RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Mark temporary block device as fixed_disk_device_t 

When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
get by default marked as device_t. However, in case of software raid devices,
the mdadm application (running in mdadm_t) does not hold the proper privileges
to access this for its auto-assembly of the raids.

Other block device applications, like blkid (running in fsadm_t) use these
temporary block devices as well, but already hold the necessary privileges on
device_t to continue their work.

By marking the temporary block device as a fixed_disk_device_t, all these block
device handling applications (such as blkid, but also mdadm) now hold the proper
privileges. Since udev is selinux-aware, the created files are immediately
restorecon'ed before the rules are applied.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
Sven Vermeulen 2011-11-15 10:45:45 +01:00 committed by Chris PeBenito
parent 98a85d1000
commit 1668ffb244
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/kernel/storage.fc
View File

@ -1,4 +1,4 @@
/dev/\.tmp-block-.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?(raw)?[qr]ft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?[hs]t[0-9].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0) /dev/n?z?qft[0-3] -c gen_context(system_u:object_r:tape_device_t,s0)