From: jsolt@tresys.com (Jeremy Solt) Date: Wed, 18 Aug 2010 11:36:35 -0400 Subject: [refpolicy] [PATCH 2/2] Early devtmpfs access In-Reply-To: <1282145795-13551-1-git-send-email-jsolt@tresys.com> References: <1282145795-13551-1-git-send-email-jsolt@tresys.com> Message-ID: <1282145795-13551-2-git-send-email-jsolt@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com dontaudit attempts to read/write device_t chr files occurring before udev relabel allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined) Signed-off-by: Jeremy Solt --- policy/modules/admin/readahead.te | 2 ++ policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/system/hostname.te | 2 ++ policy/modules/system/init.te | 4 ++++ policy/modules/system/mount.te | 3 +++ 5 files changed, 29 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index c5c7852..f7d3b90 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -45,6 +45,8 @@ dev_getattr_all_blk_files(readahead_t) dev_dontaudit_read_all_blk_files(readahead_t) dev_dontaudit_getattr_memory_dev(readahead_t) dev_dontaudit_getattr_nvram_dev(readahead_t) +# Early devtmpfs, before udev relabel +dev_dontaudit_rw_generic_chr_files(readahead_t) domain_use_interactive_fds(readahead_t) domain_read_all_domains_state(readahead_t) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 075a91b..2adb830 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -552,6 +552,24 @@ interface(`dev_rw_generic_chr_files',` ######################################## ## +## Dontaudit attempts to read/write generic character device files. +## +## +## +## Domain to dontaudit access. +## +## +# +interface(`dev_dontaudit_rw_generic_chr_files',` + gen_require(` + type device_t; + ') + + dontaudit $1 device_t:chr_file rw_chr_file_perms; +') + +######################################## +## ## Create generic character device files. ## ## diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index b9efd1b..e384dcd 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -25,6 +25,8 @@ kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) dev_read_sysfs(hostname_t) +# Early devtmpfs, before udev relabel +dev_dontaudit_rw_generic_chr_files(hostname_t) domain_use_interactive_fds(hostname_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a2f3b96..53db1a0 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -119,6 +119,8 @@ corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) dev_read_sysfs(init_t) +# Early devtmpfs +dev_rw_generic_chr_files(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -296,6 +298,8 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) +# Early devtmpfs +dev_rw_generic_chr_files(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index ee6520c..280a534 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
@@ -60,6 +60,9 @@ dev_dontaudit_getattr_all_chr_files(mount_t) dev_dontaudit_getattr_memory_dev(mount_t) dev_getattr_sound_dev(mount_t) +# Early devtmpfs, before udev relabel +dev_dontaudit_rw_generic_chr_files(mount_t) + domain_use_interactive_fds(mount_t) files_search_all(mount_t) -- 1.7.2
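Review bot: in the devices.if hunk adding `dev_dontaudit_rw_generic_chr_files`, the interface header as shown carries only bare `## ` comment lines between the description and "Domain to dontaudit access."; the refpolicy convention is a `<summary>` block followed by `<param name="domain">` with a `<summary>` inside it, so please confirm the XML markup is present in the actual patch (it may just have been lost in mail rendering), and consider the usual wording "Domain to not audit." for the parameter description so the docs stay consistent with the other dontaudit interfaces in this file. The body itself is fine: `dontaudit $1 device_t:chr_file rw_chr_file_perms;` mirrors the permission set of the `dev_rw_generic_chr_files` interface it is placed next to.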
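Review bot: for the readahead.te hunk (and likewise the hostname.te and mount.te hunks that add the same call), note that `dev_dontaudit_rw_generic_chr_files(readahead_t)` only silences the AVC denials; the access is still refused. That is the right choice if these domains merely probe device nodes and cope with EACCES, but if any of them actually needs the early device before udev has relabeled it, the failure will now be invisible in the audit log and hard to diagnose. It would be worth stating in the comment which accesses were observed and that they are harmless, e.g. extend "# Early devtmpfs, before udev relabel" with what the domain was trying to open.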
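Review bot: the init.te hunk for `init_t` adds an allow rule, `dev_rw_generic_chr_files(init_t)`, rather than a dontaudit, and it is not limited to early boot: any node that is still labeled `device_t` after the udev relabel (or that is never relabeled, e.g. a node created by a later module load that no file context matches) remains readable and writable by init_t for the lifetime of the system. Since before relabel every node on devtmpfs carries `device_t`, including the memory and disk devices, please document in the comment which node init needs here (the commit message only says it is needed to boot without unconfined); if it is the console, `# Early devtmpfs` could say so, so a later reader can judge whether a narrower rule becomes possible once the console node gets its own label.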
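Review bot: the init.te hunk for `initrc_t` has the same concern as the one for `init_t`: `dev_rw_generic_chr_files(initrc_t)` is a permanent allow on every `device_t` character node, not just during the window before udev runs, and initrc_t runs a great deal of third-party script code. The surrounding lines show initrc_t already has `dev_getattr_all_chr_files` and generic file/symlink management on /dev, so this is a step up from metadata to data access; please record in the comment which early device the init scripts open, and whether the rule is expected to be dropped if devtmpfs is mounted with a context option or relabeled before the scripts start.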