SELinux Mailing List: kernel_files changes
From: dwalsh_at_redhat.com
Date: Wed, 30 May 2007 11:20:24 -0400
######################################## ## <summary> -## Mount a filesystem on all non-security -## directories and files. +## Mount a filesystem on all non-security directories. ## </summary> ## <param name="domain"> ## <summary> ## </param> # -interface(`files_mounton_non_security',` +interface(`files_mounton_non_security_dir',` gen_require(` attribute file_type, security_file_type; ') allow $1 { file_type -security_file_type }:dir mounton; +') + +######################################## +## <summary> +## Mount a filesystem on all non-security and files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_non_security_files',` + gen_require(` + attribute file_type, security_file_type; + ') + allow $1 { file_type -security_file_type }:file mounton;')
@@ -376,7 +392,7 @@ attribute file_type, security_file_type; ') - allow $1 { file_type -security_file_type }:dir write; + allow $1 { file_type -security_file_type }:dir rw_dir_perms;') ########################################') ########################################') ######################################## @@ -3305,6 +3321,42 @@ ######################################## ## <summary> +## Add and remove entries from /usr directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_rw_usr_dirs',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir rw_dir_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete files in the /usr directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_manage_usr_files',` + gen_require(` + type usr_t; + ') + + manage_files_pattern($1, usr_t, usr_t) +') + +######################################## +## <summary> ## Get the attributes of files in /usr.## </summary> ## <param name="domain"> @@ -3632,7 +3684,7 @@ type var_t; ') - dontaudit $1 var_t:dir search; + dontaudit $1 var_t:dir search_dir_perms;') ########################################') ######################################## ') ########################################') ######################################## + ') ######################################## 
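Review bot: The summary on `files_manage_usr_files` in the @@ -3305 hunk understates what the rule grants: `manage_files_pattern($1, usr_t, usr_t)` allows create, write and unlink of every file labeled usr_t, and if usr_t is the default label for the /usr tree (as it is in the reference policy file contexts) that is most of /usr, not "the /usr directory". Suggest `## Create, read, write, and delete usr_t files anywhere under /usr.` plus a `<desc>` paragraph saying the interface is meant for domains that install or update /usr content, so callers are reviewed as handing out write access to shared system files. The milder companion `files_rw_usr_dirs` in the same hunk has the same scope issue, since `usr_t:dir rw_dir_perms` covers every usr_t directory.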
@@ -4583,3 +4639,28 @@
 allow $1 { file_type -security_file_type }:dir manage_dir_perms;
 ')
+
+########################################
+## <summary>
+## Create a core files in /
+## </summary>
+## <desc>
+## <p>
+## Create a core file in /,
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_dump_core',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/kernel/files.te 2007-05-30 09:25:53.000000000 -0400
@@ -54,6 +54,7 @@
 files_type(etc_t)
 # compatibility aliases for removed types:
 typealias etc_t alias automount_etc_t;
+typealias etc_t alias snmpd_etc_t;
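Review bot: `files_dump_core` grants more than dropping a core file into / requires: `rw_dir_perms` on root_t:dir includes remove_name, while creating a new entry needs only search and add_name on the directory, so `allow $1 root_t:dir add_entry_dir_perms;` (or `{ search add_name }`) is the tighter rule. The `root_t:file write` that follows is also not limited to the new dump but applies to any existing root_t-labeled file, and because there is no type transition the core file itself stays root_t; a file transition to a dedicated core-dump type would keep both the dump and the write permission out of the root_t namespace. The summary has a typo, `## Create a core file in /`, and the `<rolecap/>` tag means this will be offered to roles directly, which makes the narrowing more worthwhile.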
#
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if 2007-05-30 09:25:53.000000000 -0400
@@ -1096,6 +1096,24 @@
 ########################################
 ## <summary>
+## Search dosfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_dos',`
+ gen_require(`
+ type dosfs_t;
+ ')
+
+ allow $1 dosfs_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ## Read files on a DOS filesystem.
 ## </summary>
 ## <param name="domain">
@@ -1291,6 +1309,26 @@
 ########################################
 ## <summary>
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file getattr;
+')
+
+########################################
+## <summary>
 ## Mount a NFS filesystem.
 ## </summary>
 ## <param name="domain">
@@ -3420,3 +3458,22 @@
 relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
 relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)')
+
+
+########################################
+## <summary>
+## Mount an fuse filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mount_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+ allow $1 fusefs_t:filesystem mount;
+')
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-05-29 14:10:48.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.te 2007-05-30 09:25:53.000000000 -0400
@@ -54,17 +54,29 @@
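Review bot: The summary on `fs_getattr_iso9660_files` in the @@ -1291 hunk does not match its rules: it says "Read files on an iso9660 filesystem", apparently copied from the neighbouring read interface, but the body only grants `iso9660_t:dir list_dir_perms` and `iso9660_t:file getattr`, so a policy writer picking this interface by its summary would expect read access they do not get. Suggest `## Get the attributes of files on an iso9660 filesystem, which is usually used on CDs.` so the documented contract equals the granted permissions.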
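Review bot: `fs_mount_fusefs` in the @@ -3420 hunk grants `fusefs_t:filesystem mount` only, so a caller that mounts a FUSE filesystem has no matching unmount permission; the other mount interfaces in this file are paired with unmount interfaces, and adding the counterpart here keeps that convention. The summary should read `## Mount a FUSE filesystem.`, and since fusefs_t is declared with fs_noxattr_type later in this patch, a `<desc>` sentence noting that every file under such a mount carries the single fusefs_t label and is served by a userspace process would help callers judge how much to trust that content.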
type capifs_t;
type configfs_t;
+type cpusetfs_t;
+fs_type(cpusetfs_t)
+allow cpusetfs_t self:filesystem associate;
+genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
+
 type eventpollfs_t;
 fs_type(eventpollfs_t)
 # change to task SID 20060628
 #genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
+type fusefs_t;
+fs_noxattr_type(fusefs_t)
+allow fusefs_t self:filesystem associate;
+genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+
 type futexfs_t;
 fs_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
@@ -83,6 +95,11 @@
 fs_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
+type mvfs_t;
+fs_noxattr_type(mvfs_t)
+allow mvfs_t self:filesystem associate;
+genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
@@ -105,6 +122,16 @@
 genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
 files_mountpoint(rpc_pipefs_t)
+type spufs_t;
+fs_type(spufs_t)
+genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
+files_mountpoint(spufs_t)
+
+type vxfs_t;
+fs_noxattr_type(vxfs_t)
+files_mountpoint(vxfs_t)
+genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
+
 #
 # tmpfs_t is the type for tmpfs filesystems
 #
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 30 May 2007 - 13:37:03 EDT |
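Review bot: The new filesystem types are declared inconsistently across the @@ -54, @@ -83 and @@ -105 hunks: cpusetfs_t, fusefs_t and mvfs_t each get `allow <type> self:filesystem associate;`, while spufs_t and vxfs_t, which are additionally marked files_mountpoint, do not. If that associate rule is what permits files carrying the filesystem's own type to exist on it (the patch does not show whether fs_type or fs_noxattr_type already supplies it), vxfs_t in particular needs `allow vxfs_t self:filesystem associate;`, because as a noxattr filesystem all of its contents will be labeled vxfs_t. Either add the rule to spufs_t and vxfs_t or drop it from the other three so the declaration pattern in this file is uniform and reviewers can spot a missing rule by inspection.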