From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sun, 7 Sep 2014 23:47:31 +0200 Subject: [refpolicy] [PATCH] Add file_type attribute to configfs_t Message-ID: <1410126451-5781-1-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com /sys/kernel/config filesystem can be used to configure some kernel components such as netconsole [1]. Hence configfs_t can be used to label files and directories and should be file_type. Moreover this fixes the following AVC denial from collectd: avc: denied { getattr } for pid=872 comm="collectd" path="/sys/kernel/config" dev="configfs" ino=10234 scontext=system_u:system_r:collectd_t tcontext=system_u:object_r:configfs_t tclass=dir [1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt --- policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index cf04fb76dc66..fab828f00f97 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; fs_type(configfs_t) +files_type(configfs_t) genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) type cpusetfs_t; -- 2.1.0
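Review bot: the added `files_type(configfs_t)` in the filesystem.te hunk is a much broader grant than the single getattr denial quoted in the description needs. The `file_type` attribute is what every `files_*_all_*` rule targets, so after this change any domain that may read, list, search or manage all file types also gains that access to everything under /sys/kernel/config, which the message describes as a kernel configuration interface (netconsole and similar). If the goal is only the collectd `getattr` on the configfs directory, a narrow fs_getattr-style interface for configfs directories called from the collectd module would close that denial without widening every other domain's reach. If file_type is genuinely wanted so that configfs paths can be handled like other labeled filesystems, the commit message should say which files_ interfaces are expected to be exercised on configfs objects, since right now it only justifies the one getattr.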