[selinux-policy: 2815/3172] Early devtmpfs access

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:10:34 UTC 2010


commit 2fc79f1ef4f3928c3d33b20c3274e87ae148b5f6
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Wed Aug 18 11:36:35 2010 -0400

    Early devtmpfs access
    
    dontaudit attempts to read/write device_t chr files occurring before udev relabel
    allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined)
    
    Signed-off-by: Jeremy Solt <jsolt at tresys.com>

 policy/modules/admin/readahead.te |    2 ++
 policy/modules/kernel/devices.if  |   18 ++++++++++++++++++
 policy/modules/system/hostname.te |    2 ++
 policy/modules/system/init.te     |    4 ++++
 policy/modules/system/mount.te    |    3 +++
 5 files changed, 29 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
index c5c7852..f7d3b90 100644
--- a/policy/modules/admin/readahead.te
+++ b/policy/modules/admin/readahead.te
@@ -45,6 +45,8 @@ dev_getattr_all_blk_files(readahead_t)
 dev_dontaudit_read_all_blk_files(readahead_t)
 dev_dontaudit_getattr_memory_dev(readahead_t)
 dev_dontaudit_getattr_nvram_dev(readahead_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(readahead_t)
 
 domain_use_interactive_fds(readahead_t)
 domain_read_all_domains_state(readahead_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fec4d40..8b09281 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -552,6 +552,24 @@ interface(`dev_rw_generic_chr_files',`
 
 ########################################
 ## <summary>
+##	Dontaudit attempts to read/write generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create generic character device files.
 ## </summary>
 ## <param name="domain">
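Review bot: The new interface's summary does not tell a caller when it is appropriate; the "before udev relabel" rationale lives only in the commit message, yet the `.if` doc is where the next policy author will look before reusing it on some unrelated domain. It also says "read/write" while the rule suppresses the whole `rw_chr_file_perms` set on every `device_t` chr node, which in refpolicy's permission sets also covers ioctl, append and lock (worth confirming against obj_perm_sets.spt), so a real misbehaving ioctl on an unlabeled node would be silenced too. I would extend the summary to: `Dontaudit attempts to read/write generic character device files (device_t). Intended for domains that may touch devtmpfs nodes before udev relabels them; note the suppressed set is rw_chr_file_perms, not just read/write.` The interface body itself is complete within the hunk and looks correct.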
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index b9efd1b..e384dcd 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -25,6 +25,8 @@ kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
 
 dev_read_sysfs(hostname_t)
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(hostname_t)
 
 domain_use_interactive_fds(hostname_t)
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 74c0c76..f8b4bad 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -119,6 +119,8 @@ corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
 
 dev_read_sysfs(init_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
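Review bot: The comment `# Early devtmpfs` on the new `dev_rw_generic_chr_files(init_t)` line reads as if the access were bounded to early boot, but an `allow` in the loaded policy has no time bound: any chr node that keeps the generic `device_t` label after udev runs stays read/writable by `init_t` for the life of the system. The three other files in this commit use `dontaudit` for the same situation and carry the fuller `# Early devtmpfs, before udev relabel` wording; this hunk should at least match that and say the rule is permanent. Suggested comment: `# Early devtmpfs: nodes are device_t until udev relabels them. This allow is not time-bounded; any chr node left as device_t stays rw to init_t.` The rest of the init_t rule block continues outside the hunk.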
@@ -296,6 +298,8 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
+# Early devtmpfs
+dev_rw_generic_chr_files(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
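Review bot: Granting `dev_rw_generic_chr_files(initrc_t)` is the broadest change in this commit and the commit message only says it is "necessary to boot without unconfined": `initrc_t` runs every init script, so this lets all of them read and write any character device that still carries the generic `device_t` label, which includes devices udev never relabels because no rule matches, not just the pre-relabel devtmpfs window the comment describes. If the nodes touched before the relabel are a known small set, giving them a dedicated type (or a more specific dev interface) would be considerably narrower than blanket rw on `device_t`; if not, the comment should record why the broad rule is required so a later reviewer does not tighten it blindly. Either way the comment should mirror the other files and state that the allow is permanent, e.g. `# Early devtmpfs, before udev relabel (allow is not time-bounded)`. The initrc_t rule block continues beyond the hunk boundary.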
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index ee6520c..280a534 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -60,6 +60,9 @@ dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 
+# Early devtmpfs, before udev relabel
+dev_dontaudit_rw_generic_chr_files(mount_t)
+
 domain_use_interactive_fds(mount_t)
 
 files_search_all(mount_t)

