2014-07-23 20:45:40

by Jason Zaman

Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d

kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
This patch was mostly taken from the fedora policy.
---
policy/modules/system/modutils.fc | 2 ++
policy/modules/system/modutils.te | 7 +++++++
2 files changed, 9 insertions(+)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..744a49a 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -23,3 +23,5 @@ ifdef(`distro_gentoo',`
/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)

/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
+
+/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:insmod_var_run_t,s0)
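Review bot: this labels the whole /var/run/tmpfiles.d tree insmod_var_run_t, claiming for kmod alone a directory that every writer of a tmpfiles.d fragment shares. The hunk header's enclosing context is ifdef(`distro_gentoo', so check whether the new entry lands inside that block (Gentoo-only) or after its closing `'). A narrower entry for just the kmod fragment, e.g. `/var/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0)`, leaves the directory itself to whichever module owns tmpfiles; either way the unescaped `.` in `tmpfiles.d` is a regex wildcard here, and `tmpfiles\.d` is the usual spelling in .fc files.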
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59ecb2b..945b318 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,6 +18,9 @@ application_domain(insmod_t, insmod_exec_t)
mls_file_write_all_levels(insmod_t)
role system_r types insmod_t;

+type insmod_var_run_t;
+files_pid_file(insmod_var_run_t)
+
# module loading config
type modules_conf_t;
files_type(modules_conf_t)
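Review bot: insmod_var_run_t is declared but nothing in the patch lets a consumer read it: the diffstat touches only modutils.fc and modutils.te, so no modutils interface exposes the new type to the domain that later processes the fragment (systemd-tmpfiles, or OpenRC's tmpfiles script). Unless that domain is unconfined, reading /run/tmpfiles.d/kmod.conf will be denied; a read interface in modutils.if should accompany this declaration.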
@@ -115,6 +118,10 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)

+manage_dirs_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
+manage_files_pattern(insmod_t, insmod_var_run_t, insmod_var_run_t)
+files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file })
+
can_exec(insmod_t, insmod_exec_t)

kernel_load_module(insmod_t)
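Review bot: files_pid_filetrans(insmod_t, insmod_var_run_t, { dir file }) is an unnamed transition, so any directory or file insmod_t creates directly under /run gets insmod_var_run_t, not only tmpfiles.d. Name the directory, `files_pid_filetrans(insmod_t, insmod_var_run_t, dir, "tmpfiles.d")`, and drop the file class: a file created inside the already-labelled directory inherits insmod_var_run_t without any transition. The manage_dirs_pattern/manage_files_pattern pair also grants far more than the create-only use the cover letter describes; create_files_pattern is enough to write the fragment.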
--
1.8.5.5


2014-07-24 09:47:29

by Laurent Bigonville

Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d

On Thu, 24 Jul 2014 00:45:40 +0400,
Jason Zaman <[email protected]> wrote:

> kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> This patch was mostly taken from the fedora policy.

/run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
labeled as part of this (still nonexistent in refpolicy) module if we
want a dedicated context for this directory.

Cheers,

Laurent Bigonville

2014-07-24 10:36:08

by Jason Zaman

Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d

On 24 Jul 2014 13:47, "Laurent Bigonville" <[email protected]> wrote:
>
> On Thu, 24 Jul 2014 00:45:40 +0400,
> Jason Zaman <[email protected]> wrote:
>
> > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> > This patch was mostly taken from the fedora policy.
>
> /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> labeled as part of this (still nonexistent in refpolicy) module if we
> want a dedicated context for this directory.

Having a tmpfiles module for this is doable (where would it go in the tree?
I'm assuming not contrib/?)

I need this for OpenRC too since it also uses tmpfiles so it is not
necessarily "systemd". The labels should definitely be in sync for both
tho.

Should it be tmpfiles_var_run_t and tmpfiles_etc_t?

Alternatively I could keep it in the Gentoo policy till the systemd stuff
is done but I would rather get the labels in sync first.

-- Jason

2014-07-24 12:51:55

by Daniel Walsh

Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d


On 07/24/2014 06:36 AM, Jason Zaman wrote:
>
>
> On 24 Jul 2014 13:47, "Laurent Bigonville" <[email protected]
> <mailto:[email protected]>> wrote:
> >
> > On Thu, 24 Jul 2014 00:45:40 +0400,
> > Jason Zaman <jason at perfinion.com <mailto:[email protected]>> wrote:
> >
> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> > > This patch was mostly taken from the fedora policy.
> >
> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> > labeled as part of this (still nonexistent in refpolicy) module if we
> > want a dedicated context for this directory.
>
> Having a tmpfiles module for this is doable (where would it go in the
> tree? I'm assuming not contrib/?)
>
> I need this for OpenRC too since it also uses tmpfiles so it is not
> necessarily "systemd". The labels should definitely be in sync for
> both tho.
>
> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
>
> Alternatively I could keep it in the Gentoo policy till the systemd
> stuff is done but I would rather get the labels in sync first.
>
> -- Jason
>
Currently Fedora has
/var/run/tmpfiles.d/kmod.conf -- system_u:object_r:insmod_var_run_t:s0

If we add a label for /var/run/tmpfiles.d/ it needs a named file trans
rule for any process that creates content under it.



2014-07-25 12:22:03

by cpebenito

Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d

On 7/24/2014 8:51 AM, Daniel J Walsh wrote:
>
> On 07/24/2014 06:36 AM, Jason Zaman wrote:
>>
>>
>> On 24 Jul 2014 13:47, "Laurent Bigonville" <[email protected]
>> <mailto:[email protected]>> wrote:
>> >
>> > On Thu, 24 Jul 2014 00:45:40 +0400,
>> > Jason Zaman <jason at perfinion.com <mailto:[email protected]>> wrote:
>> >
>> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
>> > > This patch was mostly taken from the fedora policy.
>> >
>> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
>> > labeled as part of this (still nonexistent in refpolicy) module if we
>> > want a dedicated context for this directory.
>>
>> Having a tmpfiles module for this is doable (where would it go in the
>> tree? I'm assuming not contrib/?)
>>
>> I need this for OpenRC too since it also uses tmpfiles so it is not
>> necessarily "systemd". The labels should definitely be in sync for
>> both tho.
>>
>> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
>>
>> Alternatively I could keep it in the Gentoo policy till the systemd
>> stuff is done but I would rather get the labels in sync first.
>>
> Currently Fedora has
> /var/run/tmpfiles.d/kmod.conf -- system_u:object_r:insmod_var_run_t:s0
>
> If we add a label for /var/run/tmpfiles.d/ it needs a named file trans
> rule for any process that creates content under it.

The transitions require names? Do individual domains create files in
there that necessitate different types?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-07-25 12:49:05

by Jason Zaman

Subject: [refpolicy] [PATCH] label for /run/tmpfiles.d

On Fri, Jul 25, 2014 at 08:22:03AM -0400, Christopher J. PeBenito wrote:
> On 7/24/2014 8:51 AM, Daniel J Walsh wrote:
> >
> > On 07/24/2014 06:36 AM, Jason Zaman wrote:
> >>
> >>
> >> On 24 Jul 2014 13:47, "Laurent Bigonville" <[email protected]
> >> <mailto:[email protected]>> wrote:
> >> >
> >> > On Thu, 24 Jul 2014 00:45:40 +0400,
> >> > Jason Zaman <jason at perfinion.com <mailto:[email protected]>> wrote:
> >> >
> >> > > kmod puts a file in /run/tmpfiles.d which then gets used by tmpfiles.
> >> > > This patch was mostly taken from the fedora policy.
> >> >
> >> > /run/tmpfiles.d is owned by systemd-tmpfiles so it should probably be
> >> > labeled as part of this (still nonexistent in refpolicy) module if we
> >> > want a dedicated context for this directory.
> >>
> >> Having a tmpfiles module for this is doable (where would it go in the
> >> tree? I'm assuming not contrib/?)
> >>
> >> I need this for OpenRC too since it also uses tmpfiles so it is not
> >> necessarily "systemd". The labels should definitely be in sync for
> >> both tho.
> >>
> >> Should it be tmpfiles_var_run_t and tmpfiles_etc_t?
> >>
> >> Alternatively I could keep it in the Gentoo policy till the systemd
> >> stuff is done but I would rather get the labels in sync first.
> >>
> > Currently Fedora has
> > /var/run/tmpfiles.d/kmod.conf -- system_u:object_r:insmod_var_run_t:s0
> >
> > If we add a label for /var/run/tmpfiles.d/ it needs a named file trans
> > rule for any process that creates content under it.
>
> The transitions require names? Do individual domains create files in
> there that necessitate different types?

kmod just needs to be able to create the file, it doesn't use it after
creating. systemd-tmpfiles is the one that reads the file later. I think
having everything labelled tmpfiles_var_run_t and letting insmod_t
create a file in the dir is fine too.

-- Jason
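One way to write down the split discussed in the thread (a dedicated tmpfiles type owning the directory, a named transition as Dan asks for, and insmod_t granted only creation of its fragment while the tmpfiles processor gets read access), as an added refpolicy-style sketch that is not code from the thread or from refpolicy itself; the module name tmpfiles, the types tmpfiles_var_run_t and tmpfiles_etc_t (Jason's suggested names) and the two interface names are assumptions:

```selinux
# tmpfiles.fc  (constructed example, not refpolicy's own module)
/etc/tmpfiles\.d(/.*)?		gen_context(system_u:object_r:tmpfiles_etc_t,s0)
/var/run/tmpfiles\.d(/.*)?	gen_context(system_u:object_r:tmpfiles_var_run_t,s0)

# tmpfiles.te
policy_module(tmpfiles, 0.1)

# fragments dropped under /run/tmpfiles.d at boot by other daemons (e.g. kmod)
type tmpfiles_var_run_t;
files_pid_file(tmpfiles_var_run_t)

# static fragments shipped by packages under /etc/tmpfiles.d
type tmpfiles_etc_t;
files_config_file(tmpfiles_etc_t)

# tmpfiles.if  (interface names are assumptions)
## <summary>Create a fragment under /run/tmpfiles.d.</summary>
interface(`tmpfiles_create_pid_fragment',`
	gen_require(`
		type tmpfiles_var_run_t;
	')

	# creator only writes its own fragment; no manage_* on the directory
	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
	# named transition: only a dir literally called "tmpfiles.d" created
	# directly under /run gets the tmpfiles type; files created inside the
	# already-labelled dir inherit tmpfiles_var_run_t with no transition
	files_pid_filetrans($1, tmpfiles_var_run_t, dir, "tmpfiles.d")
')

## <summary>Read fragments under /run/tmpfiles.d.</summary>
interface(`tmpfiles_read_pid_fragments',`
	gen_require(`
		type tmpfiles_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
	read_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
')

# modutils.te: kmod writes kmod.conf but never reads it back, so it gets
# only the create interface; the domain running systemd-tmpfiles (or the
# OpenRC tmpfiles script) would call tmpfiles_read_pid_fragments instead
optional_policy(`
	tmpfiles_create_pid_fragment(insmod_t)
')
```

With the directory labelled tmpfiles_var_run_t, a fragment that insmod_t writes there is readable by the processor without any insmod-specific type, which is the arrangement Jason's last reply describes.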