From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 6 Aug 2016 15:58:15 -0400
Subject: [refpolicy] [PATCH] getattr on unlabeled blk devs
In-Reply-To: <20160803054819.c6x6xgzdcwjscfww@athena.coker.com.au>
References: <20160803054819.c6x6xgzdcwjscfww@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/03/16 01:48, Russell Coker wrote:
> The following has been in my tree for a few years. It allows initrc_t to stat
> devices early in the boot process.
> > >>From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001 > From: Dominick Grift > Date: Sat, 9 Nov 2013 10:45:09 +0100 > Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0 > (device_t) early on boot, soon later the node context is properly reset > (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file > > Signed-off-by: Dominick Grift > --- > policy/modules/system/init.te | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > Index: refpolicy/policy/modules/system/init.te > =================================================================== > --- refpolicy.orig/policy/modules/system/init.te > +++ refpolicy/policy/modules/system/init.te > @@ -563,6 +563,9 @@ userdom_read_user_home_content_files(ini > userdom_use_user_terminals(initrc_t) > > ifdef(`distro_debian',` > + kernel_getattr_core_if(initrc_t) > + > + dev_getattr_generic_blk_files(initrc_t) > dev_setattr_generic_dirs(initrc_t) > > fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)

Merged.

-- 
Chris PeBenito
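Review bot: The mail subject says "getattr on unlabeled blk devs", but the rule added in the `ifdef(`distro_debian',` block is `dev_getattr_generic_blk_files(initrc_t)`, which covers generic block device nodes (device_t, as the commit message itself says for /dev/dm-0), not unlabeled_t; the subject should say "generic" so that anyone later auditing why initrc_t can stat device nodes is not sent looking for an unlabeled_t rule. Both additions grant only getattr, and the commit message explains that the /dev/dm-0 access is transient (the node is relabeled shortly after), so the privilege increase is small and stays Debian-only, which is the right scope. The commit message also fuses two separate justifications into one subject line ("... properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file"); the /proc/kcore sentence, which motivates `kernel_getattr_core_if(initrc_t)`, would read better as its own line in the body.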