The first version only works when the swapfile already exists.
During creation swapfile_t is hard coded and needs to be used.
---
dphysswapfile.fc | 6 ++++--
dphysswapfile.if | 22 ++--------------------
dphysswapfile.te | 14 +++++++++++++-
3 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/dphysswapfile.fc b/dphysswapfile.fc
index 70b0ee3..9c4ff04 100644
--- a/dphysswapfile.fc
+++ b/dphysswapfile.fc
@@ -2,8 +2,10 @@
/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
-/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
-/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
diff --git a/dphysswapfile.if b/dphysswapfile.if
index 7dda955..f7bb8a0 100644
--- a/dphysswapfile.if
+++ b/dphysswapfile.if
@@ -1,23 +1,5 @@
## <summary>Set up, mount/unmount, and delete an swap file.</summary>
-########################################
-## <summary>
-## Dontaudit acces to the swap file.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`dphysswapfile_dontaudit_read_swap',`
- gen_require(`
- type dphysswapfile_swap_t;
- ')
-
- dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
-')
-
########################################
## <summary>
## All of the rules required to
@@ -38,12 +20,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
interface(`dphysswapfile_admin',`
gen_require(`
type dphysswapfile_t, dphysswapfile_conf_t;
- type dphysswapfile_initrc_exec_t;
+ type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
')
admin_process_pattern($1, dphysswapfile_t)
- init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
+ init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
files_search_etc($1)
admin_pattern($1, dphysswapfile_conf_t)
diff --git a/dphysswapfile.te b/dphysswapfile.te
index dfd04e3..4bfe782 100644
--- a/dphysswapfile.te
+++ b/dphysswapfile.te
@@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
type dphysswapfile_swap_t;
files_type(dphysswapfile_swap_t)
+type dphysswapfile_unit_t;
+init_unit_file(dphysswapfile_unit_t)
+
########################################
#
# Policy
@@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
-allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
kernel_read_system_state(dphysswapfile_t)
corecmd_exec_bin(dphysswapfile_t)
corecmd_exec_shell(dphysswapfile_t)
+dev_read_rand(dphysswapfile_t)
+dev_read_urand(dphysswapfile_t)
+
# ignore ls -l /var/swap noise
files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
files_read_etc_files(dphysswapfile_t)
files_search_var(dphysswapfile_t)
+files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
fstools_exec(dphysswapfile_t)
+# swapfile_t is hardcoded in mkswap
+fstools_manage_swap_files(dphysswapfile_t)
+fstools_relabelto_swap_files(dphysswapfile_t)
miscfiles_read_localization(dphysswapfile_t)
+storage_getattr_removable_dev(dphysswapfile_t)
+
userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
--
2.14.1
On 09/10/2017 11:21 AM, Christian G?ttsche via refpolicy wrote:
> The first version only works when the swapfile already exists.
> During creation swapfile_t is hard coded and needs to be used.
I'm confused by the subject. Is this instead of the previous patch?
> ---
> dphysswapfile.fc | 6 ++++--
> dphysswapfile.if | 22 ++--------------------
> dphysswapfile.te | 14 +++++++++++++-
> 3 files changed, 19 insertions(+), 23 deletions(-)
>
> diff --git a/dphysswapfile.fc b/dphysswapfile.fc
> index 70b0ee3..9c4ff04 100644
> --- a/dphysswapfile.fc
> +++ b/dphysswapfile.fc
> @@ -2,8 +2,10 @@
>
> /etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
>
> -/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
> +/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
> +
> +/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
>
> /usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
>
> -/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
> +/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
> diff --git a/dphysswapfile.if b/dphysswapfile.if
> index 7dda955..f7bb8a0 100644
> --- a/dphysswapfile.if
> +++ b/dphysswapfile.if
> @@ -1,23 +1,5 @@
> ## <summary>Set up, mount/unmount, and delete an swap file.</summary>
>
> -########################################
> -## <summary>
> -## Dontaudit acces to the swap file.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain to not audit.
> -## </summary>
> -## </param>
> -#
> -interface(`dphysswapfile_dontaudit_read_swap',`
> - gen_require(`
> - type dphysswapfile_swap_t;
> - ')
> -
> - dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
> -')
> -
> ########################################
> ## <summary>
> ## All of the rules required to
> @@ -38,12 +20,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
> interface(`dphysswapfile_admin',`
> gen_require(`
> type dphysswapfile_t, dphysswapfile_conf_t;
> - type dphysswapfile_initrc_exec_t;
> + type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
> ')
>
> admin_process_pattern($1, dphysswapfile_t)
>
> - init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
> + init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
>
> files_search_etc($1)
> admin_pattern($1, dphysswapfile_conf_t)
> diff --git a/dphysswapfile.te b/dphysswapfile.te
> index dfd04e3..4bfe782 100644
> --- a/dphysswapfile.te
> +++ b/dphysswapfile.te
> @@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
> type dphysswapfile_swap_t;
> files_type(dphysswapfile_swap_t)
>
> +type dphysswapfile_unit_t;
> +init_unit_file(dphysswapfile_unit_t)
> +
> ########################################
> #
> # Policy
> @@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
>
> allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
>
> -allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
> +allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
>
> kernel_read_system_state(dphysswapfile_t)
>
> corecmd_exec_bin(dphysswapfile_t)
> corecmd_exec_shell(dphysswapfile_t)
>
> +dev_read_rand(dphysswapfile_t)
> +dev_read_urand(dphysswapfile_t)
> +
> # ignore ls -l /var/swap noise
> files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
> files_read_etc_files(dphysswapfile_t)
> files_search_var(dphysswapfile_t)
> +files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
>
> fstools_exec(dphysswapfile_t)
> +# swapfile_t is hardcoded in mkswap
> +fstools_manage_swap_files(dphysswapfile_t)
> +fstools_relabelto_swap_files(dphysswapfile_t)
>
> miscfiles_read_localization(dphysswapfile_t)
>
> +storage_getattr_removable_dev(dphysswapfile_t)
> +
> userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
>
--
Chris PeBenito
> I'm confused by the subject. Is this instead of the previous patch?
No, it should fix the current upstream policy version.
Should I resend the patch with a better description?
On 09/12/2017 05:22 AM, Christian G?ttsche wrote:
>> I'm confused by the subject. Is this instead of the previous patch?
>
> No, it should fix the current upstream policy version.
> Should I resend the patch with a better description?
Yes, please.
--
Chris PeBenito