From: pebenito@gentoo.org (Chris PeBenito)
Date: Sat, 13 Mar 2010 18:38:08 -0500
Subject: [refpolicy] kernel_filesystem.patch
In-Reply-To: <20100313181743.GA5024@localhost.localdomain>
References: <4B845230.90902@redhat.com>
	<1268412065.23411.177.camel@gorn.columbia.tresys.com>
	<4B9AA2F1.8030704@redhat.com>
	<1268427122.23411.201.camel@gorn.columbia.tresys.com>
	<20100313181743.GA5024@localhost.localdomain>
Message-ID: <1268523488.6161.2.camel@defiant>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
> On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> > On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > > >> devtmpfs file system
> > > >>
> > > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > > device_t, since that's its only purpose.
> > > >
> > > >
> > > Sounds good to me.
> > >
> > > Will this work?
> > >
> > > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> >
> > I don't have a system with devtmpfs, so I can't be sure, but I would
> > think it would work. That line would go in the devices module.
>
> Although we might get some of these:
>
> allow devlog_t device_t:filesystem associate;
> allow tty_device_t device_t:filesystem associate;

That's easy enough to fix; just put this in devices.te:

allow device_node device_t:filesystem associate;

along with something similar in dev_filetrans().

Thanks for testing it out.

--
Chris PeBenito
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
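As an added example that is not part of the thread or of refpolicy itself: a small Python script that reads AVC denials of the kind Dominick reports after devtmpfs is labelled device_t and emits either per-type associate rules or the single device_node rule Chris suggests. The audit records and the device_node member list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit records (not from the thread) of the kind the mail predicts once
# devtmpfs is labelled device_t: nodes that carry another device type are denied
# 'associate' with the device_t filesystem. The last line is unrelated noise.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1268523488.100:42): avc:  denied  { associate } for  pid=512 comm="syslogd" name="log" dev="devtmpfs" ino=1001 scontext=system_u:object_r:devlog_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268523488.200:43): avc:  denied  { associate } for  pid=519 comm="mknod" name="tty1" dev="devtmpfs" ino=1002 scontext=system_u:object_r:tty_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268523488.300:44): avc:  denied  { associate } for  pid=519 comm="mknod" name="tty2" dev="devtmpfs" ino=1003 scontext=system_u:object_r:tty_device_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem
type=AVC msg=audit(1268523488.400:45): avc:  denied  { read } for  pid=600 comm="cat" name="shadow" dev="sda1" ino=77 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Assumed attribute membership: refpolicy groups device types under the
# device_node attribute, but this member list is a constructed subset.
DEVICE_NODE_TYPES = {"device_node": {"devlog_t", "tty_device_t", "null_device_t"}}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+):\S+ "
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+):\S+ tclass=(?P<tclass>\w+)"
)

def parse_associate_denials(audit_text):
    """Map each filesystem type to the file types denied 'associate' with it."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "filesystem":
            continue
        if "associate" in m.group("perms").split():
            denied[m.group("ttype")].add(m.group("stype"))
    return dict(denied)

def suggest_rules(denied, attributes):
    """One attribute-wide rule when an attribute covers every denied source type
    (the fix the thread settles on), otherwise one rule per type."""
    rules = []
    for fs_type, src_types in sorted(denied.items()):
        covering = sorted(a for a, members in attributes.items() if src_types <= members)
        if covering:
            rules.append(f"allow {covering[0]} {fs_type}:filesystem associate;")
        else:
            rules.extend(f"allow {t} {fs_type}:filesystem associate;" for t in sorted(src_types))
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(parse_associate_denials(SAMPLE_AUDIT), DEVICE_NODE_TYPES)))
```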