From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 26 Aug 2014 08:20:36 -0400
Subject: [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo filesystem types
In-Reply-To: <1408793751-11289-5-git-send-email-nicolas.iooss@m4x.org>
References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> <1408793751-11289-5-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53FC7B94.3000001@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
> Files in /sys/kernel/config are labeled configfs_t so this type needs
> attribute "file_type". Without this attribute, these denials happen
> when using collectd with the "df" plugin (this plugin enumerates mountpoints
> and collects disk usage stats):
>
> avc: denied { getattr } for pid=872 comm="collectd"
> path="/sys/kernel/config" dev="configfs" ino=10234
> scontext=system_u:system_r:collectd_t
> tcontext=system_u:object_r:configfs_t tclass=dir
>
> As collectd.te already contains files_getattr_all_dirs(collectd_t),
> adding file_type to configfs_t is enough to allow this access.
>
> Moreover, similar filesystems such as debugfs_t already have file_type:
>
> $ seinfo -xtdebugfs_t
> debugfs_t
> file_type
> filesystem_type
> non_security_file_type
> mountpoint
> non_auth_file_type
> $ seinfo -xtconfigfs_t
> configfs_t
> filesystem_type
>
> This is because kernel.te contains files_mountpoint(debugfs_t), which
> uses files_type(debugfs_t).
>
> This patch adds files_type() to every pseudo filesystem type that
> doesn't have file_type yet.

I don't think debugfs_t is a good example. Looking at the file contexts, I don't see why it needs to be a mount point. I also don't think that these pseudo filesystems should be file types either since they aren't regular files. It seems like the best choice would be to use fs_getattr_all_dirs(collectd_t).
> --- > policy/modules/kernel/filesystem.te | 11 +++++++++++ > policy/modules/kernel/kernel.te | 1 + > 2 files changed, 12 insertions(+) > > diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te > index cf04fb76dc66..083756999432 100644 > --- a/policy/modules/kernel/filesystem.te > +++ b/policy/modules/kernel/filesystem.te > @@ -58,6 +58,7 @@ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) > > type bdev_t; > fs_type(bdev_t) > +files_type(bdev_t) > genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) > > type binfmt_misc_fs_t; > @@ -78,10 +79,12 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) > > type configfs_t; > fs_type(configfs_t) > +files_type(configfs_t) > genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) > > type cpusetfs_t; > fs_type(cpusetfs_t) > +files_type(cpusetfs_t) > allow cpusetfs_t self:filesystem associate; > genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) > > @@ -92,6 +95,7 @@ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) > > type futexfs_t; > fs_type(futexfs_t) > +files_type(futexfs_t) > genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) > > type hugetlbfs_t; 
> @@ -102,29 +106,35 @@ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); > > type ibmasmfs_t; > fs_type(ibmasmfs_t) > +files_type(ibmasmfs_t) > allow ibmasmfs_t self:filesystem associate; > genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) > > type infinibandeventfs_t; > fs_type(infinibandeventfs_t) > +files_type(infinibandeventfs_t) > allow infinibandeventfs_t self:filesystem associate; > genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) > > type inotifyfs_t; > fs_type(inotifyfs_t) > +files_type(inotifyfs_t) > genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) > > type mvfs_t; > fs_noxattr_type(mvfs_t) > +files_type(mvfs_t) > allow mvfs_t self:filesystem associate; > genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) > > type nfsd_fs_t; > fs_type(nfsd_fs_t) > +files_type(nfsd_fs_t) > genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) > > type oprofilefs_t; > fs_type(oprofilefs_t) > +files_type(oprofilefs_t) > genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) > > type pstore_t; > @@ -140,6 +150,7 @@ genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) > > type romfs_t; > fs_type(romfs_t) > +files_type(romfs_t) > genfscon romfs / gen_context(system_u:object_r:romfs_t,s0) > genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) > > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > index 3fc6a56d41f0..f6cd41b70135 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -66,6 +66,7 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) > # > > type kvmfs_t; > +files_type(kvmfs_t) > fs_type(kvmfs_t) > genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0) > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
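Review bot: The configfs_t hunk in filesystem.te (and the other files_type() additions in that file) widens access well beyond the single getattr the commit message needs: file_type is the attribute behind the files_*_all_files() and files_*_all_dirs() interfaces, so every domain already calling those interfaces, not only collectd_t, gains the corresponding access to /sys/kernel/config and the other filesystems touched here. If the goal is only to let collectd_t stat mountpoints, fs_getattr_all_dirs(collectd_t), as suggested in the reply, is the narrower change and leaves the type declarations untouched.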
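Review bot: The commit message says the patch covers "every pseudo filesystem type", but two hunks do not match that description: the romfs_t hunk (genfscon romfs and cramfs, both on-disk read-only image filesystems) and the mvfs_t hunk (declared with fs_noxattr_type() rather than fs_type(), i.e. a filesystem without xattr labeling support). Either drop those two hunks or reword the description so reviewers know the change is broader than pseudo filesystems.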
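Review bot: In the kernel.te hunk the new `files_type(kvmfs_t)` line is inserted before `fs_type(kvmfs_t)`, whereas every hunk in filesystem.te places `files_type()` directly after the `fs_type()`/`fs_noxattr_type()` call; for consistency move it to follow `fs_type(kvmfs_t)`.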