From: bigon@debian.org (Laurent Bigoville)
Date: Wed, 5 Mar 2014 21:12:06 +0100
Subject: [refpolicy] [RFC] Create xattrfs attribute and use it instead of fs_t
Message-ID: <1394050326-11869-1-git-send-email-bigon@bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Laurent Bigonville
Create xattrfs attribute and use it instead of fs_t for the file systems that support extended file attributes.
This patch add a new fs_xattr_type() interface.
---
 policy/modules/kernel/devices.te | 4 +--
 policy/modules/kernel/filesystem.if | 55 ++++++++++++++++++++++++++-----------
 policy/modules/kernel/filesystem.te | 43 +++++++++++++++--------------
 policy/modules/kernel/kernel.te | 6 ++--
 policy/modules/kernel/selinux.te | 2 +-
 policy/modules/kernel/terminal.te | 2 +-
 6 files changed, 68 insertions(+), 44 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8af85d3..9a18dda 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -18,7 +18,7 @@ fs_associate_tmpfs(device_t)
 files_type(device_t)
 files_mountpoint(device_t)
 files_associate_tmp(device_t)
-fs_type(device_t)
+fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 #
@@ -224,7 +224,7 @@ dev_node(sound_device_t)
 #
 type sysfs_t;
 files_mountpoint(sysfs_t)
-fs_type(sysfs_t)
+fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
 #
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 8416beb..fe7dc95 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
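Review bot: `fs_xattr_type(device_t)` and `fs_xattr_type(sysfs_t)` put the new xattrfs attribute on filesystems that, per the lines directly below them, are labelled by `fs_use_trans devtmpfs` and `genfscon sysfs /` rather than by extended attributes, which contradicts the description's "file systems that support extended file attributes". Because the same series re-keys fs_mount_xattr_fs, fs_remount_xattr_fs, fs_unmount_xattr_fs, fs_getattr_xattr_fs, fs_dontaudit_getattr_xattr_fs, fs_relabelfrom_xattr_fs, fs_get_xattr_fs_quotas and fs_set_xattr_fs_quotas on the attribute, every existing caller of those interfaces silently gains mount/unmount/remount/relabelfrom/quota access on devtmpfs and sysfs where it previously only reached fs_t. The same widening applies to the genfscon- or fs_use_trans-labelled types converted in filesystem.te (anon_inodefs_t through tmpfs_t), kernel.te (debugfs_t, kvmfs_t, proc_t), selinux.te (security_t, i.e. selinuxfs, which looks especially sensitive to unmount/relabelfrom) and terminal.te (devpts_t). Unless a given pseudo-filesystem is known to store its security labels in xattrs, keep `fs_type(device_t)` and `fs_type(sysfs_t)` here and reserve fs_xattr_type for the types labelled via fs_use_xattr, so the attribute's membership matches what the interface names promise.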
@@ -106,6 +106,29 @@ interface(`fs_exec_noxattr',`
 can_exec($1, noxattrfs)
 ')
+
+########################################
+##
+## Transform specified type into a filesystem
+## type which has extended attribute
+## support.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_xattr_type',`
+ gen_require(`
+ attribute xattrfs;
+ ')
+
+ fs_type($1)
+
+ typeattribute $1 xattrfs;
+')
+
 ########################################
 ##
 ## Mount a persistent filesystem which
@@ -120,10 +143,10 @@ interface(`fs_exec_noxattr',`
 #
 interface(`fs_mount_xattr_fs',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem mount;
+ allow $1 xattrfs:filesystem mount;
 ')
 ########################################
@@ -141,10 +164,10 @@ interface(`fs_mount_xattr_fs',`
 #
 interface(`fs_remount_xattr_fs',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem remount;
+ allow $1 xattrfs:filesystem remount;
 ')
 ########################################
@@ -161,10 +184,10 @@ interface(`fs_remount_xattr_fs',`
 #
 interface(`fs_unmount_xattr_fs',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem unmount;
+ allow $1 xattrfs:filesystem unmount;
 ')
 ########################################
@@ -197,10 +220,10 @@ interface(`fs_unmount_xattr_fs',`
 #
 interface(`fs_getattr_xattr_fs',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem getattr;
+ allow $1 xattrfs:filesystem getattr;
 ')
 ########################################
@@ -218,10 +241,10 @@ interface(`fs_getattr_xattr_fs',`
 #
 interface(`fs_dontaudit_getattr_xattr_fs',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- dontaudit $1 fs_t:filesystem getattr;
+ dontaudit $1 xattrfs:filesystem getattr;
 ')
 ########################################
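Review bot: The parameter documentation of the new fs_xattr_type interface reads `## Domain allowed access.`, which is the template text for a subject domain, but `$1` here is the filesystem type receiving `typeattribute $1 xattrfs;`; suggest `## Type to be used for a filesystem that stores security labels in extended attributes.` The summary should also state what membership implies, since after this series fs_mount_xattr_fs, fs_remount_xattr_fs, fs_unmount_xattr_fs, fs_getattr_xattr_fs, fs_dontaudit_getattr_xattr_fs, fs_relabelfrom_xattr_fs, fs_get_xattr_fs_quotas and fs_set_xattr_fs_quotas all target the attribute, so calling fs_xattr_type on a type exposes it to every existing caller of those interfaces; something like `## Every caller of the *_xattr_fs interfaces gains the corresponding filesystem access on this type.` The XML tags of the doc block appear stripped in this rendering, so the quoted lines are the text only. The `## Mount a persistent filesystem which` summary of fs_mount_xattr_fs that follows may also need rewording now that the target is an attribute rather than the single fs_t type; the rest of that summary is outside the hunk.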
@@ -238,10 +261,10 @@ interface(`fs_dontaudit_getattr_xattr_fs',`
 #
 interface(`fs_relabelfrom_xattr_fs',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem relabelfrom;
+ allow $1 xattrfs:filesystem relabelfrom;
 ')
 ########################################
@@ -258,10 +281,10 @@ interface(`fs_relabelfrom_xattr_fs',`
 #
 interface(`fs_get_xattr_fs_quotas',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem quotaget;
+ allow $1 xattrfs:filesystem quotaget;
 ')
 ########################################
@@ -278,10 +301,10 @@ interface(`fs_get_xattr_fs_quotas',`
 #
 interface(`fs_set_xattr_fs_quotas',`
 gen_require(`
- type fs_t;
+ attribute xattrfs;
 ')
- allow $1 fs_t:filesystem quotamod;
+ allow $1 xattrfs:filesystem quotamod;
 ')
 ########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index aaf0506..3c95bfc 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -8,6 +8,7 @@ policy_module(filesystem, 1.17.3)
 attribute filesystem_type;
 attribute filesystem_unconfined_type;
 attribute noxattrfs;
+attribute xattrfs;
 ##############################
 #
@@ -15,7 +16,7 @@ attribute noxattrfs;
 # filesystems with extended attributes
 #
 type fs_t;
-fs_type(fs_t)
+fs_xattr_type(fs_t)
 sid fs gen_context(system_u:object_r:fs_t,s0)
 # Use xattrs for the following filesystem types.
@@ -51,36 +52,36 @@ fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
 #
 type anon_inodefs_t;
-fs_type(anon_inodefs_t)
+fs_xattr_type(anon_inodefs_t)
 files_mountpoint(anon_inodefs_t)
 genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
 type bdev_t;
-fs_type(bdev_t)
+fs_xattr_type(bdev_t)
 genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
 type binfmt_misc_fs_t;
-fs_type(binfmt_misc_fs_t)
+fs_xattr_type(binfmt_misc_fs_t)
 files_mountpoint(binfmt_misc_fs_t)
 genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
 type capifs_t;
-fs_type(capifs_t)
+fs_xattr_type(capifs_t)
 files_mountpoint(capifs_t)
 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
 type cgroup_t;
-fs_type(cgroup_t)
+fs_xattr_type(cgroup_t)
 files_mountpoint(cgroup_t)
 dev_associate_sysfs(cgroup_t)
 genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 type configfs_t;
-fs_type(configfs_t)
+fs_xattr_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 type cpusetfs_t;
-fs_type(cpusetfs_t)
+fs_xattr_type(cpusetfs_t)
 allow cpusetfs_t self:filesystem associate;
 genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
@@ -90,26 +91,26 @@ files_mountpoint(ecryptfs_t)
 genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
 type futexfs_t;
-fs_type(futexfs_t)
+fs_xattr_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t;
-fs_type(hugetlbfs_t)
+fs_xattr_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
 fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
 type ibmasmfs_t;
-fs_type(ibmasmfs_t)
+fs_xattr_type(ibmasmfs_t)
 allow ibmasmfs_t self:filesystem associate;
 genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
 type infinibandeventfs_t;
-fs_type(infinibandeventfs_t)
+fs_xattr_type(infinibandeventfs_t)
 allow infinibandeventfs_t self:filesystem associate;
 genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
 type inotifyfs_t;
-fs_type(inotifyfs_t)
+fs_xattr_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 type mvfs_t;
@@ -118,36 +119,36 @@ allow mvfs_t self:filesystem associate;
 genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
 type nfsd_fs_t;
-fs_type(nfsd_fs_t)
+fs_xattr_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 type oprofilefs_t;
-fs_type(oprofilefs_t)
+fs_xattr_type(oprofilefs_t)
 genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
 type pstore_t;
-fs_type(pstore_t)
+fs_xattr_type(pstore_t)
 files_mountpoint(pstore_t)
 dev_associate_sysfs(pstore_t)
 genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
 type ramfs_t;
-fs_type(ramfs_t)
+fs_xattr_type(ramfs_t)
 files_mountpoint(ramfs_t)
 genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
 type romfs_t;
-fs_type(romfs_t)
+fs_xattr_type(romfs_t)
 genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
 genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
 type rpc_pipefs_t;
-fs_type(rpc_pipefs_t)
+fs_xattr_type(rpc_pipefs_t)
 genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
 files_mountpoint(rpc_pipefs_t)
 type spufs_t;
-fs_type(spufs_t)
+fs_xattr_type(spufs_t)
 genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
 files_mountpoint(spufs_t)
@@ -174,7 +175,7 @@ genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
 #
 type tmpfs_t;
 dev_associate(tmpfs_t)
-fs_type(tmpfs_t)
+fs_xattr_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
 files_poly_parent(tmpfs_t)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7f7372f..633b63c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -57,7 +57,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 type debugfs_t;
 files_mountpoint(debugfs_t)
-fs_type(debugfs_t)
+fs_xattr_type(debugfs_t)
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
@@ -66,7 +66,7 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
 #
 type kvmfs_t;
-fs_type(kvmfs_t)
+fs_xattr_type(kvmfs_t)
 genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
 #
@@ -75,7 +75,7 @@ genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
 type proc_t, proc_type;
 files_mountpoint(proc_t)
-fs_type(proc_t)
+fs_xattr_type(proc_t)
 genfscon proc / gen_context(system_u:object_r:proc_t,s0)
 genfscon proc /sysvipc gen_context(system_u:object_r:proc_t,s0)
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index e0a973b..5cf625d 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -30,7 +30,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 #
 type security_t, boolean_type;
 files_mountpoint(security_t)
-fs_type(security_t)
+fs_xattr_type(security_t)
 mls_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 66e116a..c59df22 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -27,7 +27,7 @@ dev_node(console_device_t)
 type devpts_t;
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
-fs_type(devpts_t)
+fs_xattr_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 #
-- 
1.9.0