From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 20 Dec 2013 14:56:53 -0500
Subject: [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces:
In-Reply-To: <1383990320-3340-34-git-send-email-dominick.grift@gmail.com>
References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com> <1383990320-3340-34-git-send-email-dominick.grift@gmail.com>
Message-ID: <52B4A105.2090503@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/09/13 04:45, Dominick Grift wrote:
> 1. device_t type was used but not required
> 2. the interface name suggests all dev files and that includes device_t
> chr/blk files as well. If the interface name would say all_dev_nodes
> then it would have been a different story
>
> In debian kernel needs to set attributes of generic device_t blk files
> (/dev/dm-.*) Somehow they're created with generic device_t
>
> In debian kernel needs to create, and set attributes of at least the chr
> files that i added named file transition rules for but i added
> permissions to kernel to create and set attributes of any chr file in
> /dev ( that includes generic device_t type chr files

Fails to apply for me.

> Signed-off-by: Dominick Grift
> ---
> policy/modules/kernel/devices.if | 12 ++++++++----
> policy/modules/kernel/kernel.te | 4 ++++
> 2 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index 147170a..afcc522 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if > @@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',` > interface(`dev_setattr_all_blk_files',` > gen_require(` > attribute device_node; > + type device_t; > ') > > - setattr_blk_files_pattern($1, device_t, device_node) > + setattr_blk_files_pattern($1, device_t, { device_node device_t }) > ') > > ######################################## 
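Review bot: in the dev_setattr_all_blk_files hunk, the added `type device_t;` in gen_require is a standalone correctness fix, since the pattern call already passed device_t as the directory argument without requiring it, and it could be applied on its own. Widening the target from `device_node` to `{ device_node device_t }` changes what the interface grants, so the interface's doc comment (just above this hunk, not shown) should state that generic device_t block files are now included; it is also worth confirming that device_t does not already carry the device_node attribute, in which case the extra term would be redundant.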
> @@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',` > interface(`dev_setattr_all_chr_files',` > gen_require(` > attribute device_node; > + type device_t; > ') > > - setattr_chr_files_pattern($1, device_t, device_node) > + setattr_chr_files_pattern($1, device_t, { device_node device_t }) > ') > > ######################################## > @@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',` > interface(`dev_create_all_blk_files',` > gen_require(` > attribute device_node; > + type device_t; > ') > > - create_blk_files_pattern($1, device_t, device_node) > + create_blk_files_pattern($1, device_t, { device_node device_t }) > ') > > ######################################## > @@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',` > interface(`dev_create_all_chr_files',` > gen_require(` > attribute device_node; > + type device_t; > ') > > - create_chr_files_pattern($1, device_t, device_node) > + create_chr_files_pattern($1, device_t, { device_node device_t }) > ') > > ######################################## > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > index d7a9b47..b9d6a3a 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t) > mls_file_read_all_levels(kernel_t) > > ifdef(`distro_debian',` > + dev_create_all_chr_files(kernel_t) > + dev_setattr_all_blk_files(kernel_t) > + dev_setattr_all_chr_files(kernel_t) > + > dev_filetrans_input(kernel_t, "event0") > dev_filetrans_input(kernel_t, "event1") > dev_filetrans_input(kernel_t, "event2") > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
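Review bot: the dev_setattr_all_chr_files, dev_create_all_blk_files and dev_create_all_chr_files hunks repeat the blk setattr change, so the same two points apply to each of them: the gen_require addition is a fix independent of the widening, and each interface's doc comment should say that generic device_t nodes are now covered. Consider splitting the gen_require fixes into their own patch so they can go in even if the semantic widening needs further discussion.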
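Review bot: the three calls added to the distro_debian block in kernel.te grant kernel_t create and setattr over every chr and blk device node, now including generic device_t ones, and the commit message says the /dev/dm-* nodes are "somehow" created with device_t, which points to a missing named file transition for those names rather than a missing setattr permission. A dev_filetrans rule for the dm-* nodes, alongside the dev_filetrans_input calls the block already has for event*, would keep them correctly labelled without the broad grant; if the grant is kept, a comment in the block should record why kernel_t needs setattr on generic device_t files.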