From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Aug 2014 08:20:36 -0400
Subject: [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo
 filesystem types
In-Reply-To: <1408793751-11289-5-git-send-email-nicolas.iooss@m4x.org>
References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org>
	<1408793751-11289-5-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53FC7B94.3000001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
> Files in /sys/kernel/config are labeled configfs_t so this type needs
> attribute "file_type".  Without this attribute, these denials happen
> when using collectd with "df" plugin (this plugin enumerate mountpoints
> and collect disk usage stats):
> 
>     avc:  denied  { getattr } for pid=872 comm="collectd"
>     path="/sys/kernel/config" dev="configfs" ino=10234
>     scontext=system_u:system_r:collectd_t
>     tcontext=system_u:object_r:configfs_t tclass=dir
> 
> As collectd.te already contains files_getattr_all_dirs(collectd_t),
> adding file_type to configfs_t is enough to allow this access.
> 
> Moreover, similar filesystems such as debugfs_t already has file_type:
> 
>     $ seinfo -xtdebugfs_t
>        debugfs_t
>           file_type
>           filesystem_type
>           non_security_file_type
>           mountpoint
>           non_auth_file_type
>     $ seinfo -xtconfigfs_t
>        configfs_t
>           filesystem_type
> 
> This is because kernel.te contains files_mountpoint(debugfs_t), which
> uses files_type(debugfs_t).
> 
> This patch adds files_type() to every pseudo filesystem type that
> doesn't have file_type yet.

I don't think debugfs_t is a good example.  Looking at the file
contexts, I don't see why it needs to be a mount point.  I also don't
think that these pseudo filesystems should be file types either since
they aren't regular files.  It seems like the best choice would be to
use fs_getattr_all_dirs(collectd_t).



> ---
>  policy/modules/kernel/filesystem.te | 11 +++++++++++
>  policy/modules/kernel/kernel.te     |  1 +
>  2 files changed, 12 insertions(+)
> 
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index cf04fb76dc66..083756999432 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -58,6 +58,7 @@ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
>  
>  type bdev_t;
>  fs_type(bdev_t)
> +files_type(bdev_t)
>  genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
>  
>  type binfmt_misc_fs_t;
> @@ -78,10 +79,12 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>  
>  type configfs_t;
>  fs_type(configfs_t)
> +files_type(configfs_t)
>  genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
>  
>  type cpusetfs_t;
>  fs_type(cpusetfs_t)
> +files_type(cpusetfs_t)
>  allow cpusetfs_t self:filesystem associate;
>  genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
>  
> @@ -92,6 +95,7 @@ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
>  
>  type futexfs_t;
>  fs_type(futexfs_t)
> +files_type(futexfs_t)
>  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
>  
>  type hugetlbfs_t;
> @@ -102,29 +106,35 @@ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
>  
>  type ibmasmfs_t;
>  fs_type(ibmasmfs_t)
> +files_type(ibmasmfs_t)
>  allow ibmasmfs_t self:filesystem associate;
>  genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
>  
>  type infinibandeventfs_t;
>  fs_type(infinibandeventfs_t)
> +files_type(infinibandeventfs_t)
>  allow infinibandeventfs_t self:filesystem associate;
>  genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
>  
>  type inotifyfs_t;
>  fs_type(inotifyfs_t)
> +files_type(inotifyfs_t)
>  genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
>  
>  type mvfs_t;
>  fs_noxattr_type(mvfs_t)
> +files_type(mvfs_t)
>  allow mvfs_t self:filesystem associate;
>  genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
>  
>  type nfsd_fs_t;
>  fs_type(nfsd_fs_t)
> +files_type(nfsd_fs_t)
>  genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
>  
>  type oprofilefs_t;
>  fs_type(oprofilefs_t)
> +files_type(oprofilefs_t)
>  genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
>  
>  type pstore_t;
> @@ -140,6 +150,7 @@ genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
>  
>  type romfs_t;
>  fs_type(romfs_t)
> +files_type(romfs_t)
>  genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
>  genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
>  
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 3fc6a56d41f0..f6cd41b70135 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -66,6 +66,7 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
>  #
>  
>  type kvmfs_t;
> +files_type(kvmfs_t)
>  fs_type(kvmfs_t)
>  genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
>  
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com