From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sat, 23 Aug 2014 13:35:48 +0200 Subject: [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo filesystem types In-Reply-To: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1408793751-11289-5-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Files in /sys/kernel/config are labeled configfs_t so this type needs attribute "file_type". Without this attribute, these denials happen when using collectd with "df" plugin (this plugin enumerate mountpoints and collect disk usage stats): avc: denied { getattr } for pid=872 comm="collectd" path="/sys/kernel/config" dev="configfs" ino=10234 scontext=system_u:system_r:collectd_t tcontext=system_u:object_r:configfs_t tclass=dir As collectd.te already contains files_getattr_all_dirs(collectd_t), adding file_type to configfs_t is enough to allow this access. Moreover, similar filesystems such as debugfs_t already has file_type: $ seinfo -xtdebugfs_t debugfs_t file_type filesystem_type non_security_file_type mountpoint non_auth_file_type $ seinfo -xtconfigfs_t configfs_t filesystem_type This is because kernel.te contains files_mountpoint(debugfs_t), which uses files_type(debugfs_t). This patch adds files_type() to every pseudo filesystem type that doesn't have file_type yet.
---
 policy/modules/kernel/filesystem.te | 11 +++++++++++
 policy/modules/kernel/kernel.te | 1 +
 2 files changed, 12 insertions(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb76dc66..083756999432 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -58,6 +58,7 @@ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)

 type bdev_t;
 fs_type(bdev_t)
+files_type(bdev_t)
 genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)

 type binfmt_misc_fs_t;
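Review bot: `files_type(bdev_t)` grants bdev_t more than the single file_type attribute the description asks for: the seinfo output quoted for debugfs_t shows the same macro also conferring non_security_file_type and non_auth_file_type, so bdev_t, every type touched in the later hunks of filesystem.te, and kvmfs_t in kernel.te become reachable through interfaces such as files_read_non_security_files() and files_manage_all_files(), not only files_getattr_all_dirs(). The description motivates only the configfs_t case; a sentence recording that this wider attribute set is accepted for each of these pseudo filesystems, as it already is for debugfs_t, would make the access expansion explicit for later readers. Which interfaces widen is inferred from the attribute names in the description rather than from anything visible in this hunk.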
@@ -78,10 +79,12 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)

 type configfs_t;
 fs_type(configfs_t)
+files_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)

 type cpusetfs_t;
 fs_type(cpusetfs_t)
+files_type(cpusetfs_t)
 allow cpusetfs_t self:filesystem associate;
 genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)

@@ -92,6 +95,7 @@ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)

 type futexfs_t;
 fs_type(futexfs_t)
+files_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)

 type hugetlbfs_t;
@@ -102,29 +106,35 @@ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);

 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
+files_type(ibmasmfs_t)
 allow ibmasmfs_t self:filesystem associate;
 genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)

 type infinibandeventfs_t;
 fs_type(infinibandeventfs_t)
+files_type(infinibandeventfs_t)
 allow infinibandeventfs_t self:filesystem associate;
 genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)

 type inotifyfs_t;
 fs_type(inotifyfs_t)
+files_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)

 type mvfs_t;
 fs_noxattr_type(mvfs_t)
+files_type(mvfs_t)
 allow mvfs_t self:filesystem associate;
 genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)

 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
+files_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)

 type oprofilefs_t;
 fs_type(oprofilefs_t)
+files_type(oprofilefs_t)
 genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)

 type pstore_t;
@@ -140,6 +150,7 @@ genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)

 type romfs_t;
 fs_type(romfs_t)
+files_type(romfs_t)
 genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
 genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)

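Review bot: The description says files_type() is added to every pseudo filesystem type still lacking file_type, yet several types that appear as context in these hunks (binfmt_misc_fs_t, hugetlbfs_t, pstore_t, and cgroup_t and ecryptfs_t in the hunk headers) receive no new call. Presumably they already carry file_type through files_mountpoint() or a similar call elsewhere in the file, as the description explains for debugfs_t, but nothing in the hunks shows that. Checking each with `seinfo -xt <type>` against the rebuilt policy and naming the deliberately skipped types in the description would make the completeness claim verifiable.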
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3fc6a56d41f0..f6cd41b70135 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -66,6 +66,7 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
 #

 type kvmfs_t;
+files_type(kvmfs_t)
 fs_type(kvmfs_t)
 genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)

--
2.0.4
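Review bot: The new `files_type(kvmfs_t)` line is inserted before `fs_type(kvmfs_t)`, whereas every hunk in filesystem.te places the new call after the existing fs_type() call. Keeping the same order here, `fs_type(kvmfs_t)` followed by `files_type(kvmfs_t)`, keeps the per-type blocks uniform and makes future greps for the fs_type/files_type pair line up.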