[refpolicy] [PATCH 1/1] Mark temporary block device as fixed_disk_device_t

Christopher J. PeBenito cpebenito at tresys.com
Wed Feb 22 07:46:59 CST 2012


On 11/15/11 04:45, Sven Vermeulen wrote:
> When udev creates the temporary block devices (such as /dev/.tmp-block-8:1) they
> get by default marked as device_t. However, in case of software raid devices,
> the mdadm application (running in mdadm_t) does not hold the proper privileges
> to access this for its auto-assembly of the raids.
> 
> Other block device applications, like blkid (running in fsadm_t) use these
> temporary block devices as well, but already hold the necessary privileges on
> device_t to continue their work.
> 
> By marking the temporary block device as a fixed_disk_device_t, all these block
> device handling applications (such as blkid, but also mdadm) now hold the proper
> privileges. Since udev is selinux-aware, the created files are immediately
> restorecon'ed before the rules are applied.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  policy/modules/kernel/storage.fc |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 57c4a6a..54f1827 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -1,4 +1,4 @@
> -
> +/dev/\.tmp-block-.*	-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /dev/n?(raw)?[qr]ft[0-3] -c	gen_context(system_u:object_r:tape_device_t,s0)
>  /dev/n?[hs]t[0-9].*	-c	gen_context(system_u:object_r:tape_device_t,s0)
>  /dev/n?z?qft[0-3]	-c	gen_context(system_u:object_r:tape_device_t,s0)
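Review bot: the new entry uses `-c` (character special file), but the commit message describes `/dev/.tmp-block-8:1` as a temporary *block* device; if udev creates these nodes as block special files, a `-c` file context will never match them and the restorecon the commit message relies on will leave them as device_t. Please double-check the node type udev uses for `.tmp-block-*` and, if it is a block node, change the entry to `/dev/\.tmp-block-.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The `-c` on the adjacent `ft`/`st` tape entries is correct for those since tape drives are character devices, so the new line should not simply copy their type flag.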

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com