[refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

Matthew Thode mthode at mthode.org
Mon Jan 20 11:31:49 EST 2014


On 12/20/2013 03:06 PM, Matthew Thode wrote:
> Signed-off-by: Matthew Thode <mthode at mthode.org>
> ---
>  policy/modules/kernel/storage.fc | 5 +++++
>  policy/modules/system/fstools.fc | 6 ++++++
>  policy/modules/system/mount.fc   | 4 ++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
> index 54f1827..4315bd5 100644
> --- a/policy/modules/kernel/storage.fc
> +++ b/policy/modules/kernel/storage.fc
> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>  
>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>  
> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
> +
>  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
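
Review bot: The first added line types /dev/zfs as fixed_disk_device_t, but that `-c` entry is the ZFS control node rather than a disk. As written, every domain with access to fixed_disk_device_t character devices also reaches the ZFS control interface, and any tool that only needs the control node must be granted raw disk access. Consider a dedicated device type for /dev/zfs (and /dev/zpios), keeping fixed_disk_device_t for the zvol block nodes. The `/dev/zd.*` pattern also matches any /dev name that begins with zd; restricting it to the numeric form used by the block nodes would avoid labelling unrelated nodes at mls_systemhigh.
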
> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
> index 948ce2a..39e6c25 100644
> --- a/policy/modules/system/fstools.fc
> +++ b/policy/modules/system/fstools.fc
> @@ -36,6 +36,12 @@
>  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
> +/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  
>  /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
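
Review bot: The six added entries cover only /sbin, so an installation that places these tools under /usr/sbin would leave them with the default label and without the fsadm_exec_t entry point; add matching /usr/sbin lines if that layout is meant to be supported. Separately, zpios, ztest, zinject and zhack are test, fault-injection and debugging utilities rather than routine administration commands. The commit message carries only a Signed-off-by, so please state why they should run in the fsadm domain, or drop them from this hunk.
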
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
> index 4619000..a5e1c6e 100644
> --- a/policy/modules/system/mount.fc
> +++ b/policy/modules/system/mount.fc
> @@ -2,6 +2,10 @@
>  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>  
> +/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
> +/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
> +
>  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
>  
>  /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
> 
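
Review bot: Labelling /sbin/zpool and /sbin/zfs as mount_exec_t puts general pool and dataset administration into the mount domain, which is much broader than what /sbin/mount.zfs needs. The diffstat lists only the three .fc files, so no policy rules accompany the new labels: either these commands are denied most of what they do, or the mount domain has to be widened later for everything that uses it. Consider keeping mount_exec_t for /sbin/mount.zfs only and giving zpool and zfs fsadm_exec_t or a dedicated domain, with the matching .te changes in the same series.
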
What's the status on the acceptance of this patch?

-- 
-- Matthew Thode
