2013-09-11 08:53:08

by dominick.grift

Subject: [refpolicy] [PATCH] [V2] Initial pstore support


Generic interface to platform dependent persistent storage
https://www.kernel.org/doc/Documentation/ABI/testing/pstore

This basically works pretty much the same as cgroup file systems from a
SELinux perspective

Make sure that the installed /sys/fs/pstore directory is labeled
properly so that the pstore file system can be mounted on it

I also removed the files_type() calls as they are duplicate (it is
already called in files_mountpoint)

Signed-off-by: Dominick Grift <[email protected]>
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 3d67e80..d7c11a0 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -11,9 +11,11 @@
/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
/lib/udev/devices/shm/.* <<none>>

-# for systemd systems:
-/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/sys/fs/cgroup/.* <<none>>
+/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+/sys/fs/cgroup/.* <<none>>
+
+/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
+/sys/fs/pstore/.* <<none>>

ifdef(`distro_debian',`
/var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
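Review bot: The new `/sys/fs/pstore` entry, like the `/sys/fs/cgroup` entry next to it, only takes effect if something relabels that directory, because sysfs itself is labeled through genfscon rather than through file contexts; the follow-up mail says the directories already exist and must be labeled before mounting, but the patch does not say which component performs that relabel. If it is the init system's mount-time label fix, a comment on the entry such as `# relabeled by init before the pstore filesystem is mounted here` would record the assumption, since the removed `# for systemd systems:` comment was the only hint of that dependency.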
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1c66416..8f1fc04 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -70,9 +70,8 @@

type cgroup_t;
fs_type(cgroup_t)
-files_type(cgroup_t)
files_mountpoint(cgroup_t)
-dev_associate_sysfs(cgroup_t) # only for systemd systems
+dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)

type configfs_t;
@@ -125,6 +124,12 @@
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)

+type pstore_t;
+fs_type(pstore_t)
+files_mountpoint(pstore_t)
+dev_associate_sysfs(pstore_t)
+genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
+
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
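Review bot: The new `type pstore_t;` declaration carries no comment saying what the filesystem holds, and the patch adds no filesystem.if interfaces for it, so no other module can read or clear the records that land there. A one-line comment above the declaration, `# pstore: platform persistent storage for kernel crash records (Documentation/ABI/testing/pstore)`, would tie the type to the ABI document cited in the commit message. If omitting the interfaces is deliberate for an initial patch, saying so in the commit message would help; since the records pstore exposes are kernel log output captured at crash time, whichever domain is later granted access should get a narrow read/delete interface for pstore_t rather than blanket access via fs_type.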


2013-09-11 08:55:42

by dominick.grift

Subject: [refpolicy] [PATCH] [V2] Initial pstore support

On Wed, 2013-09-11 at 10:53 +0200, Dominick Grift wrote:
> Generic interface to platform dependent persistent storage
> https://www.kernel.org/doc/Documentation/ABI/testing/pstore
>
> This basically works pretty much the same as cgroup file systems from a
> SELinux perspective
>
> Make sure that the installed /sys/fs/pstore directory is labeled
> properly so that the pstore file system can be mounted on that
>
> I also removed the files_type() calls as they are duplicate (it is
> already called in files_mountpoint)
>
> Signed-off-by: Dominick Grift <[email protected]>

We need an explicit fc spec for the /sys/fs/pstore and /sys/fs/cgroup
directories because those directories are already there and we want to be
able to mount on them, so they need to be labeled properly

> diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
> index 3d67e80..d7c11a0 100644
> --- a/policy/modules/kernel/filesystem.fc
> +++ b/policy/modules/kernel/filesystem.fc
> @@ -11,9 +11,11 @@
> /lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> /lib/udev/devices/shm/.* <<none>>
>
> -# for systemd systems:
> -/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> -/sys/fs/cgroup/.* <<none>>
> +/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> +/sys/fs/cgroup/.* <<none>>
> +
> +/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
> +/sys/fs/pstore/.* <<none>>
>
> ifdef(`distro_debian',`
> /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 1c66416..8f1fc04 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -70,9 +70,8 @@
>
> type cgroup_t;
> fs_type(cgroup_t)
> -files_type(cgroup_t)
> files_mountpoint(cgroup_t)
> -dev_associate_sysfs(cgroup_t) # only for systemd systems
> +dev_associate_sysfs(cgroup_t)
> genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>
> type configfs_t;
> @@ -125,6 +124,12 @@
> fs_type(oprofilefs_t)
> genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
>
> +type pstore_t;
> +fs_type(pstore_t)
> +files_mountpoint(pstore_t)
> +dev_associate_sysfs(pstore_t)
> +genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
> +
> type ramfs_t;
> fs_type(ramfs_t)
> files_mountpoint(ramfs_t)

2013-09-23 18:41:10

by cpebenito

Subject: [refpolicy] [PATCH] [V2] Initial pstore support

On 09/11/2013 04:53 AM, Dominick Grift wrote:
>
> Generic interface to platform dependent persistent storage
> https://www.kernel.org/doc/Documentation/ABI/testing/pstore
>
> This basically works pretty much the same as cgroup file systems from a
> SELinux perspective
>
> Make sure that the installed /sys/fs/pstore directory is labeled
> properly so that the pstore file system can be mounted on that
>
> I also removed the files_type() calls as they are duplicate (it is
> already called in files_mountpoint)

Merged.


> Signed-off-by: Dominick Grift <[email protected]>
> diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
> index 3d67e80..d7c11a0 100644
> --- a/policy/modules/kernel/filesystem.fc
> +++ b/policy/modules/kernel/filesystem.fc
> @@ -11,9 +11,11 @@
> /lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> /lib/udev/devices/shm/.* <<none>>
>
> -# for systemd systems:
> -/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> -/sys/fs/cgroup/.* <<none>>
> +/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
> +/sys/fs/cgroup/.* <<none>>
> +
> +/sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
> +/sys/fs/pstore/.* <<none>>
>
> ifdef(`distro_debian',`
> /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 1c66416..8f1fc04 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -70,9 +70,8 @@
>
> type cgroup_t;
> fs_type(cgroup_t)
> -files_type(cgroup_t)
> files_mountpoint(cgroup_t)
> -dev_associate_sysfs(cgroup_t) # only for systemd systems
> +dev_associate_sysfs(cgroup_t)
> genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>
> type configfs_t;
> @@ -125,6 +124,12 @@
> fs_type(oprofilefs_t)
> genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
>
> +type pstore_t;
> +fs_type(pstore_t)
> +files_mountpoint(pstore_t)
> +dev_associate_sysfs(pstore_t)
> +genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
> +
> type ramfs_t;
> fs_type(ramfs_t)
> files_mountpoint(ramfs_t)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com