diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index aa52f45..a2c146b 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -559,6 +559,218 @@ interface(`fs_register_binary_executable_type',` ######################################## ## +## Mount a cgroup filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mount_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem mount; +') + +######################################## +## +## Remount a cgroup filesystem This allows +## some mount options to be changed. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_remount_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem remount; +') + +######################################## +## +## Unmount a cgroup file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_unmount_cgroup', ` + gen_require(` + type cgroup_t; + ') + + allow $1 cgroup_t:filesystem unmount; +') + +######################################## +## +## Get the attributes of a cgroup filesystem. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_getattr_cgroup',` + gen_require(` + type cifs_t; + ') + + allow $1 cifs_t:filesystem getattr; +') + +######################################## +## +## list dirs on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_cgroup_dirs', ` + gen_require(` + type cgroup_t; + + ') + + list_dirs_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## +## Do not audit attempts to read +## dirs on a CIFS or SMB filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_list_cifs_dirs',` + gen_require(` + type cifs_t; + ') + + dontaudit $1 cifs_t:dir list_dir_perms; +') + +######################################## +## +## Manage dirs on cgroup file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_cgroup_dirs',` + gen_require(` + type cgroup_t; + + ') + + manage_dirs_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## +## Set attributes of files on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_setattr_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + setattr_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## +## Read files on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + read_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## +## Write files on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_write_cgroup_files', ` + gen_require(` + type cgroup_t; + + ') + + write_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## +## Read and write files on cgroup +## file systems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + rw_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## ## Mount a CIFS or SMB network filesystem. ## ## @@ -929,7 +1141,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') - dontaudit $1 cifs_t:file { read write }; + dontaudit $1 cifs_t:file rw_file_perms; ') ######################################## @@ -1482,6 +1694,25 @@ interface(`fs_search_fusefs',` ######################################## ## +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`fs_dontaudit_list_fusefs',` + gen_require(` + type fusefs_t; + ') + + dontaudit $1 fusefs_t:dir list_dir_perms; +') + +######################################## +## ## Create, read, write, and delete directories ## on a FUSEFS filesystem. ## @@ -1672,6 +1903,54 @@ interface(`fs_list_inotifyfs',` ######################################## ## +## Dontaudit List inotifyfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_list_inotifyfs',` + gen_require(` + type inotifyfs_t; + ') + + dontaudit $1 inotifyfs_t:dir list_dir_perms; +') + +######################################## +## +## Create an object in a hugetlbfs filesystem, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +# +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; + ') + + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3) +') + +######################################## +## ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## @@ -2092,6 +2371,24 @@ interface(`fs_read_nfs_symlinks',` read_lnk_files_pattern($1, nfs_t, nfs_t) ') +######################################## +## +## Dontaudit read symbolic links on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_dontaudit_read_nfs_symlinks',` + gen_require(` + type nfs_t; + ') + + dontaudit $1 nfs_t:lnk_file read_lnk_file_perms; +') + ######################################### ## ## Read named sockets on a NFS filesystem. @@ -3481,6 +3778,24 @@ interface(`fs_manage_auto_mountpoints',` ######################################## ## +## Read generic tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## ## Read and write generic tmpfs files. ## ## @@ -3725,6 +4040,24 @@ interface(`fs_mount_xenfs',` ######################################## ## +## Search the XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_search_xenfs',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:dir search_dir_perms; +') + +######################################## +## ## Create, read, write, and delete directories ## on a XENFS filesystem. ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 12272e5..5a49dea 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,5 +1,5 @@ -policy_module(filesystem, 1.12.1) +policy_module(filesystem, 1.12.2) ######################################## # @@ -29,6 +29,7 @@ fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); @@ -183,6 +184,7 @@ genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) # # Filesystems without extended attribute support # + type autofs_t; fs_noxattr_type(autofs_t) files_mountpoint(autofs_t) @@ -205,6 +207,7 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) # type dosfs_t; fs_noxattr_type(dosfs_t) +files_mountpoint(dosfs_t) allow dosfs_t fs_t:filesystem associate; genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) @@ -216,6 +219,7 @@ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) type fusefs_t; fs_noxattr_type(fusefs_t) +files_mountpoint(fusefs_t) allow fusefs_t self:filesystem associate; allow fusefs_t fs_t:filesystem associate; genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) @@ -228,6 +232,7 @@ genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0) # type iso9660_t; fs_noxattr_type(iso9660_t) +files_mountpoint(iso9660_t) genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) @@ -237,7 +242,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) -files_type(removable_t) +files_mountpoint(removable_t) # # nfs_t is the default type for NFS file systems