2012-08-25 23:31:05

by Guido Trentalancia

Subject: [refpolicy] [PATCH/RFC]: add standard udev file contexts (non-destructive temporary duplicates)

File context definition maintenance patch (udev).

At present, udev file contexts are defined only under /lib/udev.
Unfortunately this is not the upstream standard location, so the
labels work on some distributions but not on others, and the
module is likely to become difficult to maintain sooner or later.

http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev/udev.html

The following patch aims to create the file contexts for the
standard locations currently being used by udev (and to add
a few comments for easier future maintenance).

Because most of the additional file contexts that are going
to be introduced by this patch will result in duplicate
definitions appearing both for the standard location
/usr/lib/udev and for the alternative non-standard location
/lib/udev, it is recommended that either each distributor
subsequently introduces the ifdef distro conditionals for
its own distribution (according to its own customizations and
needs) or otherwise that all duplicate /lib/udev contexts are
removed and the "file_contexts.subs_dist" policy configuration
file is separately used by each distributor in its own build
tree for distribution-specific alternative locations.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/cups.fc | 10 ++-
policy/modules/kernel/corecommands.fc | 3 +
policy/modules/kernel/corenetwork.fc | 9 ++-
policy/modules/kernel/devices.fc | 12 +++-
policy/modules/kernel/filesystem.fc | 11 +++
policy/modules/kernel/storage.fc | 9 ++-
policy/modules/kernel/terminal.fc | 8 ++
policy/modules/system/udev.fc | 99
++++++++++++++++++++++++----------
8 files changed, 123 insertions(+), 38 deletions(-)

diff -pruN refpolicy-25082012/policy/modules/contrib/cups.fc
refpolicy-25082012-udev-standard-fc/policy/modules/contrib/cups.fc
--- refpolicy-25082012/policy/modules/contrib/cups.fc 2012-06-18
18:09:00.651780292 +0200
+++ refpolicy-25082012-udev-standard-fc/policy/modules/contrib/cups.fc
2012-08-26 01:47:40.001310683 +0200
@@ -1,4 +1,3 @@
-
/etc/alchemist/namespace/printconf(/.*)?
gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@@ -19,7 +18,14 @@

/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

-/lib/udev/udev-configure-printer --
gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+# standard location for system-config-printer USB printer configuration
+# tool
+/etc/udev/udev-add-printer --
gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/etc/udev/udev-configure-printer --
gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+# commonly-used alternative location for system-config-printer USB
printer configuration
+# tool (ifdef distro would be nice here or otherwise
file_contexts.subs_dist)
+/lib/udev/udev-configure-printer --
gen_context(system_u:object_r:cupsd_config_exec_t,s0)

/opt/gutenprint/ppds(/.*)?
gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
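Review bot: The new `/etc/udev/udev-add-printer` and `/etc/udev/udev-configure-printer` entries label executables under /etc/udev, and the comment calls this the "standard location" without saying where that path comes from; as far as I can tell system-config-printer installs its udev helpers into udev's helper directory (/lib/udev or /usr/lib/udev), not under /etc, so please confirm the install path before giving files there cupsd_config_exec_t. If /etc/udev is only where one distribution puts them, the entries belong under an ifdef(`distro_...') or in file_contexts.subs_dist, which is exactly what the description recommends for the /lib/udev duplicates. `udev-add-printer` is also a new name with no /lib/udev counterpart in this hunk; a comment such as `# udev-add-printer: shipped by system-config-printer >= <version>` would tell the next maintainer which package to check.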

diff -pruN refpolicy-25082012/policy/modules/kernel/corecommands.fc
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/corecommands.fc
--- refpolicy-25082012/policy/modules/kernel/corecommands.fc 2012-08-25
17:52:10.037296340 +0200
+++
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/corecommands.fc 2012-08-26
01:13:27.740776735 +0200
@@ -135,8 +135,11 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp --
gen_context(system_u:object_r:bin_t,s0)
/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
+
+# commonly-used alternative location for udev executables (ifdef distro
would be nice here)
/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
+
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)

ifdef(`distro_gentoo',`
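Review bot: Only the /lib/udev helpers get bin_t here; the series adds no `/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)` entry, so on a system whose udev helpers (scsi_id and friends) live in the /usr/lib/udev path that udev.fc now calls standard they would keep the generic lib_t label, unless corecommands.fc already has such an entry outside this hunk, which I cannot see from here. If it is missing, udev_t cannot execute its own helpers from the standard location and the description's goal is only half met. The hunk header shows this block follows an ifdef(`distro_debian') line, so whether the /lib/udev lines (and any /usr/lib/udev line added next to them) are Debian-only or global cannot be told from the hunk; the new comment should say which.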
diff -pruN refpolicy-25082012/policy/modules/kernel/corenetwork.fc
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/corenetwork.fc
--- refpolicy-25082012/policy/modules/kernel/corenetwork.fc 2011-06-10
04:42:40.395875000 +0200
+++
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/corenetwork.fc 2012-08-26
01:13:27.747776802 +0200
@@ -6,5 +6,10 @@

/dev/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)

-/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
-/lib/udev/devices/net/.* -c
gen_context(system_u:object_r:tun_tap_device_t,s0)
+# commonly-used alternative location for udev devices (ifdef distro
would be nice here)
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c
gen_context(system_u:object_r:tun_tap_device_t,s0)
+
+# standard location for udev devices
+/usr/lib/udev/devices/ppp -c
gen_context(system_u:object_r:ppp_device_t,s0)
+/usr/lib/udev/devices/net/.* -c
gen_context(system_u:object_r:tun_tap_device_t,s0)
diff -pruN refpolicy-25082012/policy/modules/kernel/devices.fc
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/devices.fc
--- refpolicy-25082012/policy/modules/kernel/devices.fc 2012-08-25
17:52:10.037296340 +0200
+++
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/devices.fc
2012-08-26 01:13:27.748776811 +0200
@@ -188,14 +188,24 @@ ifdef(`distro_debian',`
/dev/\.static/dev/(.*)? <<none>>
')

+# commonly-used alternative location for udev devices (ifdef distro
would be nice here)
/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)

-# used by init scripts to initally populate udev /dev
+# used by init scripts to initally populate udev /dev (commonly-used
alternative location, ifdef distro would be nice here)
/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
/lib/udev/devices/lp.* -c
gen_context(system_u:object_r:printer_device_t,s0)
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)

+# standard location for udev devices
+/usr/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+
+# used by init scripts to initally populate udev /dev (standard location)
+/usr/libexec/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
+/usr/lib/udev/devices/lp.* -c
gen_context(system_u:object_r:printer_device_t,s0)
+/usr/lib/udev/devices/null -c
gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c
gen_context(system_u:object_r:zero_device_t,s0)
+
/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)

ifdef(`distro_redhat',`
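Review bot: The recursive entry for the standard location reads `/usr/libexec/udev/devices(/.*)?` while every other new line in this hunk uses `/usr/lib/udev/devices`, so the /usr/lib/udev/devices tree as a whole never receives device_t (only the `-d` directory entry and the lp/null/zero nodes do) and an unexplained /usr/libexec path is introduced instead. This looks like a typo for `/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)`; as written, any other static node placed there would be labeled by the generic /usr/lib rule rather than as a device. With the recursive line corrected, the separate `-d` entry on the directory is redundant (as it already is for the /lib/udev case above), though harmless.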
diff -pruN refpolicy-25082012/policy/modules/kernel/filesystem.fc
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/filesystem.fc
--- refpolicy-25082012/policy/modules/kernel/filesystem.fc 2011-06-10
04:42:40.397874965 +0200
+++
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/filesystem.fc
2012-08-26 01:13:27.749776821 +0200
@@ -6,11 +6,18 @@
/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
/dev/shm/.* <<none>>

-/lib/udev/devices/hugepages -d
gen_context(system_u:object_r:hugetlbfs_t,s0)
+# commonly-used alternative location for udev filesystem devices (ifdef
distro would be nice here)
+/lib/udev/devices/hugepages -d
gen_context(system_u:object_r:hugetlbfs_t,s0)
/lib/udev/devices/hugepages/.* <<none>>
-/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
/lib/udev/devices/shm/.* <<none>>

+# standard location for udev filesystem devices
+/usr/lib/udev/devices/hugepages -d
gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.* <<none>>
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <<none>>
+
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <<none>>
diff -pruN refpolicy-25082012/policy/modules/kernel/storage.fc
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/storage.fc
--- refpolicy-25082012/policy/modules/kernel/storage.fc 2012-02-24
16:02:37.533862660 +0100
+++
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/storage.fc
2012-08-26 01:13:27.750776831 +0200
@@ -79,5 +79,10 @@ ifdef(`distro_redhat', `

/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)

-/lib/udev/devices/loop.* -b
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+# commonly-used alternative location for udev data storage devices
(ifdef distro would be nice here)
+/lib/udev/devices/loop.* -b
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
+
+# commonly-used alternative location for udev data storage devices
+/usr/lib/udev/devices/loop.* -b
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c
gen_context(system_u:object_r:fuse_device_t,s0)
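Review bot: The comment above the new /usr/lib/udev entries repeats "commonly-used alternative location" from the /lib/udev block, whereas every other file in this series marks the /usr/lib/udev path as the standard location; it should read `# standard location for udev data storage devices`. Duplicating `loop.*` unchanged as fixed_disk_device_t at mls_systemhigh for the second path is correct, but with both blocks carrying the same comment the next maintainer cannot tell which one the description intends to move under an ifdef distro or into file_contexts.subs_dist.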
diff -pruN refpolicy-25082012/policy/modules/kernel/terminal.fc
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/terminal.fc
--- refpolicy-25082012/policy/modules/kernel/terminal.fc 2011-06-10
04:42:40.399874931 +0200
+++
refpolicy-25082012-udev-standard-fc/policy/modules/kernel/terminal.fc
2012-08-26 01:13:27.750776831 +0200
@@ -38,6 +38,10 @@
ifdef(`distro_gentoo',`
/dev/tts/[0-9]* -c gen_context(system_u:object_r:tty_device_t,s0)

-# used by init scripts to initally populate udev /dev
-/lib/udev/devices/console -c
gen_context(system_u:object_r:console_device_t,s0)
+# used by init scripts to initally populate udev /dev (commonly-used
alternative location, ifdef distro would be nice here)
+/lib/udev/devices/console -c
gen_context(system_u:object_r:console_device_t,s0)
+')
+
+# used by init scripts to initally populate udev /dev (standard location)
+/usr/lib/udev/devices/console -c
gen_context(system_u:object_r:console_device_t,s0)
')
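Review bot: The added `')` after the /lib/udev console entry closes the ifdef(`distro_gentoo') block, but the original closing `')` is kept as context at the end of the hunk, so the file now ends with an unmatched `')`. Per the hunk header (6 old lines, 10 new) that trailing line is the original terminator, and m4 will most likely pass the stray `')` through as a literal line in the generated file_contexts, which the build's setfiles/checkfc validation would then reject. If the intent is for `/usr/lib/udev/devices/console` to apply to all distributions, the final `')` must be removed (a `-')` line); if it should stay Gentoo-only, drop the added `')` instead.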
diff -pruN refpolicy-25082012/policy/modules/system/udev.fc
refpolicy-25082012-udev-standard-fc/policy/modules/system/udev.fc
--- refpolicy-25082012/policy/modules/system/udev.fc 2012-08-25
17:52:10.042296385 +0200
+++ refpolicy-25082012-udev-standard-fc/policy/modules/system/udev.fc
2012-08-26 02:26:39.773585940 +0200
@@ -1,38 +1,83 @@
-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
-
-/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/etc/hotplug\.d/default/udev.* --
gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
-/etc/udev/scripts/.+ --
gen_context(system_u:object_r:udev_helper_exec_t,s0)
-
-/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+#
+# /etc
+#
+
+# commonly-used alternative helper scripts locations (ifdef distro
would be nice here)
+/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+# commonly-used alternative helper scripts locations (ifdef distro
would be nice
+# here)
+/etc/hotplug\.d/default/udev.* --
gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+# user-defined udev rules standard directory
+/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
+
+# commonly-used udev helper scripts directory (ifdef distro would be
nice here)
+/etc/udev/scripts/.+ --
gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+#
+# /dev
+#
+
+# the /dev structure for udev is currently obsolete...
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+
+#
+# /lib
+#
+
+# commonly-used alternative executable locations: udev-acl obsoleted
with version
+# 182 (ifdef distro would be nice here or otherwise
file_contexts.subs_dist)
+/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)

ifdef(`distro_debian',`
-/lib/udev/create_static_nodes --
gen_context(system_u:object_r:udev_exec_t,s0)
+/lib/udev/create_static_nodes --
gen_context(system_u:object_r:udev_exec_t,s0)
')

-/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
-/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+#
+# /sbin
+#
+
+# commonly-used alternative executable locations (ifdef distro would be
nice here)
+/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)

ifdef(`distro_redhat',`
-/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
')

-/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-/usr/lib/systemd/systemd-udevd --
gen_context(system_u:object_r:udev_exec_t,s0)
-
-/var/run/PackageKit/udev(/.*)?
gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+#
+# /usr
+#
+
+# udevd standard location (after version 182, udev ships with systemd
versions
+# greater than 44)
+/usr/lib/systemd/systemd-udevd --
gen_context(system_u:object_r:udev_exec_t,s0)
+
+# udevd standard location (up to version 182)
+/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+# udev-acl standard location (udev-acl is obsoleted with version 182)
+/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+# system-wide udev rules standard directory
+/usr/lib/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
+
+# standard location for udevadm
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+#
+# /var
+#
+/var/run/PackageKit/udev(/.*)?
gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)

ifdef(`distro_debian',`
-/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
')
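Review bot: `/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)` is deleted with no replacement, although the subject line promises non-destructive, duplicate-only changes; unless udevinfo is confirmed absent from every udev version refpolicy still supports, restore that line under the new `# /usr` heading with a comment noting which version dropped it. Within the /usr section `/usr/bin/udevadm` is placed after the /usr/lib entries, so the /usr/bin paths are not kept together; ordering the section by path would match the rest of the file. The comment `# the /dev structure for udev is currently obsolete...` on the /dev/\.udev entries is vague for a maintenance note — state since which udev version these paths are no longer used so a reader knows when the udev_tbl_t entries can be dropped.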