From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 4 Jun 2017 18:03:17 +0200
Subject: [refpolicy] [PATCH] filesystem: introduce fs_cgroup_filetrans interface
In-Reply-To: <20170604155251.GB27878@meriadoc.perfinion.com>
References: <20170604152008.23980-1-jason@perfinion.com> <20170604152543.GA10639@julius.enp8s0.d30> <20170604155251.GB27878@meriadoc.perfinion.com>
Message-ID: <20170604160317.GB10639@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jun 04, 2017 at 11:52:51PM +0800, Jason Zaman via refpolicy wrote:
> On Sun, Jun 04, 2017 at 05:25:43PM +0200, Dominick Grift via refpolicy wrote:
> > On Sun, Jun 04, 2017 at 11:20:08PM +0800, Jason Zaman via refpolicy wrote:
> > > --- > > > policy/modules/kernel/filesystem.if | 35 +++++++++++++++++++++++++++++++++++ > > > 1 file changed, 35 insertions(+) > > > > > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if > > > index 42ab95c0..20461505 100644 > > > --- a/policy/modules/kernel/filesystem.if > > > +++ b/policy/modules/kernel/filesystem.if
> > > @@ -944,6 +944,41 @@ interface(`fs_mounton_cgroup', ` > > > > > > ######################################## > > > ## > > > +## Create an object in a cgroup tmpfs filesystem, with a private > > > +## type using a type transition. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +## > > > +## > > > +## The type of the object to be created. > > > +## > > > +## > > > +## > > > +## > > > +## The object class of the object being created. > > > +## > > > +## > > > +## > > > +## > > > +## The name of the object being created. > > > +## > > > +## > > > +# > > > +interface(`fs_cgroup_filetrans',` > > > + gen_require(` > > > + type cgroup_t; > > > + ') > > > + > > > + allow $2 tmpfs_t:filesystem associate;
> >
> > you're referencing tmpfs_t without requiring it, but I think that this is probably not the right place to deal with this in the first place
> >
> > what I probably would add instead however is: fs_search_sysfs($1)
>
> Hmm
> I could add fs_associate_tmpfs(cgmanager_cgroup_t) to cgmanager.te
> instead, but cgroup_t is a tmpfs underneath so this assoc needs to be
> there, and fs_tmpfs_filetrans has the fs assoc perm too which is why I
> kept it.

Okay yes then I suppose for the sake of consistency you might add it here as well.

side note though: the situation in /sys/fs got quite messy. I got a headache just looking at your cgmanager patch, but that is not your fault. It's probably actually my fault because we should have never added an fc spec for /sys/fs/cgroup (instead we should have just relied on contexts of file system mounts and getfscon). Because having to add rules that allow the creation of sock files on cgroup filesystem type filesystems doesn't make sense (it's actually probably creating that stuff on tmpfs but that tmpfs fs gets labeled cgroupfs due to the fc spec .... anyhow c'est la vie

>
> fs_search_sysfs isn't strictly required because cgmanager mounts things
> in a mount namespace in /run instead.
> but adding it makes sense so I can
> do it anyway.
>
> # cat /proc/`pidof cgmanager`/mounts
> proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
> binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0
> cgmfs /run/cgmanager/fs tmpfs rw,seclabel,relatime,size=100k,mode=755 0 0
> blkio /run/cgmanager/fs/blkio cgroup rw,relatime,blkio 0 0
> cpu /run/cgmanager/fs/cpu cgroup rw,relatime,cpu 0 0
> cpuacct /run/cgmanager/fs/cpuacct cgroup rw,relatime,cpuacct 0 0
> cpuset /run/cgmanager/fs/cpuset cgroup rw,relatime,cpuset,clone_children 0 0
> devices /run/cgmanager/fs/devices cgroup rw,relatime,devices 0 0
> freezer /run/cgmanager/fs/freezer cgroup rw,relatime,freezer 0 0
> memory /run/cgmanager/fs/memory cgroup rw,relatime,memory 0 0
> net_prio /run/cgmanager/fs/net_prio cgroup rw,relatime,net_prio 0 0
> none,name=openrc /run/cgmanager/fs/none,name=openrc cgroup rw,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc 0 0
> pids /run/cgmanager/fs/pids cgroup rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids 0 0
> none,name=systemd /run/cgmanager/fs/none,name=systemd cgroup rw,relatime,release_agent=/run/cgmanager/agents/cgm-release-agent.systemd,name=systemd 0 0
> zmeriadoc/root / zfs rw,seclabel,relatime,xattr,posixacl 0 0
> tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_run_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=131072k,mode=755 0 0
> root /root tmpfs rw,seclabel,relatime,size=12k 0 0
>
> >
> > > + filetrans_pattern($1, cgroup_t, $2, $3, $4) > > > +') > > > + > > > +######################################## > > > +## > > > ## Do not audit attempts to read > > > ## dirs on a CIFS or SMB filesystem.
> > > ## > > > -- > > > 2.13.0
> > >
> > > _______________________________________________
> > > refpolicy mailing list
> > > refpolicy at oss.tresys.com
> > > http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
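Review bot: the gen_require block of fs_cgroup_filetrans declares only `type cgroup_t;` while the body uses `allow $2 tmpfs_t:filesystem associate;`, so a modular build of a caller that does not otherwise require tmpfs_t will fail on an undeclared type; change the require block to `type cgroup_t, tmpfs_t;` as the discussion already agrees to keep the associate rule for consistency with fs_tmpfs_filetrans. While there, the interface summary only mentions the type transition; since the associate permission is granted to $2 (the created type) rather than $1 (the domain), a line in the summary saying that the new type is also allowed to associate with tmpfs_t would tell callers why a filetrans interface carries a filesystem permission. The fs_search_sysfs($1) addition proposed in the thread would also fit in this same body, before the filetrans_pattern call.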
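As an added illustration, not code from the patch, from cgmanager.te, or from refpolicy itself, this is how a caller would use the interface once tmpfs_t is added to its require block, and what that call expands to. The caller domain name cgmanager_t, the socket file name "sock" and the file placement are assumptions for the example; cgmanager_cgroup_t and fs_search_sysfs are the names used in the thread.

```selinux
# Added example, not part of the patch under review.
#
# policy/modules/kernel/filesystem.if: the interface with tmpfs_t added
# to gen_require so it compiles in a module that does not already
# require that type.
interface(`fs_cgroup_filetrans',`
	gen_require(`
		type cgroup_t, tmpfs_t;
	')

	# $2 is the private type being created, so it is the one that must be
	# allowed to associate with the tmpfs that is labeled cgroup_t by the
	# /sys/fs/cgroup file context spec.
	allow $2 tmpfs_t:filesystem associate;
	filetrans_pattern($1, cgroup_t, $2, $3, $4)
')

# policy/modules/contrib/cgmanager.te: hypothetical caller. The domain
# name cgmanager_t and the name "sock" are assumptions for this example.
fs_search_sysfs(cgmanager_t)
fs_cgroup_filetrans(cgmanager_t, cgmanager_cgroup_t, sock_file, "sock")

# After m4 expansion, the call above yields (filetrans_pattern is defined
# in policy/support/misc_patterns.spt and grants rw_dir_perms on the
# parent directory type in addition to the named transition):
#
#   allow cgmanager_t cgroup_t:dir rw_dir_perms;
#   type_transition cgmanager_t cgroup_t:sock_file cgmanager_cgroup_t "sock";
#   allow cgmanager_cgroup_t tmpfs_t:filesystem associate;
#
# The dir rule is what a reviewer should keep in mind: a filetrans
# interface gives the domain read/write access to every cgroup_t
# directory, not just the ability to create the one named object.
```

After loading the policy, `sesearch -T -s cgmanager_t -t cgroup_t -c sock_file` should list the type_transition rule, and `nsenter -m -t $(pidof cgmanager) ls -Zd /run/cgmanager/fs` shows what label the cgmanager tmpfs actually carries inside its mount namespace, which is the detail the thread is unsure about (the mount table shows it as a plain tmpfs with seclabel, not a cgroup filesystem).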