Filesystem patch from Dan Walsh.

2010-03-12 11:40:59 -05:00 · 2010-03-12 11:40:59 -05:00 · 7af0e9bc95
parent 9e506eb236
commit 7af0e9bc95
2 changed files with 341 additions and 3 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -557,6 +557,218 @@ interface(`fs_register_binary_executable_type',`
 	rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')

+########################################
+## <summary>
+##	Mount a cgroup filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_mount_cgroup', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:filesystem mount;
+')
+
+########################################
+## <summary>
+##	Remount a cgroup filesystem  This allows
+##	some mount options to be changed.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_remount_cgroup', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:filesystem remount;
+')
+
+########################################
+## <summary>
+##	Unmount a cgroup file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_unmount_cgroup', `
+	gen_require(`
+		type cgroup_t;
+	')
+
+	allow $1 cgroup_t:filesystem unmount;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a cgroup filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fs_getattr_cgroup',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	allow $1 cifs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+##      list dirs on cgroup
+##      file systems.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_list_cgroup_dirs', `
+        gen_require(`
+                type cgroup_t;
+
+        ')
+
+        list_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	dirs on a CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+	gen_require(`
+		type cifs_t;
+	')
+
+	dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Manage dirs on cgroup file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_cgroup_dirs',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	manage_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Set attributes of files on cgroup
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_setattr_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	setattr_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Read files on cgroup
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	read_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Write files on cgroup
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_write_cgroup_files', `
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	write_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
+##	Read and write files on cgroup
+##	file systems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_rw_cgroup_files',`
+	gen_require(`
+		type cgroup_t;
+
+	')
+
+	rw_files_pattern($1, cgroup_t, cgroup_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount a CIFS or SMB network filesystem.
@ -929,7 +1141,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 		type cifs_t;
 	')

-	dontaudit $1 cifs_t:file { read write };
+	dontaudit $1 cifs_t:file rw_file_perms;
 ')

 ########################################
@ -1480,6 +1692,25 @@ interface(`fs_search_fusefs',`
 	allow $1 fusefs_t:dir search_dir_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to list the contents
+##	of directories on a FUSEFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_fusefs',`
+	gen_require(`
+		type fusefs_t;
+	')
+
+	dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
@ -1670,6 +1901,54 @@ interface(`fs_list_inotifyfs',`
 	allow $1 inotifyfs_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	Dontaudit List inotifyfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_list_inotifyfs',`
+	gen_require(`
+		type inotifyfs_t;
+	')
+
+	dontaudit $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in a hugetlbfs filesystem, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`fs_hugetlbfs_filetrans',`
+	gen_require(`
+		type hugetlbfs_t;
+	')
+
+	allow $2 hugetlbfs_t:filesystem associate;
+	filetrans_pattern($1, hugetlbfs_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	Mount an iso9660 filesystem, which
@ -2092,6 +2371,24 @@ interface(`fs_read_nfs_symlinks',`
 	read_lnk_files_pattern($1, nfs_t, nfs_t)
 ')

+########################################
+## <summary>
+##	Dontaudit read symbolic links on a NFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_read_nfs_symlinks',`
+	gen_require(`
+		type nfs_t;
+	')
+
+	dontaudit $1 nfs_t:lnk_file read_lnk_file_perms;
+')
+
 #########################################
 ## <summary>
 ##	Read named sockets on a NFS filesystem.
@ -3479,6 +3776,24 @@ interface(`fs_manage_auto_mountpoints',`
 	allow $1 autofs_t:dir manage_dir_perms;
 ')

+########################################
+## <summary>
+##	Read generic tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_read_tmpfs_files',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic tmpfs files.
@ -3723,6 +4038,24 @@ interface(`fs_mount_xenfs',`
 	allow $1 xenfs_t:filesystem mount;
 ')

+########################################
+## <summary>
+##	Search the XENFS filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_xenfs',`
+	gen_require(`
+		type xenfs_t;
+	')
+
+	allow $1 xenfs_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@ -1,5 +1,5 @@

-policy_module(filesystem, 1.12.1)
+policy_module(filesystem, 1.12.2)

 ########################################
 #
@ -29,6 +29,7 @@ fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
@ -183,6 +184,7 @@ genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
 #
 # Filesystems without extended attribute support
 #
+
 type autofs_t;
 fs_noxattr_type(autofs_t)
 files_mountpoint(autofs_t)
@ -205,6 +207,7 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
 #
 type dosfs_t;
 fs_noxattr_type(dosfs_t)
+files_mountpoint(dosfs_t)
 allow dosfs_t fs_t:filesystem associate;
 genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
@ -216,6 +219,7 @@ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)

 type fusefs_t;
 fs_noxattr_type(fusefs_t)
+files_mountpoint(fusefs_t)
 allow fusefs_t self:filesystem associate;
 allow fusefs_t fs_t:filesystem associate;
 genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
@ -228,6 +232,7 @@ genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
 #
 type iso9660_t;
 fs_noxattr_type(iso9660_t)
+files_mountpoint(iso9660_t)
 genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
 genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)

@ -237,7 +242,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
-files_type(removable_t)
+files_mountpoint(removable_t)

 #
 # nfs_t is the default type for NFS file systems