From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 4 Jun 2017 17:25:43 +0200
Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface
In-Reply-To: <20170604152008.23980-1-jason@perfinion.com>
References: <20170604152008.23980-1-jason@perfinion.com>
Message-ID: <20170604152543.GA10639@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> ---
> policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++
> 1 file changed, 35 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 42ab95c0..20461505 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', `
>
> ########################################
> ##
> +## Create an object in a cgroup tmpfs filesystem, with a private
> +## type using a type transition.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The type of the object to be created.
> +##
> +##
> +##
> +##
> +## The object class of the object being created.
> +##
> +##
> +##
> +##
> +## The name of the object being created.
> +##
> +##
> +#
> +interface(`fs_cgroup_filetrans',`
> + gen_require(`
> + type cgroup_t;
> + ')
> +
> + allow $2 tmpfs_t:filesystem associate;

You're referencing tmpfs_t without requiring it, but I think that this is probably not the right place to deal with this in the first place.

What I probably would add instead, however, is: fs_search_sysfs($1)

> + filetrans_pattern($1, cgroup_t, $2, $3, $4)
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to read
> ## dirs on a CIFS or SMB filesystem.
> ##
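
Review bot: in the body of fs_cgroup_filetrans, the rule "allow $2 tmpfs_t:filesystem associate;" names tmpfs_t, but the gen_require block lists only "type cgroup_t;", so tmpfs_t is used without being declared in this interface. Either add "type tmpfs_t;" to the gen_require or drop the rule from this interface. If the rule stays, the summary comment should mention it, since it currently describes only creating an object with a private type via a type transition.
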
> --
> 2.13.0
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift