From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 22 Mar 2010 09:49:22 -0400
Subject: [refpolicy] kernel_filesystem.patch
In-Reply-To: <20100320155953.GA4050@localhost.localdomain>
References: <4B845230.90902@redhat.com> <1268412065.23411.177.camel@gorn.columbia.tresys.com> <4B9AA2F1.8030704@redhat.com> <1268427122.23411.201.camel@gorn.columbia.tresys.com> <20100313181743.GA5024@localhost.localdomain> <1268523488.6161.2.camel@defiant> <20100320155953.GA4050@localhost.localdomain>
Message-ID: <4BA77562.2080700@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/20/2010 11:59 AM, Dominick Grift wrote:
> On Sat, Mar 13, 2010 at 06:38:08PM -0500, Chris PeBenito wrote:
>
>> On Sat, 2010-03-13 at 19:17 +0100, Dominick Grift wrote:
>>
>>> On Fri, Mar 12, 2010 at 03:52:02PM -0500, Christopher J. PeBenito wrote:
>>>
>>>> On Fri, 2010-03-12 at 15:24 -0500, Daniel J Walsh wrote:
>>>>
>>>>> On 03/12/2010 11:41 AM, Christopher J. PeBenito wrote:
>>>>>
>>>>>> On Tue, 2010-02-23 at 17:09 -0500, Daniel J Walsh wrote:
>>>>>>
>>>>>>> devtmpfs file system
>>>>>>
>>>>>> I'm thinking that perhaps devtmpfs should be moved to devices and use
>>>>>> device_t, since that's its only purpose.
>>>>>
>>>>> Sounds good to me.
>>>>>
>>>>> Will this work?
>>>>>
>>>>> fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
>>>>
>>>> I don't have a system with devtmpfs, so I can't be sure, but I would
>>>> think it would work. That line would go in the devices module.
>>>
>>> Although we might get some of these:
>>>
>>> allow devlog_t device_t:filesystem associate;
>>> allow tty_device_t device_t:filesystem associate;
>>
>> That's easy enough to fix, just put this in devices.te:
>>
>> allow device_node device_t:filesystem associate;
>>
>> along with something similar in dev_filetrans(). Thanks for testing it
>> out.
>
> I was wrong. It works in permissive mode but as soon as I boot in
> enforcing mode things stop working and I have no clue as to why.

I started on this but pulled back when I had too many problems. I think we can work on this in F14. We need to identify what kind of files can be associated with a device_t file system, and then set up the rules.