diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d3e0b61..078fc71 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -13,6 +13,38 @@ attribute fs_type;
 
 ########################################
 #
+# filesystem_associate(type,[`optional'])
+#
+define(`filesystem_associate',`
+requires_block_template(filesystem_associate_depend,$2)
+allow $1 fs_t:filesystem associate;
+')
+
+define(`filesystem_associate_depend',`
+type fs_t;
+class filesystem associate;
+')
+
+########################################
+#
+# filesystem_associate_noxattr(type,[`optional'])
+#
+define(`filesystem_associate_noxattr',`
+requires_block_template(filesystem_associate_noxattr_depend,$2)
+allow $1 autofs_t:filesystem associate;
+allow $1 cifs_t:filesystem associate;
+allow $1 dosfs_t:filesystem associate;
+allow $1 iso9660_t:filesystem associate;
+allow $1 nfs_t:filesystem associate;
+')
+
+define(`filesystem_associate_noxattr_depend',`
+type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t;
+class filesystem associate;
+')
+
+########################################
+#
 # filesystem_mount_persistent_filesystem(domain,[`optional'])
 #
 define(`filesystem_mount_persistent_filesystem',`
@@ -69,20 +101,6 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_associate(type,[`optional'])
-#
-define(`filesystem_associate',`
-requires_block_template(filesystem_associate_depend,$2)
-allow $1 fs_t:filesystem associate;
-')
-
-define(`filesystem_associate_depend',`
-type fs_t;
-class filesystem associate;
-')
-
-########################################
-#
 # filesystem_mount_automount_filesystem(domain,[`optional'])
 #
 define(`filesystem_mount_automount_filesystem',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index b8a9488..698cae3 100644
--- a/refpolicy/policy/modules/system/files.if
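Review bot: `filesystem_associate_noxattr_depend` in the first hunk lists `type fs_t` although the `filesystem_associate_noxattr` body only references autofs_t, cifs_t, dosfs_t, iso9660_t and nfs_t, so every caller inherits a requirement on fs_t that this macro never uses; `type nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t;` is sufficient, with fs_t staying in `filesystem_associate_depend`. The header comment gives only the signature, and because the rule lets the caller's type be assigned to objects on filesystems that carry no xattr labels, a reader of a caller cannot see the scope of the grant; add `# Allow the type to be associated with filesystems that do not support xattr labeling (autofs, cifs, dos, iso9660, nfs).` above the define. The second hunk only relocates the existing `filesystem_associate` block and needs no change.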
+++ b/refpolicy/policy/modules/system/files.if
@@ -6,11 +6,13 @@ define(`files_make_file',`
 requires_block_template(files_make_file_depend,$2)
 typeattribute $1 file_type;
 filesystem_associate($1,optional)
+filesystem_associate_noxattr($1,optional)
 ')
 
 define(`files_make_file_depend',`
 attribute file_type;
 filesystem_associate_depend
+filesystem_associate_noxattr_depend
 ')
 
 ########################################
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 614b3ed..5a82d12 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -8,12 +8,14 @@ attribute tmpfile;
 # other than the generic /.* specification.
 type default_t, file_type;
 filesystem_associate(default_t)
+filesystem_associate_noxattr(default_t)
 
 #
 # etc_t is the type of the system etc directories.
 #
 type etc_t, file_type;
 filesystem_associate(etc_t)
+filesystem_associate_noxattr(etc_t)
 
 #
 # etc_runtime_t is the type of various
@@ -22,6 +24,7 @@ filesystem_associate(etc_t)
 #
 type etc_runtime_t, file_type;
 filesystem_associate(etc_runtime_t)
+filesystem_associate_noxattr(etc_runtime_t)
 
 #
 # file_t is the default type of a file that has not yet been
@@ -30,6 +33,7 @@ filesystem_associate(etc_runtime_t)
 #
 type file_t, file_type;
 filesystem_associate(file_t)
+filesystem_associate_noxattr(file_t)
 kernel_make_root_filesystem_mountpoint(file_t)
 
 #
@@ -37,12 +41,14 @@ kernel_make_root_filesystem_mountpoint(file_t)
 #
 type removable_t, file_type;
 filesystem_associate(removable_t)
+filesystem_associate_noxattr(removable_t)
 
 #
 # root_t is the type for rootfs and the root directory.
 #
 type root_t, file_type;
 filesystem_associate(root_t)
+filesystem_associate_noxattr(root_t)
 kernel_read_directory_from(root_t)
 kernel_make_root_filesystem_mountpoint(root_t)
 genfscon rootfs / system_u:object_r:root_t
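Review bot: `files_make_file` now grants every type it creates association with all five non-xattr filesystems unconditionally, which removes the interface's ability to declare a type that should exist only on xattr-capable filesystems; if that distinction is wanted for some callers, keep `filesystem_associate($1,optional)` as the default and expose the noxattr grant through a separate interface or an extra parameter. The new `filesystem_associate_noxattr_depend` line in `files_make_file_depend` also makes every caller's requires block name nfs_t, cifs_t, dosfs_t, iso9660_t and autofs_t; that is presumably tolerable because the call is marked optional, but it is a widening of the interface's dependencies worth stating. A one-line comment above the new call, `# types made here may also be placed on filesystems without xattr support`, would record the intent for later readers.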
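Review bot: Each type declaration in files.te now carries the same two-line pair `filesystem_associate(X)` / `filesystem_associate_noxattr(X)`, repeated for seventeen types across the -8, -22, -30, -37, -53 and -108 hunks, and a type added later that receives only one of the two calls will silently differ in which filesystems may hold its files, with nothing in the file to flag it. If the build permits it, a small local m4 helper that expands to both calls, invoked once per type, would keep the pair from drifting; I cannot tell from these hunks whether files.te may define such a helper or call its own `files_make_file`. Failing that, a comment near the top of the file stating that every file type must appear in both calls would do.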
@@ -53,54 +59,63 @@ genfscon rootfs / system_u:object_r:root_t
 #
 type home_root_t, file_type;
 filesystem_associate(home_root_t)
+filesystem_associate_noxattr(home_root_t)
 
 #
 # lost_found_t is the type for the lost+found directories.
 #
 type lost_found_t, file_type;
 filesystem_associate(lost_found_t)
+filesystem_associate_noxattr(lost_found_t)
 
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
 type mnt_t, file_type;
 filesystem_associate(mnt_t)
+filesystem_associate_noxattr(mnt_t)
 
 #
 # src_t is the type of files in the system src directories.
 #
 type src_t, file_type;
 filesystem_associate(src_t)
+filesystem_associate_noxattr(src_t)
 
 #
 # tmp_t is the type of the temporary directories
 #
 type tmp_t, file_type, tmpfile;
 filesystem_associate(tmp_t)
+filesystem_associate_noxattr(tmp_t)
 
 #
 # usr_t is the type for /usr.
 #
 type usr_t, file_type;
 filesystem_associate(usr_t)
+filesystem_associate_noxattr(usr_t)
 
 #
 # var_t is the type of /var
 #
 type var_t, file_type;
 filesystem_associate(var_t)
+filesystem_associate_noxattr(var_t)
 
 #
 # var_lib_t is the type of /var/lib
 #
 type var_lib_t, file_type;
 filesystem_associate(var_lib_t)
+filesystem_associate_noxattr(var_lib_t)
 
 #
 # var_lock_t is tye type of /var/lock
 #
 type var_lock_t, file_type, lockfile;
 filesystem_associate(var_lock_t)
+filesystem_associate_noxattr(var_lock_t)
 
 #
 # var_run_t is the type of /var/run, usually
@@ -108,9 +123,11 @@ filesystem_associate(var_lock_t)
 #
 type var_run_t, file_type, pidfile;
 filesystem_associate(var_run_t)
+filesystem_associate_noxattr(var_run_t)
 
 #
 # var_spool_t is the type of /var/spool
 #
 type var_spool_t, file_type;
 filesystem_associate(var_spool_t)
+filesystem_associate_noxattr(var_spool_t)