From: domg472@gmail.com (Dominick Grift)
Date: Sat, 20 Mar 2010 16:59:55 +0100
Subject: [refpolicy] kernel_filesystem.patch
In-Reply-To: <1268523488.6161.2.camel@defiant>
References: <4B845230.90902@redhat.com>
 <1268412065.23411.177.camel@gorn.columbia.tresys.com>
 <4B9AA2F1.8030704@redhat.com>
 <1268427122.23411.201.camel@gorn.columbia.tresys.com>
 <20100313181743.GA5024@localhost.localdomain>
 <1268523488.6161.2.camel@defiant>
Message-ID: <20100320155953.GA4050@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Mar 13, 2010 at 06:38:08PM -0500, Chris PeBenito wrote:
> On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
> > On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
> > > On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
> > > > On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
> > > > > On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
> > > > >> devtmpfs file system
> > > > >>
> > > > > I'm thinking that perhaps devtmpfs should be moved to devices and use
> > > > > device_t, since that's its only purpose.
> > > > >
> > > > >
> > > > Sounds good to me.
> > > >
> > > > Will this work?
> > > >
> > > > fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
> > >
> > > I don't have a system with devtmpfs, so I can't be sure, but I would
> > > think it would work. That line would go in the devices module.
> >
> > Although we might get some of these:
> >
> > allow devlog_t device_t:filesystem associate;
> > allow tty_device_t device_t:filesystem associate;
>
> That's easy enough to fix, just put this in devices.te:
>
> allow device_node device_t:filesystem associate;
>
> along with something similar in dev_filetrans(). Thanks for testing it
> out.

I was wrong. It works in permissive mode but as soon as I boot in enforcing mode things stop working and I have no clue as to why.

>
> --
> Chris PeBenito
>
> Developer,
> Hardened Gentoo Linux
>
> Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
>