From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 13 Apr 2015 18:20:16 +0200
Subject: [refpolicy] [PATCH] fstools: add in filetrans for /run dir
In-Reply-To: <20150413160959.GA32570@x131e>
References: <1428939695-20296-1-git-send-email-jason@perfinion.com> <20150413160959.GA32570@x131e>
Message-ID: <20150413162015.GB32570@x131e>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Apr 13, 2015 at 06:09:59PM +0200, Dominick Grift wrote:
> > The transition should only be needed on "dir" (/var/run/blkid and /var/run/fsck)
> > files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
> I think it is important to do this properly since it makes it sensible. Adding rules that do not make
> sense only makes it harder to understand what is going on and it needlessly inflates the policy.

But I think I know what is going on here, since you have no AVC denials of the event where the /var/run/blkid dir is created.

blkid is probably run by some process that is allowed to run all executable files and that has permissions to create generic var_run_t dirs.

I would probably instead identify what creates the /var/run/blkid dir and why it creates it with the generic var_run_t type, then act accordingly by either making it run blkid with a domain transition or by making it create /var/run/blkid with an object type transition.

What you have currently is inconsistent and is bound to cause issues later on, because in some instances /var/run/blkid may be created with var_run_t and in other instances with fsadm_var_run_t.

Then you'll end up allowing processes that need to manage fsadm_var_run_t files to write/del_entry/add_entry of both var_run_t as well as fsadm_var_run_t dirs.

Add a rule:

auditallow domain var_run_t:dir create;

then keep an eye on any event showing up where /var/run/blkid is created, and deal with it accordingly.

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
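Added illustration (not part of the message above, and not the patch under review): a refpolicy-style policy fragment showing the auditallow probe Dominick suggests, followed by the two consistent fixes he describes, a named object type transition and a domain transition. Type names fsadm_t, fsadm_run_t and var_run_t are taken from the thread; the creator domain some_daemon_t is a hypothetical placeholder for whatever the probe turns out to identify, and the interface names files_pid_filetrans and fstools_domtrans are the ones refpolicy provides for these two operations.

```selinux
# Added example, not code from the thread or from refpolicy itself.
# some_daemon_t is hypothetical: it stands for the still-unknown domain
# that creates /run/blkid with the generic var_run_t type.

##########################################
# 1. Probe. auditallow grants nothing new; it only logs accesses that are
#    already allowed, as "avc: granted { create }" records in the audit
#    log (readable with ausearch -m avc). Any domain creating a directory
#    under /run with the generic var_run_t type will show up here, which
#    is exactly the event the original AVC denials did not reveal.
auditallow domain var_run_t:dir create;

##########################################
# 2a. Fix by object type transition. Once the probe names the creator,
#     give it a *named* transition so that only the "blkid" dir it creates
#     under /run is labeled fsadm_run_t; every other dir it creates there
#     keeps the generic type. An unnamed transition
#     (files_pid_filetrans(some_daemon_t, fsadm_run_t, dir)) would instead
#     relabel every dir the domain creates under /run, which is the kind of
#     over-broad rule the message warns against. Named transitions need a
#     kernel and policy version that support them.
files_pid_filetrans(some_daemon_t, fsadm_run_t, dir, "blkid")

# fsadm_t itself gets the same named rules for the dirs it creates directly,
# so the label is the same no matter which domain creates the directory.
files_pid_filetrans(fsadm_t, fsadm_run_t, dir, "blkid")
files_pid_filetrans(fsadm_t, fsadm_run_t, dir, "fsck")

##########################################
# 2b. Alternative fix by domain transition. Instead of teaching the
#     creator about fsadm_run_t, make it run blkid in fsadm_t. The dir is
#     then created by fsadm_t and labeled by fsadm_t's own rules, and no
#     second domain ever needs write/add_name/remove_name on fsadm_run_t.
#     Use one of 2a or 2b for a given creator, not both.
fstools_domtrans(some_daemon_t)
```

Either way the outcome is the consistency the message asks for: /run/blkid always carries fsadm_run_t, so the domains that manage it need rules on that one type only, not on both var_run_t and the fsadm type.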