6 +33,8 @@
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]n[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
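Review bot: the two new patterns disagree on controller numbering: `/dev/nvme[0-9]+` matches any number of digits for the controller char device, but `/dev/nvme[0-9]n[^/]+` matches only a single digit, so on a host with ten or more controllers `/dev/nvme10n1` and its partitions would fall through to the default label instead of `fixed_disk_device_t`. Use `/dev/nvme[0-9]+n[^/]+` on the block-device line so both entries cover the same controllers. The `-c` / `-b` split itself matches the commit message (char device for the controller, block device for the namespace and its partitions), and the `mls_systemhigh` level is consistent with the surrounding fixed-disk entries.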
--
2.13.6

2017-12-13 23:15:58

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] userdomain: Allow public content access

On 12/13/2017 01:15 PM, Jason Zaman wrote:
> All are allowed read access to readonly files.
> unpriv and admin users are allowed rw access to public rw files.
> ---
> policy/modules/system/userdomain.if | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 11b15dbb..a284067a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -868,6 +868,7 @@ template(`userdom_login_user_template', `
> miscfiles_read_man_pages($1_t)
> # map is needed for man-dbs apropos program
> miscfiles_map_man_cache($1_t)
> + miscfiles_read_public_files($1_t)
> # for running TeX programs
> miscfiles_read_tetex_data($1_t)
> miscfiles_exec_tetex_data($1_t)
> @@ -1067,6 +1068,8 @@ template(`userdom_unpriv_user_template', `
>
> files_exec_usr_files($1_t)
>
> + miscfiles_manage_public_files($1_t)
> +
> tunable_policy(`user_dmesg',`
> kernel_read_ring_buffer($1_t)
> ',`

Merged.

--
Chris PeBenito

2017-12-13 23:16:19

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] storage: Add fcontexts for NVMe disks

On 12/13/2017 01:15 PM, Jason Zaman wrote:
> NVMe has several dev nodes for each device:
> /dev/nvme0 is a char device for communicating with the controller
> /dev/nvme0n1 is the block device that stores the data.
> /dev/nvme0n1p1 is the first partition
> ---
> policy/modules/kernel/storage.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 375b10bc..c7e3ac0d 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -33,6 +33,8 @@
> /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
> /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/nvme[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/nvme[0-9]n[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
> /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
> /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)

Merged.

--
Chris PeBenito