[refpolicy] [PATCH 4/7] Add attribute file_type to pseudo filesystem types

Nicolas Iooss nicolas.iooss at m4x.org
Sat Aug 23 07:35:48 EDT 2014


Files in /sys/kernel/config are labeled configfs_t so this type needs
attribute "file_type".  Without this attribute, these denials happen
when using collectd with "df" plugin (this plugin enumerates mountpoints
and collects disk usage stats):

    avc:  denied  { getattr } for pid=872 comm="collectd"
    path="/sys/kernel/config" dev="configfs" ino=10234
    scontext=system_u:system_r:collectd_t
    tcontext=system_u:object_r:configfs_t tclass=dir

As collectd.te already contains files_getattr_all_dirs(collectd_t),
adding file_type to configfs_t is enough to allow this access.

Moreover, similar filesystems such as debugfs_t already has file_type:

    $ seinfo -xtdebugfs_t
       debugfs_t
          file_type
          filesystem_type
          non_security_file_type
          mountpoint
          non_auth_file_type
    $ seinfo -xtconfigfs_t
       configfs_t
          filesystem_type

This is because kernel.te contains files_mountpoint(debugfs_t), which
uses files_type(debugfs_t).

This patch adds files_type() to every pseudo filesystem type that
doesn't have file_type yet.
---
 policy/modules/kernel/filesystem.te | 11 +++++++++++
 policy/modules/kernel/kernel.te     |  1 +
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb76dc66..083756999432 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -58,6 +58,7 @@ genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
 
 type bdev_t;
 fs_type(bdev_t)
+files_type(bdev_t)
 genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
 
 type binfmt_misc_fs_t;
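Review bot: The new `files_type(bdev_t)` line, and the same call in the later hunks for configfs_t, cpusetfs_t, futexfs_t, ibmasmfs_t, infinibandeventfs_t, inotifyfs_t, mvfs_t, nfsd_fs_t, oprofilefs_t, romfs_t and kvmfs_t, grants more than the single attribute the description names: the seinfo output for debugfs_t, which obtained file_type the same way, shows it also carries non_security_file_type and non_auth_file_type. Every domain that already holds a files_*_all_* or files_*_non_security_* interface therefore gains that access on these pseudo filesystems, which is considerably wider than the one getattr on /sys/kernel/config that motivates the patch. The description should state this so the widening can be reviewed deliberately, e.g. `Note: files_type() also assigns non_security_file_type and non_auth_file_type, so existing broad files_* interfaces now cover these filesystems.` The practical exposure for kernel-internal filesystems such as bdev_t is presumably small, but it still deserves a sentence.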
@@ -78,10 +79,12 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
+files_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
 type cpusetfs_t;
 fs_type(cpusetfs_t)
+files_type(cpusetfs_t)
 allow cpusetfs_t self:filesystem associate;
 genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
 
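Review bot: The description claims files_type() is added to every pseudo filesystem type lacking file_type, yet several types visible in the hunk headers and context (binfmt_misc_fs_t, cgroup_t, ecryptfs_t, hugetlbfs_t, pstore_t, ramfs_t) receive no new line. Presumably they already carry the attribute through files_mountpoint() or a similar interface, as the description shows for debugfs_t, but the commit does not say so; a seinfo check for each untouched type, or a sentence like `Types already reaching file_type via files_mountpoint() are left unchanged.`, would make the "every" claim verifiable. For configfs_t in particular the precedent cited is files_mountpoint(debugfs_t), so a one-line comment above the new call, `# plain files_type(): nothing is mounted on top of configfs_t`, would record why the narrower interface was chosen here, if that is indeed the reason.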
@@ -92,6 +95,7 @@ genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
 
 type futexfs_t;
 fs_type(futexfs_t)
+files_type(futexfs_t)
 genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
 
 type hugetlbfs_t;
@@ -102,29 +106,35 @@ fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
 
 type ibmasmfs_t;
 fs_type(ibmasmfs_t)
+files_type(ibmasmfs_t)
 allow ibmasmfs_t self:filesystem associate;
 genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
 
 type infinibandeventfs_t;
 fs_type(infinibandeventfs_t)
+files_type(infinibandeventfs_t)
 allow infinibandeventfs_t self:filesystem associate;
 genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
 
 type inotifyfs_t;
 fs_type(inotifyfs_t)
+files_type(inotifyfs_t)
 genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
 
 type mvfs_t;
 fs_noxattr_type(mvfs_t)
+files_type(mvfs_t)
 allow mvfs_t self:filesystem associate;
 genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
 
 type nfsd_fs_t;
 fs_type(nfsd_fs_t)
+files_type(nfsd_fs_t)
 genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
 
 type oprofilefs_t;
 fs_type(oprofilefs_t)
+files_type(oprofilefs_t)
 genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
 
 type pstore_t;
@@ -140,6 +150,7 @@ genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
 
 type romfs_t;
 fs_type(romfs_t)
+files_type(romfs_t)
 genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
 genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
 
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 3fc6a56d41f0..f6cd41b70135 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -66,6 +66,7 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
 #
 
 type kvmfs_t;
+files_type(kvmfs_t)
 fs_type(kvmfs_t)
 genfscon kvmfs / gen_context(system_u:object_r:kvmfs_t,s0)
 
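Review bot: `files_type(kvmfs_t)` is inserted before `fs_type(kvmfs_t)`, whereas every hunk in filesystem.te places the files_type() call immediately after fs_type(). Attribute assignment order has no effect on the resulting policy, so this is style only, but moving the new line below `fs_type(kvmfs_t)` keeps the declaration pattern uniform across both files and makes later greps for a type's attribute block predictable.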
-- 
2.0.4


