From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 11 Sep 2013 10:55:42 +0200 Subject: [refpolicy] [PATCH] [V2] Initial pstore support In-Reply-To: <1378889588-1766-1-git-send-email-dominick.grift@gmail.com> References: <1378889588-1766-1-git-send-email-dominick.grift@gmail.com> Message-ID: <1378889742.17108.1.camel@d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2013-09-11 at 10:53 +0200, Dominick Grift wrote: > Generic interface to platform dependent persistent storage > https://www.kernel.org/doc/Documentation/ABI/testing/pstore > > This basically works pretty much the same as cgroup file systems from a > SELinux perspective > > Make sure that the installed /sys/fs/pstore directory is labeled > properly so that the pstore file system can be mounted on that > > I also removed the files_type() calls as they are duplicate (it is > already called in files_mountpoint) > > Signed-off-by: Dominick Grift We need an explicit fc spec for the /sys/fs/pstore, and /sys/fs/cgroup directories because those directory are already there and we want to be able to mount on these directories to see need to be labeled properly > diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc > index 3d67e80..d7c11a0 100644 > --- a/policy/modules/kernel/filesystem.fc > +++ b/policy/modules/kernel/filesystem.fc > @@ -11,9 +11,11 @@ > /lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) > /lib/udev/devices/shm/.* <> > > -# for systemd systems: > -/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) > -/sys/fs/cgroup/.* <> > +/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) > +/sys/fs/cgroup/.* <> > + > +/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0) > +/sys/fs/pstore/.* <> > > ifdef(`distro_debian',` > /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0) > diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te > index 1c66416..8f1fc04 100644 
> --- a/policy/modules/kernel/filesystem.te > +++ b/policy/modules/kernel/filesystem.te > @@ -70,9 +70,8 @@ > > type cgroup_t; > fs_type(cgroup_t) > -files_type(cgroup_t) > files_mountpoint(cgroup_t) > -dev_associate_sysfs(cgroup_t) # only for systemd systems > +dev_associate_sysfs(cgroup_t) > genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) > > type configfs_t; > @@ -125,6 +124,12 @@ > fs_type(oprofilefs_t) > genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) > > +type pstore_t; > +fs_type(pstore_t) > +files_mountpoint(pstore_t) > +dev_associate_sysfs(pstore_t) > +genfscon pstore / gen_context(system_u:object_r:pstore_t,s0) > + > type ramfs_t; > fs_type(ramfs_t) > files_mountpoint(ramfs_t)
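Review bot: In the filesystem.fc hunk, the `# for systemd systems:` comment above the /sys/fs/cgroup entries is dropped without a replacement, so the file no longer records why /sys/fs/cgroup and the new /sys/fs/pstore need explicit specs even though both directories already exist under sysfs. Suggest keeping a one-line comment above the two blocks that states the rationale given in the reply (the directories are pre-existing mountpoints that must carry the filesystem type label before anything is mounted on them), e.g. `# existing mountpoints under /sys/fs that must be labeled for mounting`.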
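Review bot: The first filesystem.te hunk (`@@ -70,9 +70,8 @@`) changes cgroup_t only: it removes `files_type(cgroup_t)` and the `# only for systemd systems` comment on `dev_associate_sysfs(cgroup_t)`, which is an unrelated cleanup bundled into a patch titled "Initial pstore support". Splitting it into its own patch keeps the pstore change reviewable on its own and gives the files_type() duplication (already called by files_mountpoint(), per the cover text) its own commit message; the removal itself is consistent with that explanation.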
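Review bot: The second filesystem.te hunk (`@@ -125,6 +124,12 @@`) declares pstore_t with `fs_type`, `files_mountpoint`, `dev_associate_sysfs` and a `genfscon pstore /` rule, but the patch adds no matching interfaces in filesystem.if, so no confined domain can search, read or unlink records under /sys/fs/pstore until those exist. That is an acceptable default for a filesystem holding kernel crash and console output, but the commit message should state it explicitly, or the patch should ship the interfaces so that the tooling which collects and clears pstore records can be granted that access deliberately rather than only from unconfined domains.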