From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 8 Feb 2012 15:43:44 -0500
Subject: [refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t
In-Reply-To: <20111115094545.GA3052@siphos.be>
References: <20111115094545.GA3052@siphos.be>
Message-ID: <4F32DE80.1010302@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/15/11 04:45, Sven Vermeulen wrote:
> When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
> get by default marked as device_t. However, in case of software raid devices,
> the mdadm application (running in mdadm_t) does not hold the proper privileges
> to access this for its auto-assembly of the raids.
>
> Other block device applications, like blkid (running in fsadm_t) use these
> temporary block devices as well, but already hold the necessary privileges on
> device_t to continue their work.
>
> By marking the temporary block device as a fixed_disk_device_t, all these block
> device handling applications (such as blkid, but also mdadm) now hold the proper
> privileges. Since udev is selinux-aware, the created files are immediately
> restorecon'ed before the rules are applied.

I'm conflicted on this. On one hand, I obviously want udev to apply the correct label, but I also don't want a restorecon/setfiles at a later date to change the label of what is clearly a temp file.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/kernel/storage.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 57c4a6a..54f1827 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -1,4 +1,4 @@ > - > +/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) > /dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0) > /dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
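Review bot: the added entry `+/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` is declared with `-c`, which in a file_contexts specification restricts the match to character special files, yet the commit message says these nodes are temporary block devices (the example given is /dev/.tmp-block-8:1). A `-c` entry will not be applied to a block device node by setfiles/restorecon or by udev's label lookup, so the relabel the patch is meant to provide would not take effect; the block-device form is `-b`. Two smaller points: the hunk places the new entry as the very first line of storage.fc (replacing an empty line) ahead of the tape device entries that follow in the context, so grouping it with the other fixed_disk_device_t entries would keep the file's existing ordering; and the `mls_systemhigh` level deliberately diverges from the `s0` used on the neighbouring tape entries, which is worth a sentence of justification in the commit message since it changes which MLS levels may touch these nodes. Separately, the reviewer's concern above stands: once this pattern is in the file, any later restorecon or setfiles run will also relabel these temporary nodes, so the commit message should state whether that is the intended behaviour.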