2014-08-08 12:33:17

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/5] Missing interface declarations

It seems that a couple of interfaces in kernel/files.if are calling kernel_* interfaces that don't exist yet.

Let's play safe and introduce them.

Sven Vermeulen (5):
Introduce kernel_delete_unlabeled_symlinks
Introduce kernel_delete_unlabeled_pipes
Introduce kernel_delete_unlabeled_sockets
Introduce kernel_delete_unlabeled_blk_files
Introduce kernel_delete_unlabeled_chr_files

policy/modules/kernel/kernel.if | 90 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)

--
1.8.5.5


2014-08-08 12:33:18

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/5] Introduce kernel_delete_unlabeled_symlinks

The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index dbb3552..9097352 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2538,6 +2538,24 @@ interface(`kernel_dontaudit_read_unlabeled_files',`

########################################
## <summary>
+## Delete unlabeled symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_symlinks',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete unlabeled symbolic links.
## </summary>
## <param name="domain">
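Review bot: the <summary> only says "Delete unlabeled symbolic links", but delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t) also grants the caller rw_dir_perms on unlabeled_t directories, since the pattern macro's second argument is the directory type; this matches the neighbouring kernel_*_unlabeled_* interfaces, but as the commit message says the only caller is the deprecated files_delete_isid_type_symlinks interface, consider noting in the summary that directory write access is included so future callers are not surprised by the wider grant.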
--
1.8.5.5

2014-08-08 12:33:19

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/5] Introduce kernel_delete_unlabeled_pipes

The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 9097352..e6da637 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2817,6 +2817,24 @@ interface(`kernel_relabelfrom_unlabeled_pipes',`

########################################
## <summary>
+## Delete unlabeled named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_pipes',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
## Allow caller to relabel unlabeled named sockets.
## </summary>
## <param name="domain">
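Review bot: the summary line `+## Delete unlabeled named pipes` is missing the trailing period that the other interface summaries in this series and in the surrounding file use (e.g. "## Allow caller to relabel unlabeled named sockets."); add it so the generated interface documentation is consistent.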
--
1.8.5.5

2014-08-08 12:33:20

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/5] Introduce kernel_delete_unlabeled_sockets

The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/kernel.if | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index e6da637..13635c9 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2854,6 +2854,23 @@ interface(`kernel_relabelfrom_unlabeled_sockets',`

########################################
## <summary>
+## Delete unlabeled named sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_sockets',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+########################################
+## <summary>
## Send and receive messages from an
## unlabeled IPSEC association.
## </summary>
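Review bot: the hunk places `+########################################` directly after the closing `+')` with no blank line in between, unlike the other patches in this series and the rest of kernel.if, which separate interfaces with one blank line; insert the blank line to keep the spacing consistent (the 17-line diffstat, versus 18 for the sibling patches, is the symptom).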
--
1.8.5.5

2014-08-08 12:33:21

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/5] Introduce kernel_delete_unlabeled_blk_files

The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 13635c9..a8f71ff 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2668,6 +2668,24 @@ interface(`kernel_rw_unlabeled_blk_files',`

########################################
## <summary>
+## Delete unlabeled block device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_blk_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete unlabeled block device nodes.
## </summary>
## <param name="domain">
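Review bot: the commit message states the only caller is the deprecated files_delete_isid_type_blk_files interface, so consider recording in the commit message (or a comment on the interface) that kernel_delete_unlabeled_blk_files exists to back that caller and can be removed together with it, otherwise it will linger once files.if drops the deprecated interface.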
--
1.8.5.5

2014-08-08 12:33:22

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/5] Introduce kernel_delete_unlabeled_chr_files

The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index a8f71ff..8722c76 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2742,6 +2742,25 @@ interface(`kernel_dontaudit_write_unlabeled_chr_files',`

########################################
## <summary>
+## Delete unlabeled character device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_delete_unlabeled_chr_files',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
+')
+
+
+########################################
+## <summary>
## Create, read, write, and delete unlabeled character device nodes.
## </summary>
## <param name="domain">
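Review bot: there are two blank lines between `+')` and the `+########################################` separator, where the rest of kernel.if and the other patches in this series use one; drop one of them, which also brings the diffstat back to the 18 insertions the sibling patches have.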
--
1.8.5.5

2014-08-14 19:54:50

by cpebenito

Subject: [refpolicy] [PATCH 0/5] Missing interface declarations

On 8/8/2014 8:33 AM, Sven Vermeulen wrote:
> It seems that a couple of interfaces in kernel/files.if are calling kernel_* interfaces that don't exist yet.
>
> Let's play safe and introduce them.
>
> Sven Vermeulen (5):
> Introduce kernel_delete_unlabeled_symlinks
> Introduce kernel_delete_unlabeled_pipes
> Introduce kernel_delete_unlabeled_sockets
> Introduce kernel_delete_unlabeled_blk_files
> Introduce kernel_delete_unlabeled_chr_files
>
> policy/modules/kernel/kernel.if | 90 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 90 insertions(+)

I do several combinations of builds, so it's strange that I didn't hit
these. The interfaces in the files module must not be used.

This set is merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com