From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 4 Jun 2017 17:25:43 +0200
Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface
In-Reply-To: <20170604152008.23980-1-jason@perfinion.com>
References: <20170604152008.23980-1-jason@perfinion.com>
Message-ID: <20170604152543.GA10639@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> --- > policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++ > 1 file changed, 35 insertions(+) > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if > index 42ab95c0..20461505 100644 > --- a/policy/modules/kernel/filesystem.if > +++ b/policy/modules/kernel/filesystem.if
> @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', ` > > ######################################## > ## > +## Create an object in a cgroup tmpfs filesystem, with a private > +## type using a type transition. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created. > +## > +## > +## > +## > +## The object class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`fs_cgroup_filetrans',` > + gen_require(` > + type cgroup_t; > + ') > + > + allow $2 tmpfs_t:filesystem associate;

you're referencing tmpfs_t without requiring it, but i think that this is probably not the right place to deal with this in the first place

what i probably would add instead however is: fs_search_sysfs($1)

> + filetrans_pattern($1, cgroup_t, $2, $3, $4) > +') > + > +######################################## > +## > ## Do not audit attempts to read > ## dirs on a CIFS or SMB filesystem. > ## > -- > 2.13.0 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
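
Review bot: the rule `allow $2 tmpfs_t:filesystem associate;` in fs_cgroup_filetrans uses tmpfs_t, but the gen_require block above it declares only `type cgroup_t;`, so the interface depends on a type it never requires. Either add `type tmpfs_t;` to the gen_require or move the associate rule out of this interface. The rule is also keyed on $2, the type of the created object, so every caller-supplied type gains filesystem associate on tmpfs_t as a side effect, while the summary only describes creating an object with a type transition; if the rule stays, the summary should document that extra grant so callers can see what they are pulling in.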