From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat, 9 Nov 2013 10:45:15 +0100
Subject: [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces:
In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <1383990320-3340-34-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

1. device_t type was used but not required
2. the interface name suggest all dev files and that includes device_t chr/blk files as well. If the interface name would say all_dev_nodes then it would have been a different story

In debian kernel needs to set attributes of generic device_t blk files (/dev/dm-.*)
Some how theyre created with generic device_t

In debian kernel needs to create, and set attributes of atleast the chr files that i added named file transtion rules for but i added permissions to kernel to create and set attributes of any chr file in /dev ( that includes generic device_t type chr files

Signed-off-by: Dominick Grift
---
 policy/modules/kernel/devices.if | 12 ++++++++----
 policy/modules/kernel/kernel.te  |  4 ++++
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 147170a..afcc522 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
 interface(`dev_setattr_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
- setattr_blk_files_pattern($1, device_t, device_node)
+ setattr_blk_files_pattern($1, device_t, { device_node device_t })
 ')
 ########################################
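Review bot: Adding `device_t` to the target set of `dev_setattr_all_blk_files` widens the grant for every existing caller of this interface, not just the Debian `kernel_t` case this series is fixing, since generic `device_t` is also the label that unknown or unlabeled block nodes under /dev end up with. The commit message justifies the change by the interface name but does not say whether the current callers were reviewed for the extra access. If the widening is intended, the `## <summary>` block above this hunk (outside the hunk) should state it, e.g. `## Set the attributes of all block device nodes in /dev, including generic device_t nodes.`; otherwise a separate generic-only grant for `kernel_t` would be the narrower fix. The gen_require fix itself (`type device_t;` was used but never required) is correct on its own.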
@@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
 interface(`dev_setattr_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
- setattr_chr_files_pattern($1, device_t, device_node)
+ setattr_chr_files_pattern($1, device_t, { device_node device_t })
 ')
 ########################################
@@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
 interface(`dev_create_all_blk_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
- create_blk_files_pattern($1, device_t, device_node)
+ create_blk_files_pattern($1, device_t, { device_node device_t })
 ')
 ########################################
@@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
 interface(`dev_create_all_chr_files',`
 gen_require(`
 attribute device_node;
+ type device_t;
 ')
- create_chr_files_pattern($1, device_t, device_node)
+ create_chr_files_pattern($1, device_t, { device_node device_t })
 ')
 ########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d7a9b47..b9d6a3a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
 ifdef(`distro_debian',`
+ dev_create_all_chr_files(kernel_t)
+ dev_setattr_all_blk_files(kernel_t)
+ dev_setattr_all_chr_files(kernel_t)
+
 dev_filetrans_input(kernel_t, "event0")
 dev_filetrans_input(kernel_t, "event1")
 dev_filetrans_input(kernel_t, "event2")
-- 
1.8.3.1
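Review bot: The three new `kernel_t` rules in the `distro_debian` block grant more than the commit message says is needed: it describes setattr on generic `device_t` block nodes (`/dev/dm-*`) and create/setattr on the input chr nodes covered by the filetrans rules below, but `dev_create_all_chr_files(kernel_t)` lets the kernel domain create a chr node of every `device_node`-attributed type plus `device_t`. If devices.if already offers generic-only variants for these operations, using them here would match the stated need more closely; otherwise the broad grant deserves a comment so the next maintainer does not tighten it blindly, e.g. `# Debian kernels create /dev/dm-* and input nodes as generic device_t; setattr/create needed until the nodes get proper labels`. The `ifdef(\`distro_debian'` block continues past the end of the hunk.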