From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 19:15:07 -0400
Subject: [refpolicy] [PATCH] dphysswapfile: fix first version
In-Reply-To: <20170910152158.7134-1-cgzones@googlemail.com>
References: <20170910152158.7134-1-cgzones@googlemail.com>
Message-ID: <8a21b42b-7212-53bc-39eb-12b3d1b35bda@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 11:21 AM, Christian G?ttsche via refpolicy wrote:
> The first version only works when the swapfile already exists.
> During creation swapfile_t is hard coded and needs to be used.

I'm confused by the subject. Is this instead of the previous patch?

> ---
> dphysswapfile.fc | 6 ++++--
> dphysswapfile.if | 22 ++--------------------
> dphysswapfile.te | 14 +++++++++++++-
> 3 files changed, 19 insertions(+), 23 deletions(-)
>
> diff --git a/dphysswapfile.fc b/dphysswapfile.fc
> index 70b0ee3..9c4ff04 100644
> --- a/dphysswapfile.fc
> +++ b/dphysswapfile.fc
> @@ -2,8 +2,10 @@
>
> /etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
>
> -/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
> +/usr/bin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
> +
> +/usr/lib/systemd/system/dphys-swapfile\.service -- gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
>
> /usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
>
> -/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
> +/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
> diff --git a/dphysswapfile.if b/dphysswapfile.if
> index 7dda955..f7bb8a0 100644
> --- a/dphysswapfile.if
> +++ b/dphysswapfile.if
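Review bot: `/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)` now assigns a type owned by the fstools module rather than one declared in this module, which is unusual for a module's own .fc and will read like a mistake to a later maintainer without context. A one-line comment above it, `# mkswap forces the swap file to swapfile_t, so label it that way here`, would record the reason, which otherwise only appears as a comment in the .te hunk. The whitespace-only rewrite of the `/usr/bin/dphys-swapfile` line adds diff noise and could be dropped from this patch.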
> @@ -1,23 +1,5 @@
> ## Set up, mount/unmount, and delete an swap file.
>
> -########################################
> -##
> -## Dontaudit acces to the swap file.
> -##
> -##
> -##
> -## Domain to not audit.
> -##
> -##
> -#
> -interface(`dphysswapfile_dontaudit_read_swap',`
> - gen_require(`
> - type dphysswapfile_swap_t;
> - ')
> -
> - dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
> -')
> -
> ########################################
> ##
> ## All of the rules required to
> @@ -38,12 +20,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
> interface(`dphysswapfile_admin',`
> gen_require(`
> type dphysswapfile_t, dphysswapfile_conf_t;
> - type dphysswapfile_initrc_exec_t;
> + type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
> ')
>
> admin_process_pattern($1, dphysswapfile_t)
>
> - init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t)
> + init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
>
> files_search_etc($1)
> admin_pattern($1, dphysswapfile_conf_t)
> diff --git a/dphysswapfile.te b/dphysswapfile.te
> index dfd04e3..4bfe782 100644
> --- a/dphysswapfile.te
> +++ b/dphysswapfile.te
> @@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
> type dphysswapfile_swap_t;
> files_type(dphysswapfile_swap_t)
>
> +type dphysswapfile_unit_t;
> +init_unit_file(dphysswapfile_unit_t)
> +
> ########################################
> #
> # Policy
> @@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
>
> allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
>
> -allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
> +allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms relabelfrom };
>
> kernel_read_system_state(dphysswapfile_t)
>
> corecmd_exec_bin(dphysswapfile_t)
> corecmd_exec_shell(dphysswapfile_t)
>
> +dev_read_rand(dphysswapfile_t)
> +dev_read_urand(dphysswapfile_t)
> +
> # ignore ls -l /var/swap noise
> files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
> files_read_etc_files(dphysswapfile_t)
> files_search_var(dphysswapfile_t)
> +files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
>
> fstools_exec(dphysswapfile_t)
> +# swapfile_t is hardcoded in mkswap
> +fstools_manage_swap_files(dphysswapfile_t)
> +fstools_relabelto_swap_files(dphysswapfile_t)
>
> miscfiles_read_localization(dphysswapfile_t)
>
> +storage_getattr_removable_dev(dphysswapfile_t)
> +
> userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
> -- Chris PeBenito
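Review bot: `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)` carries no filename, so every file this domain creates directly in a var_t directory is typed dphysswapfile_swap_t and, through the `relabelfrom` added on that type plus `fstools_relabelto_swap_files`, can be turned into swapfile_t, while the .fc hunk only anticipates `/var/swap`. If the refpolicy version targeted accepts a name argument, `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file, "swap")` confines the transition to the default name; the trade-off is that a non-default swap path, if the conf file this domain reads (dphysswapfile_conf_t) allows one, would then need a local rule. The comment `# swapfile_t is hardcoded in mkswap` should also explain why dphysswapfile_swap_t is kept now that nothing in the .fc carries it, e.g. `# file is created as dphysswapfile_swap_t, then mkswap relabels it to swapfile_t`. `dev_read_rand` and `storage_getattr_removable_dev` likewise arrive without a why-comment, and the latter is not obviously needed to create a file in /var. The rule block continues beyond the end of the hunk.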