[selinux-policy: 250/3172] move fs_use and isids to respective modules
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:26:32 UTC 2010
commit cabfa520aa7d7595cb4a96717d7760878af3e592
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jun 2 15:39:10 2005 +0000
move fs_use and isids to respective modules
refpolicy/Makefile | 8 ++++++--
refpolicy/policy/modules/kernel/corenetwork.te | 4 +++-
refpolicy/policy/modules/kernel/devices.te | 1 +
refpolicy/policy/modules/kernel/filesystem.te | 24 ++++++++++++++++++++++++
refpolicy/policy/modules/kernel/kernel.te | 23 +++++++++++++++++++++++
refpolicy/policy/modules/kernel/terminal.te | 1 +
refpolicy/policy/modules/system/files.te | 1 +
7 files changed, 59 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 38e603c..631a2e3 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -102,7 +102,7 @@ ALL_LAYERS := $(filter-out tmp CVS $(APPCONF) $(FLASKDIR),$(DETECTED_DIRS))
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) mls
ALL_INTERFACES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.if))
ALL_TE_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.te))
-POST_TE_FILES := users constraints initial_sid_contexts fs_use
+POST_TE_FILES := users constraints
ALL_FC_FILES := $(foreach dir,$(ALL_LAYERS),$(wildcard $(dir)/*.fc))
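Review bot: Dropping `initial_sid_contexts` and `fs_use` from POST_TE_FILES here is not matched by a deletion in the diffstat at the top of the commit, so if those two source files still exist in the tree after this change they become dead copies that can drift from the per-module `sid`/`fs_use_*` statements without anyone noticing. They should be removed in the same change, or a short note should say where their content went. This is inferred from the file list alone; the rest of the tree is not visible here.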
@@ -213,8 +213,12 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
$(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
$(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
$(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
+ $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
+ $(QUIET) egrep '^fs_use_(xattr|task|trans)' tmp/all_te_files.conf >> tmp/all_post.conf || true
$(QUIET) grep ^genfscon tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) sed -e /^attribute/d -e '/^type /d' -e /^genfscon/d < tmp/all_te_files.conf > tmp/only_te_rules.conf
+ $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e /^genfscon/d \
+ -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
+ < tmp/all_te_files.conf > tmp/only_te_rules.conf
########################################
#
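Review bot: The `^fs_use_(xattr|task|trans)` pattern is now spelled twice, once in the egrep that hoists the lines into tmp/all_post.conf and once in the sed script that strips them from tmp/only_te_rules.conf; a future fs_use variant added to one but not the other would either be emitted twice or dropped entirely, and the same duplication exists for `^sid `. Factor each into a single variable, e.g. `FS_USE_RE := ^fs_use_(xattr|task|trans)`, then `egrep '$(FS_USE_RE)' tmp/all_te_files.conf` and `-e '/$(FS_USE_RE)/d'`. Both greps are anchored at column 0, so a `sid` or `fs_use_*` statement written inside an m4 `ifdef` block in a .te file would be hoisted out of its conditional unchanged; a comment above the grep stating that these statements must be unconditional and unindented would save the next contributor that surprise. `sed -r` is a GNU extension, so if a non-GNU sed ever matters `-E` is the safer spelling.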
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te
index c53416e..57e90d9 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te
+++ b/refpolicy/policy/modules/kernel/corenetwork.te
@@ -24,6 +24,7 @@ devices_make_device_node(tun_tap_device_t)
# port_t is the default type of INET port numbers.
#
type port_t, port_type;
+sid port context_template(system_u:object_r:port_t,s0)
#
# reserved_port_t is the type of INET port numbers below 1024.
@@ -94,6 +95,7 @@ portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
+sid node context_template(system_u:object_r:node_t,s0)
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
@@ -105,7 +107,6 @@ network_node(multicast, s0, ff00::, ff00::)
network_node(site_local, s0, fec0::, ffc0::)
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-
########################################
#
# Network Interfaces:
@@ -115,6 +116,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
# netif_t is the default type of network interfaces.
#
type netif_t, netif_type;
+sid netif context_template(system_u:object_r:netif_t,s0)
network_interface(lo, s0)
network_interface(eth0, s0)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index b1d442e..aece234 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -112,6 +112,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
type null_device_t, device_node;
filesystem_associate(null_device_t)
filesystem_tmpfs_associate(null_device_t)
+sid devnull context_template(system_u:object_r:null_device_t,s0)
#
# Type for /dev/pmu
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index f690ede..49a1893 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -9,6 +9,22 @@ attribute fs_type;
# filesystems with extended attributes
#
type fs_t, fs_type;
+sid fs context_template(system_u:object_r:fs_t,s0)
+
+# Use xattrs for the following filesystem types.
+# Requires that a security xattr handler exist for the filesystem.
+fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
+fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);
+
+# Use the allocating task SID to label inodes in the following filesystem
+# types, and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems that represent objects
+# like pipes and sockets, so that these objects are labeled with the same
+# type as the creating task.
+fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
+fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);
########################################
#
@@ -47,6 +63,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
type tmpfs_t, fs_type;
files_make_file(tmpfs_t)
+# Use a transition SID based on the allocating task SID and the
+# filesystem SID to label inodes in the following filesystem types,
+# and label the filesystem itself with the specified context.
+# This is appropriate for pseudo filesystems like devpts and tmpfs
+# where we want to label objects with a derived type.
+fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
+fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
+
allow tmpfs_t self:filesystem associate;
allow tmpfs_t autofs_t:filesystem associate;
allow tmpfs_t cifs_t:filesystem associate;
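Review bot: The comment above `fs_use_trans tmpfs` gives devpts as its example, but the devpts statement itself now lives next to `devpts_t` in terminal.te, so a reader looking for it here will not find it; either drop devpts from the example or append `# (devpts is declared alongside devpts_t in terminal.te)`. Also, in the first hunk the `fs_use_*` lines are `;`-terminated while the `sid` line directly above them is not; that is the correct grammar for both, but it reads like a typo, so a one-line comment above the first fs_use block such as `# fs_use_* statements are ';'-terminated; sid statements are not` would stop someone from "fixing" it.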
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 5d9cca6..915a4d9 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -20,6 +20,7 @@ attribute can_change_object_identity;
type kernel_t, can_load_kernmodule, can_load_policy;
role system_r types kernel_t;
domain_make_domain(kernel_t)
+sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
#
# unlabeled_t is the type of unlabeled objects.
@@ -27,6 +28,26 @@ domain_make_domain(kernel_t)
# have labels that are no longer valid are treated as having this type.
#
type unlabeled_t;
+sid unlabeled context_template(system_u:object_r:unlabeled_t,s0)
+
+# These initial sids are no longer used, and can be removed:
+sid any_socket context_template(system_u:object_r:unlabeled_t,s0)
+sid file_labels context_template(system_u:object_r:unlabeled_t,s0)
+sid icmp_socket context_template(system_u:object_r:unlabeled_t,s0)
+sid igmp_packet context_template(system_u:object_r:unlabeled_t,s0)
+sid init context_template(system_u:object_r:unlabeled_t,s0)
+sid kmod context_template(system_u:object_r:unlabeled_t,s0)
+sid netmsg context_template(system_u:object_r:unlabeled_t,s0)
+sid policy context_template(system_u:object_r:unlabeled_t,s0)
+sid scmp_packet context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_modprobe context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_fs context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_kernel context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_net_unix context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_vm context_template(system_u:object_r:unlabeled_t,s0)
+sid sysctl_dev context_template(system_u:object_r:unlabeled_t,s0)
+sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0)
#
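Review bot: The comment introducing this block says these initial SIDs "are no longer used, and can be removed", yet the same commit adds a context for all seventeen of them; as far as I recall the kernel rejects a policy in which a declared initial SID has no context, so they cannot be removed here while they remain declared in the flask `initial_sids` file (listed in PRE_TE_FILES in the Makefile, not part of this diff). The comment should state the real constraint, e.g. `# Unused initial SIDs: a context is still mandatory while they are declared in flask/initial_sids, so remove both together.` Mapping them to unlabeled_t in the meantime is a sensible default. In the preceding hunk the kernel SID hard-codes the full MLS range `s0 - s9:c0.c127`; a short comment noting that this literal must track the sensitivity and category counts in the mls file would help whoever next changes the MLS configuration.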
# security_t is the target type when checking
@@ -35,6 +56,7 @@ type unlabeled_t;
#
type security_t;
filesystem_make_filesystem(security_t)
+sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
#
@@ -95,6 +117,7 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys directory, base directory of sysctls
type sysctl_t;
files_make_mountpoint(sysctl_t)
+sid sysctl context_template(system_u:object_r:sysctl_t,s0)
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
# /proc/sys/fs directory and files
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 34d8433..7f6654b 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -23,6 +23,7 @@ devices_make_device_node(console_device_t)
type devpts_t;
files_make_mountpoint(devpts_t)
filesystem_make_filesystem(devpts_t)
+fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
#
# devtty_t is the type of /dev/tty.
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 9bd3e6f..b22386d 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -40,6 +40,7 @@ type file_t, file_type, mountpoint;
filesystem_associate(file_t)
filesystem_noxattr_associate(file_t)
kernel_make_root_filesystem_mountpoint(file_t)
+sid file context_template(system_u:object_r:file_t,s0)
#
# home_root_t is the type for the directory where user home directories