[refpolicy] [PATCH 1/1] Extending support for SELinux on ZFS

Christopher J. PeBenito cpebenito at tresys.com
Tue Jan 21 08:57:46 EST 2014


On 01/20/14 11:31, Matthew Thode wrote:
> On 12/20/2013 03:06 PM, Matthew Thode wrote:
>> Signed-off-by: Matthew Thode <mthode at mthode.org>
>> ---
>>  policy/modules/kernel/storage.fc | 5 +++++
>>  policy/modules/system/fstools.fc | 6 ++++++
>>  policy/modules/system/mount.fc   | 4 ++++
>>  3 files changed, 15 insertions(+)
>>
>> diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
>> index 54f1827..4315bd5 100644
>> --- a/policy/modules/kernel/storage.fc
>> +++ b/policy/modules/kernel/storage.fc
>> @@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
>>  
>>  /dev/usb/rio500		-c	gen_context(system_u:object_r:removable_device_t,s0)
>>  
>> +/dev/zfs			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zpios			-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zvol(/.*)?		-l	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +/dev/zd.*			-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>> +
>>  /lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
>>  /lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
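Review bot: The /dev/zvol(/.*)? entry is marked -l, so it puts fixed_disk_device_t at mls_systemhigh on the symlinks themselves rather than on a device node. Access to the volume is decided by the label on the block node, which the /dev/zd.* -b line already sets. With this entry a domain would also need lnk_file access to fixed_disk_device_t just to resolve a path under /dev/zvol. I would drop the -l line, and place the remaining entries in sorted order among the other /dev entries instead of after /dev/usb/rio500.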
>> diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
>> index 948ce2a..39e6c25 100644
>> --- a/policy/modules/system/fstools.fc
>> +++ b/policy/modules/system/fstools.fc
>> @@ -36,6 +36,12 @@
>>  /sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zpios			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zinject		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zhack			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zdb			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>> +/sbin/zstreamdump	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  
>>  /usr/bin/partition_uuid	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
>>  /usr/bin/raw		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
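Review bot: All six added binaries get fsadm_exec_t, the entry point into the fsadm domain, and the patch carries no description of why each one needs it. Going by their names, zpios, ztest, zinject and zhack look like test and debugging tools rather than routine administration commands, so the commit message should say what access they require and whether they belong in the same domain as zdb and zstreamdump. The new lines are also appended after /sbin/tune2fs in no particular order (zpios, ztest, zinject, zhack, zdb, zstreamdump); sorting them keeps the block consistent with the entries above it.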
>> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
>> index 4619000..a5e1c6e 100644
>> --- a/policy/modules/system/mount.fc
>> +++ b/policy/modules/system/mount.fc
>> @@ -2,6 +2,10 @@
>>  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  
>> +/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +/sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
>> +
>>  /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
>>  
>>  /var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
>>
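Review bot: /sbin/zpool and /sbin/zfs are labeled mount_exec_t here while the other z* tools in fstools.fc get fsadm_exec_t, and nothing in the patch explains the split. mount.zfs fits next to the /bin/mount.* entry, but the reason for running zpool and zfs in the mount domain should be stated in the commit message. The diffstat also shows only .fc files changed, so the patch adds no rules for the mount or fsadm domains; it is worth confirming that the existing rules for fixed_disk_device_t cover what these tools do with /dev/zfs.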
> What's the status on the acceptance of this patch?

Sorry, I lost track of it.  It's committed now, though I removed the symlink label and rearranged the lines.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

