From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 17:20:09 +0200
Subject: [refpolicy] [PATCH] dphysswapfile: add predepends and sysadm access
Message-ID: <20170910152009.6886-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
policy/modules/roles/sysadm.te | 4 +++
policy/modules/system/fstools.if | 54 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 58 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c5522533..396900dc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -378,6 +378,10 @@ optional_policy(`
dovecot_admin(sysadm_t, sysadm_r)
')
+optional_policy(`
+ dphysswapfile_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')
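Review bot: The added `dphysswapfile_admin(sysadm_t, sysadm_r)` call depends on an interface this patch does not define; the diffstat touches only sysadm.te and fstools.if, so it presumably comes from a companion change to the dphysswapfile module. That change needs to land first or together with this one, because an interface name that m4 cannot expand inside `optional_policy` will most likely surface as a policy syntax error rather than being skipped. What the admin interface actually grants `sysadm_t` cannot be reviewed from this hunk, so I would reference the companion patch in the commit description, e.g. `Depends on the dphysswapfile module patch that adds dphysswapfile_admin().`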
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index f04d843c..6ebe3800 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -209,3 +209,57 @@ interface(`fstools_getattr_swap_files',`
allow $1 swapfile_t:file getattr;
')
+
+########################################
+##
+## Ignore access to a swapfile.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fstools_dontaudit_getattr_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ dontaudit $1 swapfile_t:file getattr;
+')
+
+########################################
+##
+## Relabel to swapfile.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fstools_relabelto_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 swapfile_t:file relabelto;
+')
+
+########################################
+##
+## Manage swapfile.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fstools_manage_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 swapfile_t:file manage_file_perms;
+')
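Review bot: `fstools_manage_swap_files` grants `manage_file_perms` on `swapfile_t`, which includes read and write, and a swap file can hold paged-out memory from any process, yet the summary "Manage swapfile." gives callers no hint of that. I would spell it out, e.g. `## Create, read, write, and delete swap files. Swap contents may include memory of other domains; grant only to trusted domains.` The summary on `fstools_dontaudit_getattr_swap_files`, "Ignore access to a swapfile.", is also broader than the rule, which only silences `getattr`. `## Do not audit attempts to get the attributes of swap files.` would match the rule and the wording style of the existing `fstools_getattr_swap_files`.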
--
2.14.1