From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 14 Sep 2017 17:21:00 -0400
Subject: [refpolicy] [PATCH] dphysswapfile: add interfaces and sysadm access
In-Reply-To: <20170914114604.4025-1-cgzones@googlemail.com>
References: <20170914114604.4025-1-cgzones@googlemail.com>
Message-ID: <81b7cbdc-507d-5add-c9dd-9dcdfbd225ae@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/14/2017 07:46 AM, Christian Göttsche via refpolicy wrote:
> v2:
>
> add swapfile file context
> ---
> policy/modules/roles/sysadm.te | 4 +++
> policy/modules/system/fstools.fc | 2 ++
> policy/modules/system/fstools.if | 54 ++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 60 insertions(+)
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index c5522533..396900dc 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -378,6 +378,10 @@ optional_policy(`
> dovecot_admin(sysadm_t, sysadm_r)
> ')
>
> +optional_policy(`
> + dphysswapfile_admin(sysadm_t, sysadm_r)
> +')
> +
> optional_policy(`
> dpkg_run(sysadm_t, sysadm_r)
> ')
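Review bot: the new optional_policy block calls `dphysswapfile_admin()`, but no dphysswapfile module is part of this diff (only sysadm.te, fstools.fc and fstools.if change), so the hunk only builds if that module and its `_admin` interface are already in the tree or precede this patch in the series; the cover text should say which. Placement between the `dovecot_admin` and `dpkg_run` blocks keeps the file's alphabetical order.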
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 70fb0b47..d4219a18 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -106,6 +106,8 @@
> /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
> /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
>
> +/var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
> +
> /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
>
> /run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
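Review bot: the new entry labels only the literal path `/var/swap`, and only when a relabel runs; a swap file that already exists at that path keeps its old label until restorecon is applied, and a swap file placed anywhere else gets no special label at all. A one-line comment above the entry stating the assumed default location would make that explicit. Since `swapfile_t` is declared by fstools, this .fc is the right place for the entry, and the `--` correctly limits the match to regular files.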
> diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
> index f04d843c..6ebe3800 100644
> --- a/policy/modules/system/fstools.if
> +++ b/policy/modules/system/fstools.if
> @@ -209,3 +209,57 @@ interface(`fstools_getattr_swap_files',`
>
> allow $1 swapfile_t:file getattr;
> ')
> +
> +########################################
> +##
> +## Ignore access to a swapfile.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`fstools_dontaudit_getattr_swap_files',`
> + gen_require(`
> + type swapfile_t;
> + ')
> +
> + dontaudit $1 swapfile_t:file getattr;
> +')
> +
> +########################################
> +##
> +## Relabel to swapfile.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fstools_relabelto_swap_files',`
> + gen_require(`
> + type swapfile_t;
> + ')
> +
> + allow $1 swapfile_t:file relabelto;
> +')
> +
> +########################################
> +##
> +## Manage swapfile.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`fstools_manage_swap_files',`
> + gen_require(`
> + type swapfile_t;
> + ')
> +
> + allow $1 swapfile_t:file manage_file_perms;
> +')
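Review bot: `fstools_relabelto_swap_files()` grants only `relabelto` on `swapfile_t`, so a caller relabeling an existing `/var/swap` also needs `relabelfrom` on the file's current type (the var_t label it carries before relabel), and `fstools_manage_swap_files()` grants `manage_file_perms` on `swapfile_t` without a type transition, so a domain that creates the file under `/var` gets the default label on it unless it is paired with a `files_var_filetrans($1, swapfile_t, file, "swap")`-style transition; consider adding a `fstools_var_filetrans_swap_files()` interface alongside these, or documenting that callers must combine them. Separately, the three doc headers as shown carry no `<summary>` and `<param name="domain">` elements (they may have been stripped by the mail rendering); if that is what was committed, the interface documentation build will reject them, and the first summary reads more precisely as "Do not audit attempts to get the attributes of swap files." since only `getattr` is dontaudited.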
Merged.
--
Chris PeBenito