From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 08 Oct 2010 14:33:47 -0400 Subject: [refpolicy] [ patch 36/44] sudo: wants to get attributes of device_t filesystems. In-Reply-To: <1286216636-28449-38-git-send-email-domg472@gmail.com> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-38-git-send-email-domg472@gmail.com> Message-ID: <4CAF640B.4060003@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/04/10 14:23, Dominick Grift wrote: > > Signed-off-by: Dominick Grift > --- > :100644 100644 5f44f1b... ca36b15... M policy/modules/admin/sudo.if > :100644 100644 8b09281... f1f6809... M policy/modules/kernel/devices.if > policy/modules/admin/sudo.if | 1 + > policy/modules/kernel/devices.if | 18 ++++++++++++++++++ > 2 files changed, 19 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if > index 5f44f1b..ca36b15 100644 > --- a/policy/modules/admin/sudo.if > +++ b/policy/modules/admin/sudo.if > @@ -87,6 +87,7 @@ template(`sudo_role_template',` > corecmd_read_bin_symlinks($1_sudo_t) > corecmd_exec_all_executables($1_sudo_t) > > + dev_getattr_device_fs($1_sudo_t) > dev_read_urand($1_sudo_t) > dev_rw_generic_usb_dev($1_sudo_t) > dev_read_sysfs($1_sudo_t) > diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index 8b09281..f1f6809 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if 
> @@ -92,6 +92,24 @@ interface(`dev_associate',` > > ######################################## > ## > +## Get attributes of device filesystems. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_getattr_device_fs',` > + gen_require(` > + type device_t; > + ') > + > + allow $1 device_t:filesystem getattr; > +') > + > +######################################## > +## > ## Mount a filesystem on /dev > ## > ## Merged, though I renamed the interface. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
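Review bot: In the sudo.if hunk (`@@ -87,6 +87,7 @@`, inside `sudo_role_template`), the new `dev_getattr_device_fs($1_sudo_t)` call is granted to every role's sudo domain, but the commit message has no body. Neither the AVC denial nor the sudo operation that triggers the getattr on the device_t filesystem is recorded. Adding the denial to the commit message would let a reader judge whether an allow rule is needed here or a dontaudit would be enough.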
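Review bot: In the devices.if hunk (`@@ -92,6 +92,24 @@`), the summary "Get attributes of device filesystems." is plural, while the rule `allow $1 device_t:filesystem getattr;` covers only the device_t filesystem. Wording it like the neighbouring "Mount a filesystem on /dev" would describe the grant precisely. The name `dev_getattr_device_fs` also repeats "dev" and "device"; since the maintainer's reply says the interface was renamed on merge, the call added in sudo.if has to use the merged name.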