2013-12-20 17:31:35

by Matthew Thode

Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

Signed-off-by: Matthew Thode <[email protected]>
---
policy/modules/kernel/storage.fc | 5 +++++
policy/modules/system/fstools.fc | 6 ++++++
policy/modules/system/mount.fc | 4 ++++
3 files changed, 15 insertions(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 54f1827..4315bd5 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -79,5 +79,10 @@ ifdef(`distro_redhat', `

/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)

+/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
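Review bot: the `/dev/zvol(/.*)? -l` entry gives the symlinks under /dev/zvol fixed_disk_device_t, whereas refpolicy leaves device symlinks on the generic device_t; the block devices they point at are already covered by the `/dev/zd.* -b` line, so the symlink entry can be dropped. The hunk's context line also shows `ifdef(`distro_redhat', `` as the enclosing block; check that the new entries land outside that ifdef, since these device nodes are not Red Hat specific.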
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 948ce2a..39e6c25 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -36,6 +36,12 @@
/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)

/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
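Review bot: the six new `/sbin/z*` entries are not in alphabetical order (zpios, ztest, zinject, zhack, zdb, zstreamdump) while the surrounding lines of this file are sorted; reorder them as zdb, zhack, zinject, zpios, zstreamdump, ztest so later additions have an obvious place. These are all ZFS debugging and test utilities, so fsadm_exec_t is the right type for them.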
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index a38605e..807ceef 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,6 +1,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)

+/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)

/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
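Review bot: `/sbin/zpool` and `/sbin/zfs` do far more than mounting (pool creation, dataset and snapshot management, send/receive), so labelling them mount_exec_t puts all of that administration into mount_t; consider whether they belong with the other ZFS utilities as fsadm_exec_t, keeping mount_exec_t for `/sbin/mount.zfs` only. Either way, the diffstat shows only .fc changes, so confirm that the chosen domain already has the rules it needs against `/dev/zfs` (fixed_disk_device_t in the first hunk) before relying on these labels.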
--
1.8.3.2


2013-12-20 20:07:30

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

On 12/20/13 12:31, Matthew Thode wrote:
> Signed-off-by: Matthew Thode <[email protected]>
> ---
> policy/modules/kernel/storage.fc | 5 +++++
> policy/modules/system/fstools.fc | 6 ++++++
> policy/modules/system/mount.fc | 4 ++++
> 3 files changed, 15 insertions(+)
>
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 54f1827..4315bd5 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>
> /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
>
> +/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

Normally we leave the symlinks as the generic type, in this case device_t. That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type. Otherwise the patch looks ok.


> +/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +
> /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 948ce2a..39e6c25 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -36,6 +36,12 @@
> /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>
> /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
> index a38605e..807ceef 100644
> --- a/policy/modules/system/mount.fc
> +++ b/policy/modules/system/mount.fc
> @@ -1,6 +1,10 @@
> /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
> /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
>
> +/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
> +
> /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
>
> /var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-20 20:14:31

by Matthew Thode

Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

On 12/20/2013 02:07 PM, Christopher J. PeBenito wrote:
> On 12/20/13 12:31, Matthew Thode wrote:
>> Signed-off-by: Matthew Thode <[email protected]>
>> ---
>> policy/modules/kernel/storage.fc | 5 +++++
>> policy/modules/system/fstools.fc | 6 ++++++
>> policy/modules/system/mount.fc | 4 ++++
>> 3 files changed, 15 insertions(+)
>>
>> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
>> index 54f1827..4315bd5 100644
>> --- a/policy/modules/kernel/storage.fc
>> +++ b/policy/modules/kernel/storage.fc
>> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>>
>> /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
>>
>> +/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>
> Normally we leave the symlinks as the generic type, in this case device_t. That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type. Otherwise the patch looks ok.
>
>
>> +/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +
>> /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
>> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
>> index 948ce2a..39e6c25 100644
>> --- a/policy/modules/system/fstools.fc
>> +++ b/policy/modules/system/fstools.fc
>> @@ -36,6 +36,12 @@
>> /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>>
>> /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
>> index a38605e..807ceef 100644
>> --- a/policy/modules/system/mount.fc
>> +++ b/policy/modules/system/mount.fc
>> @@ -1,6 +1,10 @@
>> /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
>> /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
>>
>> +/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
>> +
>> /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
>>
>> /var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
>>
>
>
Would you like me to resubmit?

--
-- Matthew Thode


2013-12-20 20:22:06

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

On 12/20/13 15:14, Matthew Thode wrote:
> On 12/20/2013 02:07 PM, Christopher J. PeBenito wrote:
>> On 12/20/13 12:31, Matthew Thode wrote:
>>> Signed-off-by: Matthew Thode <[email protected]>
>>> ---
>>> policy/modules/kernel/storage.fc | 5 +++++
>>> policy/modules/system/fstools.fc | 6 ++++++
>>> policy/modules/system/mount.fc | 4 ++++
>>> 3 files changed, 15 insertions(+)
>>>
>>> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
>>> index 54f1827..4315bd5 100644
>>> --- a/policy/modules/kernel/storage.fc
>>> +++ b/policy/modules/kernel/storage.fc
>>> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>>>
>>> /dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
>>>
>>> +/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>> +/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>> +/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>
>> Normally we leave the symlinks as the generic type, in this case device_t. That type is sufficiently protected and the symlink isn't sensitive, so it doesn't merit having a different type. Otherwise the patch looks ok.

> Would you like me to resubmit?

Please do. I was going to apply it and then fix it, but it fails to apply; looks like a conflict from something I just merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com