From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 4 Jun 2017 20:37:16 -0400 Subject: [refpolicy] [PATCH v2] filesystem: introduce fs_cgroup_filetrans interface In-Reply-To: <20170604163344.11358-1-jason@perfinion.com> References: <20170604163344.11358-1-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 06/04/2017 12:33 PM, Jason Zaman wrote: > --- > changes from v1: > add require tmpfs_t > add fs_search_sysfs > > no changes are required in the patches for contrib > --- > policy/modules/kernel/filesystem.if | 36 ++++++++++++++++++++++++++++++++++++ > 1 file changed, 36 insertions(+) > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if > index 42ab95c0..35b17a2a 100644 > --- a/policy/modules/kernel/filesystem.if > +++ b/policy/modules/kernel/filesystem.if > @@ -944,6 +944,42 @@ interface(`fs_mounton_cgroup', ` > > ######################################## > ## > +## Create an object in a cgroup tmpfs filesystem, with a private > +## type using a type transition. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created. > +## > +## > +## > +## > +## The object class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`fs_cgroup_filetrans',` > + gen_require(` > + type cgroup_t, tmpfs_t; > + ') > + > + allow $2 tmpfs_t:filesystem associate; > + filetrans_pattern($1, cgroup_t, $2, $3, $4) > + fs_search_sysfs($1) It's actually dev_search_sysfs(). I merged it along with the fix. > +') > + > +######################################## > +## > ## Do not audit attempts to read > ## dirs on a CIFS or SMB filesystem. > ## > -- Chris PeBenito
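Review bot: In the body of `fs_cgroup_filetrans`, the call `fs_search_sysfs($1)` is not a filesystem-module interface: sysfs is labeled by the devices module, so the search access on `sysfs_t` that lets the caller reach `/sys/fs/cgroup` has to come from `dev_search_sysfs($1)`, as the reply below also confirms; as written the interface would fail to expand. A second, smaller point on the same hunk: the summary says "cgroup tmpfs filesystem" while the rule `allow $2 tmpfs_t:filesystem associate;` is the only place tmpfs enters, and `filetrans_pattern($1, cgroup_t, $2, $3, $4)` keys the transition on the `cgroup_t` directory type; a one-line comment above the `allow` noting that the cgroup hierarchy is mounted on a tmpfs, so the created object's type must associate with `tmpfs_t` rather than `cgroup_t`, would save the next reader from wondering why a cgroup interface grants an association with `tmpfs_t`.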