Subject: [refpolicy] [PATCH 0/2] label some character device nodes
From: Dominick Grift @ 2012-08-31 17:38 UTC
To: refpolicy

I am currently trying to get refpolicy to work in a nobase text kvm-guest, to see if I can come up with a better policy for systemd. In the process I stumbled upon some unlabeled character device nodes.

Dominick Grift (2):
  Declare a loop control device node type and label /dev/loop-control accordingly
  Declare a virtio port device type and label /dev/vport.* accordingly

 policy/modules/kernel/devices.fc | 2 ++
 policy/modules/kernel/devices.te | 6 ++++++
 2 files changed, 8 insertions(+)

-- 
1.7.11.4
Subject: [refpolicy] [PATCH 1/2] Declare a loop control device node type and label /dev/loop-control accordingly
From: Dominick Grift @ 2012-08-31 17:38 UTC
To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 84e7337..5214c08 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -57,6 +57,7 @@ /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 17e0915..99fe460 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -115,6 +115,9 @@ dev_node(kvm_device_t) type lirc_device_t; dev_node(lirc_device_t) +type loop_control_device_t; +dev_node(loop_control_device_t) + # # Type for /dev/mapper/control #

-- 
1.7.11.4
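Review bot: the devices.fc hunk introduces loop_control_device_t with no way for a domain to be granted access to it: the diffstat touches only devices.fc and devices.te, so devices.if gains no interface, and any domain that needs /dev/loop-control is left with the generic dev_rw_generic_chr_files() route or a denial. Pair the new type with getattr and rw interfaces in devices.if (a dev_rw_loop_control()-style interface; that name is a suggestion, not an existing one) in the same patch, so the type is usable the moment the node is relabeled. The spec itself is fine: `-c` restricts it to the character node and it sits in alphabetical order between `/dev/logibm` and `/dev/lp.*`.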
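Review bot: in the devices.te hunk the new `type loop_control_device_t;` / `dev_node(loop_control_device_t)` pair has no comment, while the declaration right after it carries the file's usual block (`# Type for /dev/mapper/control`). Add a `# Type for /dev/loop-control` comment above the declaration so the purpose of the type is documented next to it, as the file does for the other nodes.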
Subject: [refpolicy] [PATCH 1/2] Declare a loop control device node type and label /dev/loop-control accordingly
From: Christopher J. PeBenito @ 2012-09-05 17:45 UTC
To: refpolicy

On 08/31/12 13:38, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > --- > policy/modules/kernel/devices.fc | 1 + > policy/modules/kernel/devices.te | 3 +++ > 2 files changed, 4 insertions(+) > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index 84e7337..5214c08 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -57,6 +57,7 @@ > /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) > /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) > /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) > +/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) > /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) > /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) > /dev/mei -c gen_context(system_u:object_r:mei_device_t,s0) > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 17e0915..99fe460 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -115,6 +115,9 @@ dev_node(kvm_device_t) > type lirc_device_t; > dev_node(lirc_device_t) > > +type loop_control_device_t; > +dev_node(loop_control_device_t) > + > # > # Type for /dev/mapper/control > # >

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
From: Dominick Grift @ 2012-08-31 17:38 UTC
To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 5214c08..94505c4 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 99fe460..52c535d 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -272,6 +272,9 @@ dev_node(v4l_device_t) type vhost_device_t; dev_node(vhost_device_t) +type virtio_device_t; +dev_node(virtio_device_t) + # Type for vmware devices. type vmware_device_t; dev_node(vmware_device_t)

-- 
1.7.11.4
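Review bot: the devices.fc hunk's `/dev/vport.*` spec overlaps the existing terminal.fc spec that Miroslav cites later in the thread, `/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)`. Because both assign the same type the overlap is not itself a build error, but the open-ended `.*` also captures any future /dev/vport-prefixed node that is not a serial port, and it sidesteps the actual finding: if the nodes in the guest came up as device_t, the existing regex (which accepts exactly one digit before the `p`) is not matching them, and the fix belongs in terminal.fc. Compare the node names in the guest (`ls -Z /dev/vport*`) against that regex before adding a second, broader spec.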
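Review bot: the devices.te hunk declares `type virtio_device_t;`, a name Miroslav's reply says is already declared in the terminal module (with term_use_virtio_console() as its access interface), so a second declaration would make the base policy fail to build on a duplicate type. Either drop this hunk and rely on the terminal type, or, if a device-level type distinct from the virtio console is intended, pick a distinct name (something like virtio_port_device_t; hypothetical) and add the matching access interfaces, which is also the point Miroslav raises about base access interfaces belonging in this patch.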
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
From: Miroslav Grepl @ 2012-09-04 10:28 UTC
To: refpolicy

On 08/31/2012 07:38 PM, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > --- > policy/modules/kernel/devices.fc | 1 + > policy/modules/kernel/devices.te | 3 +++ > 2 files changed, 4 insertions(+) > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > index 5214c08..94505c4 100644 > --- a/policy/modules/kernel/devices.fc > +++ b/policy/modules/kernel/devices.fc > @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` > /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) > /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) > /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) > +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) > /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) > /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) > /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > index 99fe460..52c535d 100644 > --- a/policy/modules/kernel/devices.te > +++ b/policy/modules/kernel/devices.te > @@ -272,6 +272,9 @@ dev_node(v4l_device_t) > type vhost_device_t; > dev_node(vhost_device_t) > > +type virtio_device_t; > +dev_node(virtio_device_t) > + > # Type for vmware devices. > type vmware_device_t; > dev_node(vmware_device_t)

We declare it in terminal.* policy files.

Also I think base access interfaces should be part of this patch?
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
From: Dominick Grift @ 2012-09-04 12:50 UTC
To: refpolicy

On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
> On 08/31/2012 07:38 PM, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > > --- > > policy/modules/kernel/devices.fc | 1 + > > policy/modules/kernel/devices.te | 3 +++ > > 2 files changed, 4 insertions(+) > > > > diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > > index 5214c08..94505c4 100644 > > --- a/policy/modules/kernel/devices.fc > > +++ b/policy/modules/kernel/devices.fc > > @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` > > /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) > > /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) > > /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) > > +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) > > /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) > > /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) > > /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) > > diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > > index 99fe460..52c535d 100644 > > --- a/policy/modules/kernel/devices.te > > +++ b/policy/modules/kernel/devices.te > > @@ -272,6 +272,9 @@ dev_node(v4l_device_t) > > type vhost_device_t; > > dev_node(vhost_device_t) > > > > +type virtio_device_t; > > +dev_node(virtio_device_t) > > + > > # Type for vmware devices. > > type vmware_device_t; > > dev_node(vmware_device_t)
> We declare it in terminal.* policy files.

Must be new then, last time I tried (a week ago on f18?) it was still mislabeled (device_t).

> Also I think base access interfaces should be part of this patch?

I don't see that requirement. I also haven't encountered any process trying to access it yet.
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
From: Miroslav Grepl @ 2012-09-04 18:31 UTC
To: refpolicy

On 09/04/2012 02:50 PM, Dominick Grift wrote:
>
> On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
>> On 08/31/2012 07:38 PM, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> >>> --- >>> policy/modules/kernel/devices.fc | 1 + >>> policy/modules/kernel/devices.te | 3 +++ >>> 2 files changed, 4 insertions(+) >>> >>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc >>> index 5214c08..94505c4 100644 >>> --- a/policy/modules/kernel/devices.fc >>> +++ b/policy/modules/kernel/devices.fc >>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` >>> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) >>> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) >>> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) >>> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) >>> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) >>> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) >>> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) >>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te >>> index 99fe460..52c535d 100644 >>> --- a/policy/modules/kernel/devices.te >>> +++ b/policy/modules/kernel/devices.te >>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t) >>> type vhost_device_t; >>> dev_node(vhost_device_t) >>> >>> +type virtio_device_t; >>> +dev_node(virtio_device_t) >>> + >>> # Type for vmware devices. >>> type vmware_device_t; >>> dev_node(vmware_device_t)
>> We declare it in terminal.* policy files.
> Must be new then, last time I tried (a week ago on f18?) it was still
> mislabeled (device_t)

We have

/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)

maybe it needs to be fixed.

And then

rhev.te:term_use_virtio_console(rhev_agentd_t)
rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t)
vdagent.te:term_use_virtio_console(vdagent_t)

>
>> Also I think base access interfaces should be part of this patch?
> I don't see that requirement. I also haven't encountered any process
> trying to access it yet.
>
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
From: Dominick Grift @ 2012-09-04 19:08 UTC
To: refpolicy

On Tue, 2012-09-04 at 20:31 +0200, Miroslav Grepl wrote:
>
> /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
>
> maybe it needs to be fixed.
>
> And then
>
> rhev.te:term_use_virtio_console(rhev_agentd_t)
> rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t)
> vdagent.te:term_use_virtio_console(vdagent_t)

Could you please create a patch for refpolicy that fixes this issue? I would do it, but I screwed up my refpolicy repository and can't undo it right now because I am in the middle of a project. But if you do, please double check the file context spec because I suspect that it may not catch the interface. (I submitted this patch because the device was mislabeled.)

>
>
> >> Also I think base access interfaces should be part of this patch?
> > I don't see that requirement. I also haven't encountered any process
> > trying to access it yet.
> >
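The spec Miroslav quotes and the doubt Dominick raises about it can be checked without a guest. The following is an added example, not code from refpolicy or from anyone in the thread: a small model of how setfiles resolves a path against file_contexts specs (the regex must match the whole path, a -c/-b/-d/... flag limits a spec to one file type, and when several specs match the last one wins; the ordering assumed is the one refpolicy's fc_sort produces, with more specific specs later). BASE_FC and PATCH_SPEC are constructed samples and the function names are mine. It goes one step beyond the thread by exercising a node name the existing single-digit regex cannot match, /dev/vport10p1, which falls through to device_t until a broader spec such as the patch's /dev/vport.* is present.

```python
"""Resolve SELinux file_contexts specs the way setfiles/libselinux do:
each regex must match the whole path, a -c/-b/-d/... flag restricts a spec
to one file type, and when several specs match, the last one wins."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a copy of any refpolicy file. /dev/.* is the
# catch-all that gives unlisted nodes the generic device_t type; the
# /dev/vport[0-9]p[0-9]+ line is the terminal.fc spec quoted in the thread.
# Lines are in the order refpolicy's fc_sort would leave them (more specific
# specs later), which is what "last match wins" relies on.
BASE_FC = """\
# generic fallback for everything under /dev
/dev/.*                      gen_context(system_u:object_r:device_t,s0)
/dev/vmnet.*           -c    gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vport[0-9]p[0-9]+ -c    gen_context(system_u:object_r:virtio_device_t,s0)
"""

# The spec proposed in PATCH 2/2 (devices.fc hunk), appended where fc_sort
# would place it relative to the sample above.
PATCH_SPEC = "/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0)\n"


@dataclass
class Spec:
    regex: "re.Pattern[str]"
    ftype: Optional[str]    # 'c','b','d','l','p','s','-' (regular) or None = any
    context: Optional[str]  # "user:role:type", or None for <<none>>


def parse_fc(text: str) -> list[Spec]:
    """Parse file_contexts lines of the form: <regex> [-type] <context>."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3 and re.fullmatch(r"-[a-z-]", fields[1]):
            ftype, ctx_field = fields[1][1], fields[2]
        else:
            ftype, ctx_field = None, fields[1]
        if ctx_field == "<<none>>":
            context = None
        else:
            # gen_context(user:role:type,mls) -> user:role:type
            m = re.fullmatch(r"gen_context\(([^,)]+)(?:,[^)]*)?\)", ctx_field)
            context = m.group(1) if m else ctx_field
        specs.append(Spec(re.compile(fields[0]), ftype, context))
    return specs


def matching_specs(specs: list[Spec], path: str, ftype: str) -> list[Spec]:
    """Every spec that applies to path, in file order."""
    return [s for s in specs
            if (s.ftype is None or s.ftype == ftype) and s.regex.fullmatch(path)]


def label_type(specs: list[Spec], path: str, ftype: str = "c") -> Optional[str]:
    """SELinux type the path would receive (last matching spec wins), or None."""
    hits = matching_specs(specs, path, ftype)
    if not hits or hits[-1].context is None:
        return None
    return hits[-1].context.split(":")[2]


def uncovered(specs: list[Spec], paths: list[str], ftype: str = "c") -> list[str]:
    """Paths that fall through to the generic device_t label."""
    return [p for p in paths if label_type(specs, p, ftype) == "device_t"]


if __name__ == "__main__":
    base = parse_fc(BASE_FC)
    patched = parse_fc(BASE_FC + PATCH_SPEC)
    nodes = ["/dev/vport0p1", "/dev/vport1p2", "/dev/vport10p1"]
    for p in nodes:
        print(f"{p:16} existing spec -> {label_type(base, p)}"
              f"   with patch -> {label_type(patched, p)}")
    print("still device_t with existing spec:", uncovered(base, nodes))
```

The consequence of a miss is exactly what the cover letter reports: the node stays device_t and is governed by the generic device rules rather than by the virtio-specific interface, so checking a proposed regex against the real node names (and against the file-type flag, since a `-c` spec never matches a directory) is cheaper than discovering the gap from denials in a guest.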
Subject: [refpolicy] [PATCH 2/2] Declare a virtio port device type and label /dev/vport.* accordingly
From: Dominick Grift @ 2012-09-04 19:23 UTC
To: refpolicy

On Tue, 2012-09-04 at 20:31 +0200, Miroslav Grepl wrote:
> On 09/04/2012 02:50 PM, Dominick Grift wrote:
> >
> > On Tue, 2012-09-04 at 12:28 +0200, Miroslav Grepl wrote:
> >> On 08/31/2012 07:38 PM, Dominick Grift wrote:
> >>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> > >>> --- > >>> policy/modules/kernel/devices.fc | 1 + > >>> policy/modules/kernel/devices.te | 3 +++ > >>> 2 files changed, 4 insertions(+) > >>> > >>> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc > >>> index 5214c08..94505c4 100644 > >>> --- a/policy/modules/kernel/devices.fc > >>> +++ b/policy/modules/kernel/devices.fc > >>> @@ -124,6 +124,7 @@ ifdef(`distro_suse', ` > >>> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) > >>> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) > >>> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) > >>> +/dev/vport.* -c gen_context(system_u:object_r:virtio_device_t,s0) > >>> /dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) > >>> /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) > >>> /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) > >>> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te > >>> index 99fe460..52c535d 100644 > >>> --- a/policy/modules/kernel/devices.te > >>> +++ b/policy/modules/kernel/devices.te > >>> @@ -272,6 +272,9 @@ dev_node(v4l_device_t) > >>> type vhost_device_t; > >>> dev_node(vhost_device_t) > >>> > >>> +type virtio_device_t; > >>> +dev_node(virtio_device_t) > >>> + > >>> # Type for vmware devices. > >>> type vmware_device_t; > >>> dev_node(vmware_device_t)
> >> We declare it in terminal.* policy files.
> > Must be new then, last time I tried (a week ago on f18?) it was still
> > mislabeled (device_t)
> We have
>
> /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
>
> maybe it needs to be fixed.
>
> And then
>
> rhev.te:term_use_virtio_console(rhev_agentd_t)
> rhev.te: term_use_virtio_console(rhev_agentd_consolehelper_t)
> vdagent.te:term_use_virtio_console(vdagent_t)
>
> >
> >> Also I think base access interfaces should be part of this patch?
> > I don't see that requirement. I also haven't encountered any process
> > trying to access it yet.
> >

Never mind, this patch was not merged, so just ignore this patch.