[selinux-policy: 2648/3172] Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:55:27 UTC 2010


commit 03a6e03926157381a7a95b0bc386feef4f9a5442
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon May 3 11:17:16 2010 -0400

    Add kernel access to devtmpfs.  Also add workaround while devtmpfs is tmpfs_t instead of device_t.

 policy/modules/kernel/devices.if |   87 ++++++++++++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te |    2 +-
 policy/modules/kernel/kernel.te  |   11 ++++-
 3 files changed, 95 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 1b72daa..6bab252 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -407,7 +407,7 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
 
 ########################################
 ## <summary>
-##	Allow read, write, and create for generic character device files.
+##	Create generic block device files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -415,12 +415,30 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
 ##	</summary>
 ## </param>
 #
-interface(`dev_create_generic_chr_files',`
+interface(`dev_create_generic_blk_files',`
 	gen_require(`
 		type device_t;
 	')
 
-	create_chr_files_pattern($1, device_t, device_t)
+	create_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+##	Delete generic block device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	delete_blk_files_pattern($1, device_t, device_t)
 ')
 
 ########################################
@@ -497,6 +515,42 @@ interface(`dev_rw_generic_chr_files',`
 
 ########################################
 ## <summary>
+##	Create generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	create_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
+##	Delete generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the attributes
 ##	of symbolic links in device directories (/dev).
 ## </summary>
@@ -711,6 +765,33 @@ interface(`dev_filetrans',`
 
 ########################################
 ## <summary>
+##	Create, read, and write device nodes. The node
+##	will be transitioned to the type provided.  This is
+##	a temporary interface until devtmpfs functionality
+##	fixed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="objectclass(es)">
+##	<summary>
+##	Object class(es) (single or set including {}) for which this
+##	the transition will occur.
+##	</summary>
+## </param>
+#
+interface(`dev_tmpfs_filetrans_dev',`
+	gen_require(`
+		type device_t;
+	')
+
+	fs_tmpfs_filetrans($1, device_t, $2)
+')
+
+########################################
+## <summary>
 ##	Getattr on all block file device nodes.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 1586fbb..72311a4 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.9.3)
+policy_module(devices, 1.9.4)
 
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3ef6a62..1923f55 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.11.3)
+policy_module(kernel, 1.11.4)
 
 ########################################
 #
@@ -248,6 +248,15 @@ corenet_send_all_packets(kernel_t)
 
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
+# devtmpfs handling:
+dev_create_generic_dirs(kernel_t)
+dev_delete_generic_dirs(kernel_t)
+dev_create_generic_blk_files(kernel_t)
+dev_delete_generic_blk_files(kernel_t)
+dev_create_generic_chr_files(kernel_t)
+dev_delete_generic_chr_files(kernel_t)
+# work around until devtmpfs has device_t type
+dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
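Review bot: The workaround line `dev_tmpfs_filetrans_dev(kernel_t, { dir blk_file chr_file })` is keyed on the generic tmpfs_t type (via fs_tmpfs_filetrans), so the transition presumably applies to nodes kernel_t creates on any tmpfs_t mount, not only devtmpfs; that is wider than the comment suggests and worth stating so it is not mistaken for a devtmpfs-only rule. I would expand the comment to `# work around until devtmpfs has device_t type: transitions kernel-created dirs/device nodes on any tmpfs_t mount to device_t; remove together with dev_tmpfs_filetrans_dev once devtmpfs is labeled device_t`. The delete interfaces added above it (dev_delete_generic_dirs through dev_delete_generic_chr_files) are also new kernel_t privileges on the real /dev, which is consistent with devtmpfs node removal but deserves a word in the comment block rather than the bare `# devtmpfs handling:` label.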

