From: jsolt@tresys.com (Jeremy Solt)
Date: Wed, 18 Aug 2010 11:36:34 -0400
Subject: [refpolicy] [PATCH 1/2] Move devtmpfs to devices from filesystem
Message-ID: <1282145795-13551-1-git-send-email-jsolt@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t

Signed-off-by: Jeremy Solt <jsolt@tresys.com>
---
 policy/modules/kernel/corecommands.te |    1 +
 policy/modules/kernel/devices.if      |   39 ++++++++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te      |    4 +++
 policy/modules/kernel/filesystem.te   |    1 -
 policy/modules/kernel/kernel.te       |    3 +-
 policy/modules/system/init.te         |    1 -
 6 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 5e99b33..39a4e97 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -15,6 +15,7 @@ attribute exec_type;
 #
 type bin_t alias { ls_exec_t sbin_t };
 corecmd_executable_file(bin_t)
+dev_associate(bin_t)	#For /dev/MAKEDEV
 
 #
 # shell_exec_t is the type of user shells such as /bin/bash.
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f13a505..075a91b 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -73,6 +73,43 @@ interface(`dev_node',`
 
 ########################################
 ## <summary>
+##	Associate the specified file type with device filesystem.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	The type of the file to be associated.
+##	</summary>
+## </param>
+#
+interface(`dev_associate',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:filesystem associate;
+	fs_associate_tmpfs($1)	#For backwards compatibility
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on /dev
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allow access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Allow full relabeling (to and from) of all device nodes.
 ## </summary>
 ## <param name="domain">
@@ -759,7 +796,7 @@ interface(`dev_filetrans',`
 
 	filetrans_pattern($1, device_t, $2, $3)
 
-	fs_associate_tmpfs($2)
+	dev_associate($2)
 	files_associate_tmp($2)
 ')
 
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 102d130..c4c843b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,6 +18,8 @@ fs_associate_tmpfs(device_t)
 files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
+fs_type(device_t)
+fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
 #
 # Type for /dev/agpgart
@@ -294,6 +296,8 @@ fs_associate_tmpfs(device_node)
 
 files_associate_tmp(device_node)
 
+allow device_node device_t:filesystem associate;
+
 ########################################
 #
 # Unconfined access to this module
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index fb63c3a..22dc0f3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -174,7 +174,6 @@ files_poly_parent(tmpfs_t)
 # and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
-fs_use_trans devtmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
 fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6fa55f2..f87946f 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -245,8 +245,7 @@ dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
-# work around until devtmpfs has device_t type
-dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
+dev_mounton(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29f9757..a2f3b96 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -108,7 +108,6 @@ files_pid_filetrans(init_t, init_var_run_t, file)
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
-fs_associate_tmpfs(initctl_t)
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-- 
1.7.2