[selinux-policy: 250/3172] move fs_use and isids to respective modules

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:26:32 UTC 2010


commit cabfa520aa7d7595cb4a96717d7760878af3e592
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jun 2 15:39:10 2005 +0000

    move fs_use and isids to respective modules

 refpolicy/Makefile                             |    8 ++++++--
 refpolicy/policy/modules/kernel/corenetwork.te |    4 +++-
 refpolicy/policy/modules/kernel/devices.te     |    1 +
 refpolicy/policy/modules/kernel/filesystem.te  |   24 ++++++++++++++++++++++++
 refpolicy/policy/modules/kernel/kernel.te      |   23 +++++++++++++++++++++++
 refpolicy/policy/modules/kernel/terminal.te    |    1 +
 refpolicy/policy/modules/system/files.te       |    1 +
 7 files changed, 59 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 38e603c..631a2e3 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -102,7 +102,7 @@ ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))
 PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls
 ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
 ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
-POST_TE_FILES := users constraints initial_sid_contexts fs_use
+POST_TE_FILES := users constraints
 
 ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
 
@@ -213,8 +213,12 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 	$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
 	$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
 	$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+	$(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+	$(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
 	$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
-	$(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
+	$(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+			-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+			< tmp/all_te_files.conf > tmp/only_te_rules.conf
 
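Review bot: The `^sid ` and `^fs_use_(xattr|task|trans)` patterns are spelled twice in this hunk, once on the new egrep/grep extraction lines and again in the new sed `-e` deletions, so a later edit to one side can silently leave a statement in both `tmp/all_post.conf` and `tmp/only_te_rules.conf`, or in neither. One Make variable used by both, e.g. `POST_STMT_RE := ^sid |^fs_use_(xattr|task|trans)` with `egrep '$(POST_STMT_RE)' tmp/all_te_files.conf >> tmp/all_post.conf || true` and `sed -r -e '/$(POST_STMT_RE)/d' ...`, removes the drift. Both patterns are anchored at column 0, so a `sid` or `fs_use_*` line that a module indents would pass through untouched; a one-line recipe comment stating that these statements must start in column 0 would make that contract explicit. `sed -r` is a GNU sed extension, which is worth noting if the build is expected to run with another sed.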
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te
index c53416e..57e90d9 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te
+++ b/refpolicy/policy/modules/kernel/corenetwork.te
@@ -24,6 +24,7 @@ devices_make_device_node(tun_tap_device_t)
 # port_t is the default type of INET port numbers.
 #
 type port_t, port_type;
+sid port context_template(system_u:object_r:port_t,s0)
 
 #
 # reserved_port_t is the type of INET port numbers below 1024.
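Review bot: The new `sid port context_template(system_u:object_r:port_t,s0)` line is the context the kernel falls back to for a port number that no `portcon` statement covers, and the same holds for the `sid node` and `sid netif` lines added in the later hunks of this file; none of the three says so, and a reader who only sees the `portcon` lines below will not know when this one applies. A comment such as `# fallback label for ports not matched by any portcon` above each would make that clear. Style: the new lines write `,s0` with no space, while the existing `portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)` in the next hunk header writes `, s0`; pick one form for the file.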
@@ -94,6 +95,7 @@ portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
 # nodes in net_contexts or net_contexts.mls.
 #
 type node_t, node_type;
+sid node context_template(system_u:object_r:node_t,s0)
 
 network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
 network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
@@ -105,7 +107,6 @@ network_node(multicast, s0, ff00::, ff00::)
 network_node(site_local, s0, fec0::, ffc0::)
 network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 
-
 ########################################
 #
 # Network Interfaces:
@@ -115,6 +116,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 # netif_t is the default type of network interfaces.
 #
 type netif_t, netif_type;
+sid netif context_template(system_u:object_r:netif_t,s0)
 
 network_interface(lo, s0)
 network_interface(eth0, s0)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index b1d442e..aece234 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -112,6 +112,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
 type null_device_t, device_node;
 filesystem_associate(null_device_t)
 filesystem_tmpfs_associate(null_device_t)
+sid devnull context_template(system_u:object_r:null_device_t,s0)
 
 #
 # Type for /dev/pmu 
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index f690ede..49a1893 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -9,6 +9,22 @@ attribute fs_type;
 # filesystems with extended attributes
 #
 type fs_t, fs_type;
+sid fs context_template(system_u:object_r:fs_t,s0)
+
+# Use xattrs for the following filesystem types.
+# Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
+
+# Use the allocating task SID to label inodes in the following filesystem
+# types, and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems that represent objects
+# like pipes and sockets, so that these objects are labeled with the same
+# type as the creating task.  
+fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
+fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
 
 ########################################
 #
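Review bot: The comment line `# type as the creating task.  ` in the new `fs_use_task` block ends in two trailing spaces; trim them. The `fs_use_xattr` list is now the single place that names which filesystem types get persistent xattr labels under `fs_t`, so a one-line note above it, `# Add a filesystem here only after confirming it has a security xattr handler.`, would turn the existing "Requires that..." remark into an instruction for whoever extends the list next. The `sid fs` line and the four `fs_use_xattr` lines all use the same `fs_t` context, which reads as intended given the heading above the hunk.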
@@ -47,6 +63,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
 type tmpfs_t, fs_type;
 files_make_file(tmpfs_t)
 
+# Use a transition SID based on the allocating task SID and the
+# filesystem SID to label inodes in the following filesystem types,
+# and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems like devpts and tmpfs
+# where we want to label objects with a derived type.
+fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
+fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
+
 allow tmpfs_t self:filesystem associate;
 allow tmpfs_t autofs_t:filesystem associate;
 allow tmpfs_t cifs_t:filesystem associate;
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 5d9cca6..915a4d9 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -20,6 +20,7 @@ attribute can_change_object_identity;
 type kernel_t, can_load_kernmodule, can_load_policy;
 role system_r types kernel_t;
 domain_make_domain(kernel_t)
+sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
 
 #
 # unlabeled_t is the type of unlabeled objects.
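Review bot: `sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)` hard-codes the MLS high level `s9:c0.c127`, while every other sid this commit adds uses plain `s0`; those bounds are presumably the ones declared in the `mls` file that the Makefile lists in PRE_TE_FILES, so a change there would leave this range stale with no compile-time complaint. If no macro for the system-high level is available to this file, at least a comment above the line, `# kernel runs at the full MLS range; keep the high level in sync with the mls file`, would flag the coupling.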
@@ -27,6 +28,26 @@ domain_make_domain(kernel_t)
 # have labels that are no longer valid are treated as having this type.
 #
 type unlabeled_t;
+sid unlabeled context_template(system_u:object_r:unlabeled_t,s0)
+
+# These initial sids are no longer used, and can be removed:
+sid any_socket		context_template(system_u:object_r:unlabeled_t,s0)
+sid file_labels		context_template(system_u:object_r:unlabeled_t,s0)
+sid icmp_socket		context_template(system_u:object_r:unlabeled_t,s0)
+sid igmp_packet		context_template(system_u:object_r:unlabeled_t,s0)
+sid init		context_template(system_u:object_r:unlabeled_t,s0)
+sid kmod		context_template(system_u:object_r:unlabeled_t,s0)
+sid netmsg		context_template(system_u:object_r:unlabeled_t,s0)
+sid policy		context_template(system_u:object_r:unlabeled_t,s0)
+sid scmp_packet		context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_modprobe 	context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_fs		context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_kernel	context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net		context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net_unix	context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_vm		context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_dev		context_template(system_u:object_r:unlabeled_t,s0)
+sid tcp_socket		context_template(system_u:object_r:unlabeled_t,s0)
 
 # 
 # security_t is the target type when checking
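Review bot: The comment `# These initial sids are no longer used, and can be removed:` above the seventeen `unlabeled_t` sids says the opposite of what the hunk does, which is to add them; it should state why they are kept, presumably because the flask `initial_sids` file (still in PRE_TE_FILES) declares them and a declared initial sid needs a context for the policy to build. Suggested wording: `# Obsolete initial sids, still declared in flask/initial_sids; they keep` / `# unlabeled_t until they are dropped from that file.` Also the `sid sysctl_modprobe 	context_template(...)` line has a space before its tab where the neighbouring lines use tabs only, so its column alignment differs from the rest of the block.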
@@ -35,6 +56,7 @@ type unlabeled_t;
 #
 type security_t;
 filesystem_make_filesystem(security_t)
+sid security context_template(system_u:object_r:security_t,s0)
 genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
 
 #
@@ -95,6 +117,7 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
 # /proc/sys directory, base directory of sysctls
 type sysctl_t;
 files_make_mountpoint(sysctl_t)
+sid sysctl context_template(system_u:object_r:sysctl_t,s0)
 genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
 
 # /proc/sys/fs directory and files
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 34d8433..7f6654b 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -23,6 +23,7 @@ devices_make_device_node(console_device_t)
 type devpts_t;
 files_make_mountpoint(devpts_t)
 filesystem_make_filesystem(devpts_t)
+fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
 
 #
 # devtty_t is the type of /dev/tty.
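Review bot: `fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);` is the only fs_use statement in this file and, unlike the `fs_use_trans` block this same commit adds to filesystem.te, carries no explanation of the labeling rule. A short comment above it, `# pty inodes get a transition type derived from the allocating task and devpts_t (fs_use_trans)`, keeps the two files consistent for a reader who opens terminal.te on its own.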
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 9bd3e6f..b22386d 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -40,6 +40,7 @@ type file_t, file_type, mountpoint;
 filesystem_associate(file_t)
 filesystem_noxattr_associate(file_t)
 kernel_make_root_filesystem_mountpoint(file_t)
+sid file context_template(system_u:object_r:file_t,s0)
 
 #
 # home_root_t is the type for the directory where user home directories

