From 7af0e9bc957f90201be1aa3e107deb9b9e0c07b1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 12 Mar 2010 11:40:59 -0500
Subject: [PATCH] Filesystem patch from Dan Walsh.
---
 policy/modules/kernel/filesystem.if | 335 +++++++++++++++++++++++++++-
 policy/modules/kernel/filesystem.te | 9 +-
 2 files changed, 341 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index aa52f45b6..a2c146b96 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -557,6 +557,218 @@ interface(`fs_register_binary_executable_type',`
 rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')
+########################################
+##
+## Mount a cgroup filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_mount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem mount;
+')
+
+########################################
+##
+## Remount a cgroup filesystem This allows
+## some mount options to be changed.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_remount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem remount;
+')
+
+########################################
+##
+## Unmount a cgroup file system.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_unmount_cgroup', `
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ allow $1 cgroup_t:filesystem unmount;
+')
+
+########################################
+##
+## Get the attributes of a cgroup filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_getattr_cgroup',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ allow $1 cifs_t:filesystem getattr;
+')
+
+########################################
+##
+## list dirs on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_list_cgroup_dirs', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ list_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_cifs_dirs',`
+ gen_require(`
+ type cifs_t;
+ ')
+
+ dontaudit $1 cifs_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Manage dirs on cgroup file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_manage_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ manage_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Set attributes of files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_setattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ setattr_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Read files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ read_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Write files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_write_cgroup_files', `
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ write_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+##
+## Read and write files on cgroup
+## file systems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_rw_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+')
+
 ########################################
 ##
 ## Mount a CIFS or SMB network filesystem.
@@ -929,7 +1141,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
 type cifs_t;
 ')
- dontaudit $1 cifs_t:file { read write };
+ dontaudit $1 cifs_t:file rw_file_perms;
 ')
 ########################################
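Review bot: `fs_getattr_cgroup` requires `cifs_t` and its only rule is `allow $1 cifs_t:filesystem getattr;`, so a domain calling it is granted getattr on CIFS filesystems and still gets an AVC denial on the cgroup filesystem it asked about; the two lines should be `type cgroup_t;` and `allow $1 cgroup_t:filesystem getattr;`. Its parameter block also carries one more bare `##` line than the sibling interfaces, which suggests the doc markup was edited by hand and is worth re-checking. `fs_dontaudit_list_cifs_dirs` is inserted between `fs_list_cgroup_dirs` and `fs_manage_cgroup_dirs`, while the rest of this file groups interfaces by filesystem type and the CIFS interfaces begin right after this hunk; moving it there, and rewording its summary to `Do not audit attempts to list dirs on a CIFS or SMB filesystem.` to match the `list_dir_perms` it uses, keeps the file navigable. `fs_remount_cgroup` is also missing a sentence break: `Remount a cgroup filesystem. This allows`.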
@@ -1480,6 +1692,25 @@ interface(`fs_search_fusefs',`
 allow $1 fusefs_t:dir search_dir_perms;
 ')
+########################################
+##
+## Do not audit attempts to list the contents
+## of directories on a FUSEFS filesystem.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`fs_dontaudit_list_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete directories
@@ -1670,6 +1901,54 @@ interface(`fs_list_inotifyfs',`
 allow $1 inotifyfs_t:dir list_dir_perms;
 ')
+########################################
+##
+## Dontaudit List inotifyfs filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_list_inotifyfs',`
+ gen_require(`
+ type inotifyfs_t;
+ ')
+
+ dontaudit $1 inotifyfs_t:dir list_dir_perms;
+')
+
+########################################
+##
+## Create an object in a hugetlbfs filesystem, with a private
+## type using a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`fs_hugetlbfs_filetrans',`
+ gen_require(`
+ type hugetlbfs_t;
+ ')
+
+ allow $2 hugetlbfs_t:filesystem associate;
+ filetrans_pattern($1, hugetlbfs_t, $2, $3)
+')
+
 ########################################
 ##
 ## Mount an iso9660 filesystem, which
@@ -2092,6 +2371,24 @@ interface(`fs_read_nfs_symlinks',`
 read_lnk_files_pattern($1, nfs_t, nfs_t)
 ')
+########################################
+##
+## Dontaudit read symbolic links on a NFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_read_nfs_symlinks',`
+ gen_require(`
+ type nfs_t;
+ ')
+
+ dontaudit $1 nfs_t:lnk_file read_lnk_file_perms;
+')
+
 #########################################
 ##
 ## Read named sockets on a NFS filesystem.
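Review bot: `fs_dontaudit_list_inotifyfs` describes its argument as `Domain allowed access.` although its body is a `dontaudit` rule; the convention this file uses for dontaudit interfaces, visible in `fs_dontaudit_list_fusefs` in the hunk just above, is `Domain to not audit.`, and the summary would read better as `Do not audit attempts to list the contents of directories on an inotifyfs filesystem.` In `fs_hugetlbfs_filetrans`, `allow $2 hugetlbfs_t:filesystem associate;` is granted to whatever type the caller passes and nothing in the interface constrains it, so the summary for the second parameter should say that the caller declares and owns that type, e.g. `The private type of the object to be created; declared by the caller.` Both new interfaces are complete within the hunk.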
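Review bot: `fs_dontaudit_read_nfs_symlinks` documents its parameter as `Domain allowed access.` but the rule is a `dontaudit`, so the parameter summary should be `Domain to not audit.` as in the file's other dontaudit interfaces. The summary `Dontaudit read symbolic links on a NFS filesystem.` would also match the file's usual wording as `Do not audit attempts to read symbolic links on a NFS filesystem.`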
@@ -3479,6 +3776,24 @@ interface(`fs_manage_auto_mountpoints',`
 allow $1 autofs_t:dir manage_dir_perms;
 ')
+########################################
+##
+## Read generic tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ read_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
 ########################################
 ##
 ## Read and write generic tmpfs files.
@@ -3723,6 +4038,24 @@ interface(`fs_mount_xenfs',`
 allow $1 xenfs_t:filesystem mount;
 ')
+########################################
+##
+## Search the XENFS filesystem.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_search_xenfs',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ allow $1 xenfs_t:dir search_dir_perms;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete directories
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 12272e557..5a49deae1 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,5 +1,5 @@
-policy_module(filesystem, 1.12.1)
+policy_module(filesystem, 1.12.2)
 ########################################
 #
@@ -29,6 +29,7 @@ fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
@@ -183,6 +184,7 @@ genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
 #
 # Filesystems without extended attribute support
 #
+
 type autofs_t;
 fs_noxattr_type(autofs_t)
 files_mountpoint(autofs_t)
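Review bot: `fs_use_xattr gpfs` tells the kernel to take each file's label from the security xattr stored on the GPFS volume, which is only sound if GPFS actually preserves that attribute and every node that can write to the shared volume is trusted to set labels; if that is not the case, gpfs belongs with the single-type `genfscon` entries used for nfs_t and cifs_t rather than in the xattr list. Neither the added line nor the commit description says why gpfs was moved, so a short comment such as `# GPFS preserves the security xattr; all cluster nodes are trusted to label files` beside it would record the assumption. I cannot tell from the patch whether this was verified, so treat it as a question rather than a defect.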
@@ -205,6 +207,7 @@ genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
 #
 type dosfs_t;
 fs_noxattr_type(dosfs_t)
+files_mountpoint(dosfs_t)
 allow dosfs_t fs_t:filesystem associate;
 genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
@@ -216,6 +219,7 @@ genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
 type fusefs_t;
 fs_noxattr_type(fusefs_t)
+files_mountpoint(fusefs_t)
 allow fusefs_t self:filesystem associate;
 allow fusefs_t fs_t:filesystem associate;
 genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
@@ -228,6 +232,7 @@ genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
 #
 type iso9660_t;
 fs_noxattr_type(iso9660_t)
+files_mountpoint(iso9660_t)
 genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
 genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
@@ -237,7 +242,7 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
 type removable_t;
 allow removable_t noxattrfs:filesystem associate;
 fs_noxattr_type(removable_t)
-files_type(removable_t)
+files_mountpoint(removable_t)
 #
 # nfs_t is the default type for NFS file systems
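Review bot: `files_type(removable_t)` is replaced by `files_mountpoint(removable_t)` instead of being kept alongside it; that is only equivalent if `files_mountpoint` itself applies `files_type` to its argument, which is how the refpolicy interface is usually written but is not visible in this patch, so it is worth confirming before merging — otherwise removable_t silently loses the `file_type` attribute and every rule written against that attribute stops reaching it. The earlier hunks on this line add the mountpoint attribute to `dosfs_t`, `fusefs_t` and `iso9660_t`, filesystems whose contents can be supplied by an unprivileged user (removable media, FUSE); any domain granted the all-mountpoints mounton interfaces can now mount over directories on them, which may well be intended but deserves a sentence in the commit description. The four hunks are otherwise self-contained.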