[selinux-policy: 1783/3172] trunk: filesystem patch from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:39:05 UTC 2010


commit 3d6e962dfa0d16c0d525a25d51def6645d91f839
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Aug 8 20:04:28 2007 +0000

    trunk: filesystem patch from dan

 policy/modules/kernel/filesystem.if |   57 +++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.te |    9 +++++-
 2 files changed, 65 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index dc1bd81..37fef67 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -271,6 +271,45 @@ interface(`fs_set_xattr_fs_quotas',`
 
 ########################################
 ## <summary>
+##	Read files on anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+########################################
+## <summary>
+##	Read and write files on anon_inodefs
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
+')
+
+########################################
+## <summary>
 ##	Mount an automount pseudo filesystem.
 ## </summary>
 ## <param name="domain">
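Review bot: Both new `gen_require` blocks carry a stray blank line between the `type anon_inodefs_t;` declaration and the closing `')`, which the rest of the file (and the `fs_unmount_fusefs` interface added later in this patch) does not do; drop the blank line so the require reads `gen_require(` / `type anon_inodefs_t;` / `')`. Because the type is applied with a single `genfscon anon_inodefs /` in the .te hunk, `fs_rw_anon_inodefs_files` grants write access to every inode on that pseudo filesystem rather than to a specific file, so the `<summary>` should say so and callers should be kept to domains that demonstrably need it. As far as I recall anon_inodefs backs the kernel's anonymous file descriptors, which is worth stating in the summary so policy writers do not mistake it for an ordinary mountable filesystem; please confirm against the kernel before wording it.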
@@ -1192,6 +1231,24 @@ interface(`fs_mount_fusefs',`
 
 ########################################
 ## <summary>
+##      Unmount a FUSE filesystem.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_unmount_fusefs',`
+        gen_require(`
+                type fusefs_t;
+        ')
+
+        allow $1 fusefs_t:filesystem unmount;
+')
+
+########################################
+## <summary>
 ##	Search inotifyfs filesystem. 
 ## </summary>
 ## <param name="domain">
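Review bot: The new `fs_unmount_fusefs` interface is indented with spaces (eight-space body, space-padded `##` summary lines) while the surrounding file and the anon_inodefs interfaces in this same patch use tabs; normalize to tabs so the block matches its neighbours, e.g. `##\tUnmount a FUSE filesystem.` and `\tallow $1 fusefs_t:filesystem unmount;`. The interface otherwise follows the existing mount/unmount pairing suggested by the `fs_mount_fusefs` hunk header, so no functional change is needed.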
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index c297fcf..94b0b0d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem,1.7.0)
+policy_module(filesystem,1.7.1)
 
 ########################################
 #
@@ -43,6 +43,12 @@ fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
 #
 # Non-persistent/pseudo filesystems
 #
+
+type anon_inodefs_t;
+fs_type(anon_inodefs_t)
+files_mountpoint(anon_inodefs_t)
+genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
+
 type bdev_t;
 fs_type(bdev_t)
 genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
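Review bot: The new `anon_inodefs_t` declaration has no comment explaining what the filesystem is or why it gets `files_mountpoint` when the neighbouring pseudo-filesystem entry (`bdev_t`, just below) is only `fs_type` plus `genfscon`; add a one-line comment such as `# anon_inodefs: kernel-internal pseudo fs for anonymous inodes; labeled as a whole by genfscon` above the type line, adjusting the wording once confirmed against the kernel. If something is actually expected to mount on top of this filesystem the comment should name it, otherwise `files_mountpoint(anon_inodefs_t)` looks broader than needed and could be dropped; I am inferring the intent, so please check which case applies.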
@@ -139,6 +145,7 @@ type tmpfs_t;
 fs_type(tmpfs_t)
 files_type(tmpfs_t)
 files_mountpoint(tmpfs_t)
+files_poly_parent(tmpfs_t)
 
 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
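Review bot: `files_poly_parent(tmpfs_t)` is added without any mention in the commit message or a comment, and it is unrelated to the anon_inodefs and fusefs changes the rest of the patch makes; a short comment on the line, e.g. `# tmpfs may hold polyinstantiated directories`, or a sentence in the commit description would make the intent recoverable later. The enclosing tmpfs_t declaration starts before the hunk.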

