From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Sun, 10 Sep 2017 17:21:58 +0200
Subject: [refpolicy] [PATCH] dphysswapfile: fix first version
Message-ID: <20170910152158.7134-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The first version only works when the swapfile already exists. During creation swapfile_t is hard coded and needs to be used.
---
 dphysswapfile.fc | 6 ++++--
 dphysswapfile.if | 22 ++--------------------
 dphysswapfile.te | 14 +++++++++++++-
 3 files changed, 19 insertions(+), 23 deletions(-)

diff --git a/dphysswapfile.fc b/dphysswapfile.fc
index 70b0ee3..9c4ff04 100644
--- a/dphysswapfile.fc
+++ b/dphysswapfile.fc
@@ -2,8 +2,10 @@
 /etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
-/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
 /usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
-/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
diff --git a/dphysswapfile.if b/dphysswapfile.if
index 7dda955..f7bb8a0 100644
--- a/dphysswapfile.if
+++ b/dphysswapfile.if
@@ -1,23 +1,5 @@
 ## Set up, mount/unmount, and delete an swap file.
-########################################
-##
-## Dontaudit acces to the swap file.
-##
-##
-##
-## Domain to not audit.
-##
-##
-#
-interface(`dphysswapfile_dontaudit_read_swap',`
- gen_require(`
- type dphysswapfile_swap_t;
- ')
-
- dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
-')
-
 ########################################
 ##
 ## All of the rules required to 
@@ -38,12 +20,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
 interface(`dphysswapfile_admin',`
 gen_require(`
 type dphysswapfile_t, dphysswapfile_conf_t;
- type dphysswapfile_initrc_exec_t;
+ type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
 ')
 admin_process_pattern($1, dphysswapfile_t)
- init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
+ init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
 files_search_etc($1)
 admin_pattern($1, dphysswapfile_conf_t)
diff --git a/dphysswapfile.te b/dphysswapfile.te
index dfd04e3..4bfe782 100644
--- a/dphysswapfile.te
+++ b/dphysswapfile.te
@@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
 type dphysswapfile_swap_t;
 files_type(dphysswapfile_swap_t)
+type dphysswapfile_unit_t;
+init_unit_file(dphysswapfile_unit_t)
+
 ########################################
 #
 # Policy
@@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
 allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
-allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
 kernel_read_system_state(dphysswapfile_t)
 corecmd_exec_bin(dphysswapfile_t)
 corecmd_exec_shell(dphysswapfile_t)
+dev_read_rand(dphysswapfile_t)
+dev_read_urand(dphysswapfile_t)
+
 # ignore ls -l /var/swap noise
 files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
 files_read_etc_files(dphysswapfile_t)
 files_search_var(dphysswapfile_t)
+files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
 fstools_exec(dphysswapfile_t)
+# swapfile_t is hardcoded in mkswap
+fstools_manage_swap_files(dphysswapfile_t)
+fstools_relabelto_swap_files(dphysswapfile_t)
 miscfiles_read_localization(dphysswapfile_t)
+storage_getattr_removable_dev(dphysswapfile_t)
+
 userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
-- 
2.14.1
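Review bot: In the second dphysswapfile.te hunk, `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)` is unnamed, so every file the domain creates directly in a var_t directory gets dphysswapfile_swap_t, while the .fc hunk only labels `/var/swap`; the optional filename argument narrows the transition to that default path, `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file, "swap")` (if a non-default swap file location is meant to be supported, the .fc entry and this transition would need extending together — I cannot tell from the hunk). The single `# swapfile_t is hardcoded in mkswap` comment does not explain how the three label changes fit together: the file is created as dphysswapfile_swap_t, mkswap relabels it, and `relabelfrom` plus `fstools_relabelto_swap_files` are what permit that step, after which the type only survives until the relabel. `fstools_manage_swap_files` then grants manage on every swapfile_t file rather than only the one this domain created, which is wider than the removed `allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;` rule and is worth stating, e.g. `# created as dphysswapfile_swap_t, then relabeled by mkswap to the hardcoded swapfile_t; manage on swapfile_t is system-wide`. `dev_read_rand`, `dev_read_urand` and `storage_getattr_removable_dev` carry no why-comment; if they serve mkswap's UUID generation and the script's device checks, a one-line comment on each would keep a later reviewer from treating them as speculative.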