[selinux-policy: 2309/3172] Filesystem patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:25:00 UTC 2010 

commit f4b9dc3b00f7106852fe745a48b9cf9218e0d5e3
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Nov 23 13:16:28 2009 -0500

    Filesystem patch from Dan Walsh.

 policy/modules/kernel/filesystem.fc |    2 +-
 policy/modules/kernel/filesystem.if |  224 +++++++++++++++++++++++++++++++++-
 policy/modules/kernel/filesystem.te |   14 ++-
 3 files changed, 227 insertions(+), 13 deletions(-)
---
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
index 7be4ddf..b029773 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
@@ -1 +1 @@
-# This module currently does not have any file contexts.
+/dev/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index b2c058a..eb723b4 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -310,6 +310,26 @@ interface(`fs_rw_anon_inodefs_files',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read or write files on
+##	anon_inodefs file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_rw_anon_inodefs_files',`
+	gen_require(`
+		type anon_inodefs_t;
+
+	')
+
+	dontaudit $1 anon_inodefs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Mount an automount pseudo filesystem.
 ## </summary>
 ## <param name="domain">
@@ -462,7 +482,7 @@ interface(`fs_manage_autofs_symlinks',`
 ########################################
 ## <summary>
 ##	Get the attributes of directories on
-##	binfmt_misc filesystems. 
+##	binfmt_misc filesystems.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1149,6 +1169,44 @@ interface(`fs_cifs_domtrans',`
 	domain_auto_transition_pattern($1, cifs_t, $2)
 ')
 
+#######################################
+## <summary>
+##	Create, read, write, and delete dirs
+##	on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_configfs_dirs',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	manage_dirs_pattern($1, configfs_t, configfs_t)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_configfs_files',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	manage_files_pattern($1, configfs_t, configfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount a DOS filesystem, such as
@@ -1248,7 +1306,7 @@ interface(`fs_relabelfrom_dos_fs',`
 
 ########################################
 ## <summary>
-##	Search dosfs filesystem. 
+##	Search dosfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1537,7 +1595,25 @@ interface(`fs_rw_hugetlbfs_files',`
 
 ########################################
 ## <summary>
-##	Search inotifyfs filesystem. 
+##	Allow the type to associate to hugetlbfs filesystems.
+## </summary>
+## <param name="type">
+##	<summary>
+##	The type of the object to be associated.
+##	</summary>
+## </param>
+#
+interface(`fs_associate_hugetlbfs',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $1 hugetlbfs_t:filesystem associate;
+')
+
+########################################
+## <summary>
+##	Search inotifyfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1555,7 +1631,7 @@ interface(`fs_search_inotifyfs',`
 
 ########################################
 ## <summary>
-##	List inotifyfs filesystem. 
+##	List inotifyfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2542,6 +2618,42 @@ interface(`fs_search_nfsd_fs',`
 
 ########################################
 ## <summary>
+##	List NFS server directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	allow $1 nfsd_fs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Getattr files on an nfsd filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_nfsd_files',`
+	gen_require(`
+		type nfsd_fs_t;
+	')
+
+	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
+')
+
+########################################
+## <summary>
 ##	Read and write NFS server files.
 ## </summary>
 ## <param name="domain">
@@ -2687,7 +2799,7 @@ interface(`fs_dontaudit_search_ramfs',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete 
+##	Create, read, write, and delete
 ##	directories on a ramfs.
 ## </summary>
 ## <param name="domain">
@@ -2779,7 +2891,7 @@ interface(`fs_write_ramfs_pipes',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to write to named 
+##	Do not audit attempts to write to named
 ##	pipes on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@@ -2816,7 +2928,7 @@ interface(`fs_rw_ramfs_pipes',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete 
+##	Create, read, write, and delete
 ##	named pipes on a ramfs filesystem.
 ## </summary>
 ## <param name="domain">
@@ -3572,6 +3684,104 @@ interface(`fs_manage_tmpfs_blk_files',`
 
 ########################################
 ## <summary>
+##	Mount a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_xenfs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete directories
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_dirs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create, read,
+##	write, and delete directories
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_dirs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	dontaudit $1 xenfs_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete files
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_manage_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	manage_files_pattern($1, xenfs_t, xenfs_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to create,
+##	read, write, and delete files
+##	on a XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_manage_xenfs_files',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	dontaudit $1 xenfs_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Mount all filesystems.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 9821410..12272e5 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
 
-policy_module(filesystem, 1.12.0)
+policy_module(filesystem, 1.12.1)
 
 ########################################
 #
@@ -38,7 +38,7 @@ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 # types, and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems that represent objects
 # like pipes and sockets, so that these objects are labeled with the same
-# type as the creating task.  
+# type as the creating task.
 fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
 fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
@@ -93,7 +93,7 @@ genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 type hugetlbfs_t;
 fs_type(hugetlbfs_t)
 files_mountpoint(hugetlbfs_t)
-genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
+fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
@@ -174,6 +174,11 @@ fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
 
 allow tmpfs_t noxattrfs:filesystem associate;
 
+type xenfs_t;
+fs_noxattr_type(xenfs_t)
+files_mountpoint(xenfs_t)
+genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
+
 ##############################
 #
 # Filesystems without extended attribute support
@@ -250,7 +255,6 @@ genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
 genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
-genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
 genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
 
 ########################################
@@ -275,7 +279,7 @@ fs_associate_noxattr(noxattrfs)
 
 allow filesystem_unconfined_type filesystem_type:filesystem *;
 
-# Create/access other files.  fs_type is to pick up various
+# Create/access other files. fs_type is to pick up various
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;

More information about the scm-commits mailing list