From cbca03f51353d60877e11677d2c1366b64f69c43 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jun 28 2005 17:48:59 +0000 Subject: add lost_found_t manage, rename fs_type attribute to filesystem_type and rename fs_make_fs to fs_type --- diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index 302796e..8a45060 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -148,7 +148,7 @@ fs_associate_tmpfs(sound_device_t) # type sysfs_t; files_mountpoint(sysfs_t) -fs_make_fs(sysfs_t) +fs_type(sysfs_t) genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) # diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index e184f51..373bc0d 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -8,12 +8,12 @@ ## The type of the process performing this action. ## # -interface(`fs_make_fs',` +interface(`fs_type',` gen_require(` - attribute fs_type; + attribute filesystem_type; ') - typeattribute $1 fs_type; + typeattribute $1 filesystem_type; ') ######################################## @@ -31,7 +31,7 @@ interface(`fs_make_noxattr_fs',` attribute noxattrfs; ') - fs_make_fs($1) + fs_type($1) typeattribute $1 noxattrfs; ') @@ -1498,11 +1498,11 @@ interface(`fs_manage_tmpfs_block_devices',` # interface(`fs_mount_all_fs',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem mount; ') - allow $1 fs_type:filesystem mount; + allow $1 filesystem_type:filesystem mount; ') ######################################## @@ -1516,11 +1516,11 @@ interface(`fs_mount_all_fs',` # interface(`fs_remount_all_fs',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem remount; ') - allow $1 fs_type:filesystem remount; + allow $1 filesystem_type:filesystem remount; ') ######################################## @@ -1533,11 +1533,11 @@ interface(`fs_remount_all_fs',` # interface(`fs_unmount_all_fs',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem unmount; ') - allow $1 fs_type:filesystem unmount; + allow $1 filesystem_type:filesystem unmount; ') ######################################## @@ -1552,11 +1552,11 @@ interface(`fs_unmount_all_fs',` # interface(`fs_getattr_all_fs',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem getattr; ') - allow $1 fs_type:filesystem getattr; + allow $1 filesystem_type:filesystem getattr; ') ######################################## @@ -1570,11 +1570,11 @@ interface(`fs_getattr_all_fs',` # interface(`fs_dontaudit_getattr_all_fs',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem getattr; ') - dontaudit $1 fs_type:filesystem getattr; + dontaudit $1 filesystem_type:filesystem getattr; ') ######################################## @@ -1587,11 +1587,11 @@ interface(`fs_dontaudit_getattr_all_fs',` # interface(`fs_get_all_fs_quotas',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem quotaget; ') - allow $1 fs_type:filesystem quotaget; + allow $1 filesystem_type:filesystem quotaget; ') ######################################## @@ -1604,11 +1604,11 @@ interface(`fs_get_all_fs_quotas',` # interface(`fs_set_all_quotas',` gen_require(` - attribute fs_type; + attribute filesystem_type; class filesystem quotamod; ') - allow $1 fs_type:filesystem quotamod; + allow $1 filesystem_type:filesystem quotamod; ') ######################################## @@ -1617,7 +1617,7 @@ interface(`fs_set_all_quotas',` # interface(`fs_getattr_all_files',` gen_require(` - attribute fs_type; + attribute filesystem_type; class dir { search getattr }; class file getattr; class lnk_file getattr; @@ -1625,10 +1625,10 @@ interface(`fs_getattr_all_files',` class sock_file getattr; ') - allow $1 fs_type:dir { search getattr }; - allow $1 fs_type:file getattr; - allow $1 fs_type:lnk_file getattr; - allow $1 fs_type:fifo_file getattr; - allow $1 fs_type:sock_file getattr; + allow $1 filesystem_type:dir { search getattr }; + allow $1 filesystem_type:file getattr; + allow $1 filesystem_type:lnk_file getattr; + allow $1 filesystem_type:fifo_file getattr; + allow $1 filesystem_type:sock_file getattr; ') diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index 5a8b530..42edcd8 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te @@ -1,7 +1,7 @@ policy_module(filesystem,1.0) -attribute fs_type; +attribute filesystem_type; attribute noxattrfs; ######################################## @@ -9,7 +9,7 @@ attribute noxattrfs; # fs_t is the default type for persistent # filesystems with extended attributes # -type fs_t, fs_type; +type fs_t, filesystem_type; sid fs context_template(system_u:object_r:fs_t,s0) # Use xattrs for the following filesystem types. @@ -31,37 +31,37 @@ fs_use_task sockfs context_template(system_u:object_r:fs_t,s0); # # Non-persistent/pseudo filesystems # -type bdev_t, fs_type; +type bdev_t, filesystem_type; genfscon bdev / context_template(system_u:object_r:bdev_t,s0) -type binfmt_misc_fs_t, fs_type; +type binfmt_misc_fs_t, filesystem_type; genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0) -type eventpollfs_t, fs_type; +type eventpollfs_t, filesystem_type; genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0) -type futexfs_t, fs_type; +type futexfs_t, filesystem_type; genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0) -type nfsd_fs_t, fs_type; +type nfsd_fs_t, filesystem_type; genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0) -type ramfs_t, fs_type; +type ramfs_t, filesystem_type; allow ramfs_t self:filesystem associate; genfscon ramfs / context_template(system_u:object_r:ramfs_t,s0) -type romfs_t, fs_type; +type romfs_t, filesystem_type; allow romfs_t self:filesystem associate; genfscon romfs / context_template(system_u:object_r:romfs_t,s0) genfscon cramfs / context_template(system_u:object_r:romfs_t,s0) -type rpc_pipefs_t, fs_type; +type rpc_pipefs_t, filesystem_type; genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0) # # tmpfs_t is the type for tmpfs filesystems # -type tmpfs_t, fs_type; +type tmpfs_t, filesystem_type; files_file_type(tmpfs_t) # Use a transition SID based on the allocating task SID and the @@ -79,7 +79,7 @@ allow tmpfs_t noxattrfs:filesystem associate; # # Filesystems without extended attribute support # -type autofs_t, fs_type, noxattrfs; +type autofs_t, filesystem_type, noxattrfs; allow autofs_t self:filesystem associate; genfscon autofs / context_template(system_u:object_r:autofs_t,s0) genfscon automount / context_template(system_u:object_r:autofs_t,s0) @@ -88,7 +88,7 @@ genfscon automount / context_template(system_u:object_r:autofs_t,s0) # cifs_t is the type for filesystems and their # files shared from Windows servers # -type cifs_t alias sambafs_t, fs_type, noxattrfs; +type cifs_t alias sambafs_t, filesystem_type, noxattrfs; allow cifs_t self:filesystem associate; genfscon cifs / context_template(system_u:object_r:cifs_t,s0) genfscon smbfs / context_template(system_u:object_r:cifs_t,s0) @@ -97,7 +97,7 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0) # dosfs_t is the type for fat and vfat # filesystems and their files. # -type dosfs_t, fs_type, noxattrfs; +type dosfs_t, filesystem_type, noxattrfs; allow dosfs_t self:filesystem associate; genfscon vfat / context_template(system_u:object_r:dosfs_t,s0) genfscon msdos / context_template(system_u:object_r:dosfs_t,s0) @@ -108,7 +108,7 @@ genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0) # iso9660_t is the type for CD filesystems # and their files. # -type iso9660_t, fs_type, noxattrfs; +type iso9660_t, filesystem_type, noxattrfs; allow iso9660_t self:filesystem associate; genfscon iso9660 / context_template(system_u:object_r:iso9660_t,s0) genfscon udf / context_template(system_u:object_r:iso9660_t,s0) @@ -116,14 +116,14 @@ genfscon udf / context_template(system_u:object_r:iso9660_t,s0) # # removable_t is the default type of all removable media # -type removable_t, fs_type, noxattrfs; +type removable_t, filesystem_type, noxattrfs; allow removable_t noxattrfs:filesystem associate; # # nfs_t is the default type for NFS file systems # and their files. # -type nfs_t, fs_type, noxattrfs; +type nfs_t, filesystem_type, noxattrfs; files_mountpoint(nfs_t) allow nfs_t self:filesystem associate; genfscon nfs / context_template(system_u:object_r:nfs_t,s0) diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index bc938cf..80398fe 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -55,7 +55,7 @@ sid tcp_socket context_template(system_u:object_r:unlabeled_t,s0) type proc_t; files_mountpoint(proc_t) -fs_make_fs(proc_t) +fs_type(proc_t) genfscon proc / context_template(system_u:object_r:proc_t,s0) genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0) diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te index 69f6e10..25c104a 100644 --- a/refpolicy/policy/modules/kernel/selinux.te +++ b/refpolicy/policy/modules/kernel/selinux.te @@ -12,6 +12,6 @@ policy_module(selinux,1.0) # applied to selinuxfs inodes. # type security_t; -fs_make_fs(security_t) +fs_type(security_t) sid security context_template(system_u:object_r:security_t,s0) genfscon selinuxfs / context_template(system_u:object_r:security_t,s0) diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 83bedfc..ce98f3d 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te @@ -22,7 +22,7 @@ dev_node(console_device_t) # type devpts_t; files_mountpoint(devpts_t) -fs_make_fs(devpts_t) +fs_type(devpts_t) fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0); # diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 30d7443..9f70fef 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -747,9 +747,9 @@ interface(`files_manage_isid_type_chr_node',` ') ######################################## -## -## Get listing home home directories. -## +## +## Get listing of home directories. +## ## ## The type of the process performing this action. ## @@ -764,6 +764,32 @@ interface(`files_list_home',` ') ######################################## +## +## Create, read, write, and delete objects in +## lost+found directories. +## +## +## The type of the process performing this action. +## +# +interface(`files_manage_lost_found',` + gen_require(` + type lost_found_t; + class dir create_dir_perms; + class file create_file_perms; + class sock_file create_file_perms; + class fifo_file create_file_perms; + class lnk_file create_lnk_perms; + ') + + allow $1 lost_found_t:dir create_dir_perms; + allow $1 lost_found_t:file create_file_perms; + allow $1 lost_found_t:sock_file create_file_perms; + allow $1 lost_found_t:fifo_file create_file_perms; + allow $1 lost_found_t:lnk_file create_lnk_perms; +') + +######################################## # # files_search_mnt(domain) # diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te index 1ce9c12..17eae07 100644 --- a/refpolicy/policy/modules/system/fstools.te +++ b/refpolicy/policy/modules/system/fstools.te @@ -75,6 +75,7 @@ files_list_home(fsadm_t) files_read_usr_files(fsadm_t) files_read_generic_etc_files(fsadm_t) files_list_mnt(fsadm_t) +files_manage_lost_found(fsadm_t) # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) # Access to /initrd devices @@ -122,11 +123,6 @@ allow fsadm_t default_t:notdevfile_class_set r_file_perms; # mkreiserfs needs this allow fsadm_t proc_t:filesystem getattr; -# Access lost+found. -allow fsadm_t lost_found_t:dir create_dir_perms; -allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms; -allow fsadm_t lost_found_t:lnk_file create_lnk_perms; - allow fsadm_t file_t:dir { search read getattr rmdir create }; # Recreate /mnt/cdrom.