2012-08-31 17:38:20

by dominick.grift

Subject: [refpolicy] [PATCH 0/2] label some character device nodes

I am currently trying to get refpolicy to work in a nobase text
kvm-guest, to see if I can come up with a better policy for systemd.

In the process I stumbled upon some unlabeled character device nodes.

Dominick Grift (2):
Declare a loop control device node type and label /dev/loop-control
accordingly
Declare a virtio port device type and label /dev/vport.* accordingly

policy/modules/kernel/devices.fc | 2 ++
policy/modules/kernel/devices.te | 6 ++++++
2 files changed, 8 insertions(+)

--
1.7.11.4


2012-08-31 17:38:21

by dominick.grift

Subject: [refpolicy] [PATCH 1/2] Declare a loop control device node type and label /dev/loop-control accordingly

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.te | 3 +++
2 files changed, 4 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 84e7337..5214c08 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -57,6 +57,7 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
/dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
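Review bot: the new `loop_control_device_t` label on `/dev/loop-control` arrives without any access interface (the diffstat touches only devices.fc and devices.te, not devices.if), so a domain that reached this node while it carried the generic `device_t` label of /dev will start getting denials on it as soon as the node is relabeled; add a read/write interface for the type in the same series (a `dev_rw_loop_control()`-style interface, name hypothetical), or state in the cover letter that callers are deliberately left for a follow-up. The placement after `/dev/logibm` and before `/dev/lp.*` does keep the file's alphabetical order.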
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 17e0915..99fe460 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -115,6 +115,9 @@ dev_node(kvm_device_t)
type lirc_device_t;
dev_node(lirc_device_t)

+type loop_control_device_t;
+dev_node(loop_control_device_t)
+
#
# Type for /dev/mapper/control
#
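Review bot: `type loop_control_device_t;` lacks the one-line comment the neighbouring declarations carry (the block immediately below opens with `# Type for /dev/mapper/control`); add `# Type for /dev/loop-control` above the declaration so a reader of devices.te does not have to open devices.fc to learn which node the type labels.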
--
1.7.11.4

2012-08-31 17:38:22

by dominick.grift

Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/devices.fc | 1 +
policy/modules/kernel/devices.te | 3 +++
2 files changed, 4 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 5214c08..94505c4 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -124,6 +124,7 @@ ifdef(`distro_suse', `
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
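Review bot: `/dev/vport.*` is wider than the node names the kernel actually creates (`/dev/vport<N>p<M>`), and the replies in this thread show the terminal module already carries `/dev/vport[0-9]p[0-9]+` for the same type, so this line adds a second spec for the same nodes from another module; either drop the line in favour of the existing one or, if the existing pattern misses some nodes (the suspicion raised later in the thread), correct that pattern in place instead of shadowing it with `.*`. The unbounded `.*` tail would also claim any future `/dev/vport*` node that is not a virtio console port.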
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 99fe460..52c535d 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -272,6 +272,9 @@ dev_node(v4l_device_t)
type vhost_device_t;
dev_node(vhost_device_t)

+type virtio_device_t;
+dev_node(virtio_device_t)
+
# Type for vmware devices.
type vmware_device_t;
dev_node(vmware_device_t)
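Review bot: `type virtio_device_t;` re-declares a type that, according to Miroslav's reply in this thread, the terminal module already declares; a second `type` statement for the same identifier is a duplicate-declaration error when the policy is built, so this declaration and its `dev_node()` call should be dropped (or the existing declaration moved here, but not both kept). As in the first patch, the declaration also lacks the `# Type for ...` comment that the neighbouring `vmware_device_t` block uses.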
--
1.7.11.4

2012-09-04 10:28:32

by mgrepl

Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly

On 08/31/2012 07:38 PM, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.te | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index 5214c08..94505c4 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -124,6 +124,7 @@ ifdef(`distro_suse', `
> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 99fe460..52c535d 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -272,6 +272,9 @@ dev_node(v4l_device_t)
> type vhost_device_t;
> dev_node(vhost_device_t)
>
> +type virtio_device_t;
> +dev_node(virtio_device_t)
> +
> # Type for vmware devices.
> type vmware_device_t;
> dev_node(vmware_device_t)
We declare it in terminal.* policy files.

Also I think base access interfaces should be part of this patch?

2012-09-04 12:50:57

by dominick.grift

Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly



On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
> On 08/31/2012 07:38 PM, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/kernel/devices.fc | 1 +
> > policy/modules/kernel/devices.te | 3 +++
> > 2 files changed, 4 insertions(+)
> >
> > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> > index 5214c08..94505c4 100644
> > --- a/policy/modules/kernel/devices.fc
> > +++ b/policy/modules/kernel/devices.fc
> > @@ -124,6 +124,7 @@ ifdef(`distro_suse', `
> > /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
> > /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
> > /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> > +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
> > /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
> > /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
> > /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> > index 99fe460..52c535d 100644
> > --- a/policy/modules/kernel/devices.te
> > +++ b/policy/modules/kernel/devices.te
> > @@ -272,6 +272,9 @@ dev_node(v4l_device_t)
> > type vhost_device_t;
> > dev_node(vhost_device_t)
> >
> > +type virtio_device_t;
> > +dev_node(virtio_device_t)
> > +
> > # Type for vmware devices.
> > type vmware_device_t;
> > dev_node(vmware_device_t)
> We declare it in terminal.* policy files.

Must be new then; last time I tried (a week ago on f18?) it was still
mislabeled (device_t).

> Also I think base access interfaces should be part of this patch?

I don't see that requirement. I also haven't encountered any process
trying to access it yet.

2012-09-04 18:31:59

by mgrepl

Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly

On 09/04/2012 02:50 PM, Dominick Grift wrote:
>
> On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
>> On 08/31/2012 07:38 PM, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <[email protected]>
>>> ---
>>> policy/modules/kernel/devices.fc | 1 +
>>> policy/modules/kernel/devices.te | 3 +++
>>> 2 files changed, 4 insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
>>> index 5214c08..94505c4 100644
>>> --- a/policy/modules/kernel/devices.fc
>>> +++ b/policy/modules/kernel/devices.fc
>>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', `
>>> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
>>> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
>>> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
>>> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
>>> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
>>> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
>>> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
>>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
>>> index 99fe460..52c535d 100644
>>> --- a/policy/modules/kernel/devices.te
>>> +++ b/policy/modules/kernel/devices.te
>>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t)
>>> type vhost_device_t;
>>> dev_node(vhost_device_t)
>>>
>>> +type virtio_device_t;
>>> +dev_node(virtio_device_t)
>>> +
>>> # Type for vmware devices.
>>> type vmware_device_t;
>>> dev_node(vmware_device_t)
>> We declare it in terminal.* policy files.
> Must be new then; last time I tried (a week ago on f18?) it was still
> mislabeled (device_t).
We have

/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)

maybe it needs to be fixed.

And then

rhev.te:term_use_virtio_console(rhev_agentd_t)
rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t)
vdagent.te:term_use_virtio_console(vdagent_t)

>
>> Also I think base access interfaces should be part of this patch?
> I don't see that requirement. I also haven't encountered any process
> trying to access it yet.
>

2012-09-04 19:08:34

by dominick.grift

Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly



On Tue, 2012-09-04 at 20:31 +0200, Miroslav Grepl wrote:

>
> /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
>
> maybe it needs to be fixed.
>
> And then
>
> rhev.te:term_use_virtio_console(rhev_agentd_t)
> rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t)
> vdagent.te:term_use_virtio_console(vdagent_t)

Could you please create a patch for refpolicy that fixes this issue? I
would do it, but I screwed up my refpolicy repository and can't undo it
right now because I am in the middle of a project.

But if you do, please double-check the file context spec because I
suspect that it may not catch the interface. (I submitted this patch
because the device was mislabeled.)

> >
> >> Also I think base access interfaces should be part of this patch?
> > I don't see that requirement. I also haven't encountered any process
> > trying to access it yet.
> >
>
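A small check of the point raised above about whether the file context spec catches the node, added here as an example that is not part of the thread or of refpolicy: it applies the two `/dev/vport` specs from the thread (and the `/dev/loop-control` one) to a few constructed device names the way libselinux does, as regexes anchored at both ends and filtered by the `-c` class flag. The spec list and the sample node names are constructed from the lines quoted in the thread; the kernel's `/dev/vport<N>p<M>` naming of virtio-serial ports is the only outside assumption, and the spec-selection rule is simplified to "list every matching spec" rather than libselinux's specificity ordering.

```python
import re

# Constructed sample of file_contexts specs, copied from the lines quoted in
# this thread; the real devices.fc / terminal.fc files hold many more.
# Each tuple: (regex as written in the .fc file, object class flag, SELinux type).
SPECS = [
    ("/dev/vport[0-9]p[0-9]+", "-c", "virtio_device_t"),   # existing spec quoted by Miroslav
    ("/dev/vport.*", "-c", "virtio_device_t"),             # spec proposed in patch 2/2
    ("/dev/loop-control", "-c", "loop_control_device_t"),  # spec from patch 1/2
]

# The class flags a file_contexts spec may carry, mapped to the node kinds used below.
CLASS_FLAGS = {
    "-b": "blk", "-c": "chr", "-d": "dir", "-p": "fifo",
    "-l": "lnk", "-s": "sock", "--": "reg",
}


def class_ok(flag, node_kind):
    """A spec with no class flag applies to every kind of file."""
    return flag == "" or CLASS_FLAGS[flag] == node_kind


def spec_matches(regex, path):
    """libselinux anchors every file_contexts regex at both ends, so the
    pattern must cover the whole path; re.fullmatch models that."""
    return re.fullmatch(regex, path) is not None


def matching_specs(path, node_kind, specs=SPECS):
    """Regexes of all specs that match `path` and whose class filter fits
    the node kind ('chr' for a character device, 'blk' for a block device...)."""
    return [rx for (rx, flag, _t) in specs
            if class_ok(flag, node_kind) and spec_matches(rx, path)]


def uncovered(nodes, specs=SPECS):
    """Nodes no spec claims; on a live system these keep the generic /dev label."""
    return [path for path, kind in nodes if not matching_specs(path, kind, specs)]


# Constructed device node names (not taken from a real system). The kernel
# names virtio-serial ports /dev/vport<N>p<M>, so a two-digit device index
# is a realistic case for the narrower pattern to miss.
SAMPLE_NODES = [
    ("/dev/vport0p1", "chr"),
    ("/dev/vport10p1", "chr"),
    ("/dev/vport0p1", "reg"),      # a plain file with a device-like name
    ("/dev/loop-control", "chr"),
    ("/dev/loop0", "blk"),
]

if __name__ == "__main__":
    for path, kind in SAMPLE_NODES:
        print(f"{path} ({kind}): {matching_specs(path, kind) or 'no match'}")
    print("uncovered:", uncovered(SAMPLE_NODES))
```

Running it shows the narrower `/dev/vport[0-9]p[0-9]+` pattern catching `/dev/vport0p1` but not `/dev/vport10p1`, while `/dev/vport.*` catches both; a regular file named like a device matches neither because of the `-c` filter. The same matcher can be fed any other spec from a .fc file to check a pattern before submitting it.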

2012-09-04 19:23:25

by dominick.grift

Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly



On Tue, 2012-09-04 at 20:31 +0200, Miroslav Grepl wrote:
> On 09/04/2012 02:50 PM, Dominick Grift wrote:
> >
> > On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
> >> On 08/31/2012 07:38 PM, Dominick Grift wrote:
> >>> Signed-off-by: Dominick Grift <[email protected]>
> >>> ---
> >>> policy/modules/kernel/devices.fc | 1 +
> >>> policy/modules/kernel/devices.te | 3 +++
> >>> 2 files changed, 4 insertions(+)
> >>>
> >>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> >>> index 5214c08..94505c4 100644
> >>> --- a/policy/modules/kernel/devices.fc
> >>> +++ b/policy/modules/kernel/devices.fc
> >>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', `
> >>> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
> >>> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
> >>> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> >>> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)
> >>> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0)
> >>> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
> >>> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> >>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> >>> index 99fe460..52c535d 100644
> >>> --- a/policy/modules/kernel/devices.te
> >>> +++ b/policy/modules/kernel/devices.te
> >>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t)
> >>> type vhost_device_t;
> >>> dev_node(vhost_device_t)
> >>>
> >>> +type virtio_device_t;
> >>> +dev_node(virtio_device_t)
> >>> +
> >>> # Type for vmware devices.
> >>> type vmware_device_t;
> >>> dev_node(vmware_device_t)
> >> We declare it in terminal.* policy files.
> > Must be new then; last time I tried (a week ago on f18?) it was still
> > mislabeled (device_t).
> We have
>
> /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
>
> maybe it needs to be fixed.
>
> And then
>
> rhev.te:term_use_virtio_console(rhev_agentd_t)
> rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t)
> vdagent.te:term_use_virtio_console(vdagent_t)
>
> >
> >> Also I think base access interfaces should be part of this patch?
> > I don't see that requirement. I also haven't encountered any process
> > trying to access it yet.
> >
>

Never mind, this patch was not merged.

So just ignore this patch.

2012-09-05 17:45:56

by cpebenito

Subject: [refpolicy] [PATCH 1/2] Declare a loop control device node type and label /dev/loop-control accordingly

On 08/31/12 13:38, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/devices.fc | 1 +
> policy/modules/kernel/devices.te | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index 84e7337..5214c08 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -57,6 +57,7 @@
> /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
> /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
> /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
> +/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
> /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
> /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
> /dev/mei -c gen_context(system_u:object_r:mei_device_t,s0)
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 17e0915..99fe460 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -115,6 +115,9 @@ dev_node(kvm_device_t)
> type lirc_device_t;
> dev_node(lirc_device_t)
>
> +type loop_control_device_t;
> +dev_node(loop_control_device_t)
> +
> #
> # Type for /dev/mapper/control
> #
>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com