Back when the SECMARK implementation was new, the packet class was always
checked. Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules. Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules. Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.
To have partial SECMARK confinement, the following rule applies:
allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };
It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:
allow * unlabeled_t:packet { send recv };
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Replaced calls to interfaces allowing access to all files except
auth_file_type files with calls to interfaces allowing access to
non_auth_file_type files.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Move devtmpfs to devices module (remove from filesystem module)
Make device_t a filesystem
Add interface for associating types with device_t filesystem (dev_associate)
Call dev_associate from dev_filetrans
Allow all device nodes associate with device_t filesystem
Remove dev_tmpfs_filetrans_dev from kernel_t
Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate
Mounton interface, to allow the kernel to mounton device_t
Signed-off-by: Jeremy Solt <jsolt@tresys.com>
Move cgroup_t declarations from kernel.te to filesystem.te
Redo cgroup interfaces in filesystem.if
Add file context specification for /cgroup mountpoint to filesystem.fc
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Add ability to dontaudit requiests to load kernel modules. If you
disable ipv6 every confined app that does ip, tries to get the kernel to
load the module.
Better handling of unlabeled files by the kernel interfaces
