[selinux-policy: 1783/3172] trunk: filesystem patch from dan
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:39:05 UTC 2010
commit 3d6e962dfa0d16c0d525a25d51def6645d91f839
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Aug 8 20:04:28 2007 +0000
trunk: filesystem patch from dan
policy/modules/kernel/filesystem.if | 57 +++++++++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.te | 9 +++++-
2 files changed, 65 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index dc1bd81..37fef67 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -271,6 +271,45 @@ interface(`fs_set_xattr_fs_quotas',`
########################################
## <summary>
+## Read files on anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+########################################
+## <summary>
+## Read and write files on anon_inodefs
+## file systems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_anon_inodefs_files',`
+ gen_require(`
+ type anon_inodefs_t;
+
+ ')
+
+ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+########################################
+## <summary>
## Mount an automount pseudo filesystem.
## </summary>
## <param name="domain">
@@ -1192,6 +1231,24 @@ interface(`fs_mount_fusefs',`
########################################
## <summary>
+## Unmount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_unmount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
## Search inotifyfs filesystem.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index c297fcf..94b0b0d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.7.0)
+policy_module(filesystem,1.7.1)
########################################
#
@@ -43,6 +43,12 @@ fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
#
# Non-persistent/pseudo filesystems
#
+
+type anon_inodefs_t;
+fs_type(anon_inodefs_t)
+files_mountpoint(anon_inodefs_t)
+genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+
type bdev_t;
fs_type(bdev_t)
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
@@ -139,6 +145,7 @@ type tmpfs_t;
fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
+files_poly_parent(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
More information about the scm-commits
mailing list