From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Sep 2014 14:09:21 -0400
Subject: [refpolicy] [PATCH] Add file_type attribute to configfs_t
In-Reply-To: <1410126451-5781-1-git-send-email-nicolas.iooss@m4x.org>
References: <1410126451-5781-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <541336D1.1030903@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 9/7/2014 5:47 PM, Nicolas Iooss wrote:
> /sys/kernel/config filesystem can be used to configure some kernel
> components such as netconsole [1]. Hence configfs_t can be used to
> label files and directories and should be file_type.

I don't think configfs_t labels any files but those in the configfs pseudo filesystem, which is consistent with the following denial. I don't think it should be a file type.

> Moreover this fixes the following AVC denial from collectd:
>
> avc: denied { getattr } for pid=872 comm="collectd"
> path="/sys/kernel/config" dev="configfs" ino=10234
> scontext=system_u:system_r:collectd_t
> tcontext=system_u:object_r:configfs_t tclass=dir
>
> [1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
> ---
> policy/modules/kernel/filesystem.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index cf04fb76dc66..fab828f00f97 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>
> type configfs_t;
> fs_type(configfs_t)
> +files_type(configfs_t)
> genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
>
> type cpusetfs_t;

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
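Review bot: the added `+files_type(configfs_t)` line in the filesystem.te hunk is a much broader change than the denial it is meant to fix. configfs_t already carries `fs_type(configfs_t)` and is only assigned through `genfscon configfs /`, so it labels nothing outside the configfs pseudo filesystem; putting it in the file_type attribute makes every attribute-wide rule written against file_type (across all modules) apply to /sys/kernel/config as well, which the commit message does not discuss or justify. The quoted AVC record is a single `getattr` on a `dir` by collectd_t, which is better handled with a dedicated getattr interface for configfs_t in filesystem.if, called from the collectd module, leaving the attribute membership unchanged; the commit message should then describe that narrower rule rather than the file_type claim.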
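The thread turns on reading one AVC denial precisely and granting no more than it asks for. The following is an added example, not code from the refpolicy project or from either poster: it parses AVC denial records of the shape quoted in the mail (the kernel writes them on one line; the copy in the mail was wrapped by the mailer), aggregates them per (source type, target type, object class), and prints the narrowest allow rule that would satisfy them, in the style audit2allow uses. The sample log lines are constructed for this example; the first reproduces the record from the mail, the others are made up to show permission aggregation across classes. Running it on the collectd denial yields a single `allow collectd_t configfs_t:dir { getattr };`, which is the scope of the problem, as opposed to the attribute-wide change in the patch.

```python
import re
from collections import defaultdict

# Field layout of an AVC denial record as written by the kernel audit
# subsystem: "avc: denied { perms } for key=value key="value" ...".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path, name, ...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input. Line 1 is the denial quoted in the mail,
# re-joined onto one line; lines 2-3 are invented; line 4 is noise.
SAMPLE_LINES = [
    'avc: denied { getattr } for pid=872 comm="collectd" '
    'path="/sys/kernel/config" dev="configfs" ino=10234 '
    'scontext=system_u:system_r:collectd_t '
    'tcontext=system_u:object_r:configfs_t tclass=dir',
    'type=AVC msg=audit(1410126451.000:123): avc:  denied  { read } for  '
    'pid=872 comm="collectd" name="config" dev="configfs" ino=10234 '
    'scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1410126452.000:124): avc:  denied  { read } for  '
    'pid=872 comm="collectd" name="enabled" dev="configfs" ino=10240 '
    'scontext=system_u:system_r:collectd_t:s0 '
    'tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1410126452.000:124): arch=c000003e syscall=2',
]


def parse_avc(line):
    """Return a dict with 'perms' (list) plus the record's key=value fields,
    or None if the line is not a well-formed AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # Without these three fields no rule can be derived from the record.
    if not all(k in rec for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return rec


def context_type(ctx):
    """Extract the type from user:role:type[:mls] security context."""
    return ctx.split(':')[2]


def collect_rules(lines):
    """Aggregate denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']),
               context_type(rec['tcontext']),
               rec['tclass'])
        rules[key].update(rec['perms'])
    return dict(rules)


def format_rules(rules):
    """Render the aggregated denials as minimal, type-specific allow rules."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append('allow %s %s:%s { %s };'
                     % (src, tgt, cls, ' '.join(sorted(perms))))
    return lines


if __name__ == '__main__':
    for rule in format_rules(collect_rules(SAMPLE_LINES)):
        print(rule)
```

The rules it prints are the starting point, not the finished policy: in refpolicy they would be expressed through an interface in filesystem.if rather than as raw allow rules in the collectd module, and the tool deliberately never suggests attribute-level grants, so a denial on configfs_t can only ever turn into a rule about configfs_t.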