* [refpolicy] [PATCH] Add file_type attribute to configfs_t
@ 2014-09-07 21:47 Nicolas Iooss
  2014-09-12 18:09 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Iooss @ 2014-09-07 21:47 UTC (permalink / raw)
  To: refpolicy

The /sys/kernel/config filesystem can be used to configure some kernel
components such as netconsole [1].  Hence configfs_t can be used to
label files and directories and should be file_type.

Moreover this fixes the following AVC denial from collectd:

    avc:  denied  { getattr } for pid=872 comm="collectd"
    path="/sys/kernel/config" dev="configfs" ino=10234
    scontext=system_u:system_r:collectd_t
    tcontext=system_u:object_r:configfs_t tclass=dir

[1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
---
 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb76dc66..fab828f00f97 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
 
 type configfs_t;
 fs_type(configfs_t)
+files_type(configfs_t)
 genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
 
 type cpusetfs_t;
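Review bot: files_type(configfs_t) is a far wider grant than the single getattr denial in the commit message calls for. Putting configfs_t under the file_type attribute means every rule in the policy written against file_type (getattr/read/manage-all-files style interfaces) now also reaches /sys/kernel/config, a kernel configuration interface that the hunk's own `genfscon configfs / ...` line labels as one whole pseudo filesystem and that `fs_type(configfs_t)` on the line above already classifies. The denial is collectd_t needing getattr on one dir; resolve it with a targeted rule in the collectd module (allow getattr on configfs_t:dir, or a dontaudit if collectd has no real need to stat the mount point) and leave configfs_t as fs_type only.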
-- 
2.1.0


* [refpolicy] [PATCH] Add file_type attribute to configfs_t
From: Christopher J. PeBenito @ 2014-09-12 18:09 UTC (permalink / raw)
  To: refpolicy

On 9/7/2014 5:47 PM, Nicolas Iooss wrote:
> /sys/kernel/config filesystem can be used to configure some kernel
> components such as netconsole [1].  Hence configfs_t can be used to
> label files and directories and should be file_type.

I don't think configfs_t labels any files but those in the configfs
pseudo filesystem, which is consistent with the following denial.  I
don't think it should be a file type.

> Moreover this fixes the following AVC denial from collectd:
> 
>     avc:  denied  { getattr } for pid=872 comm="collectd"
>     path="/sys/kernel/config" dev="configfs" ino=10234
>     scontext=system_u:system_r:collectd_t
>     tcontext=system_u:object_r:configfs_t tclass=dir
> 
> [1] https://www.kernel.org/doc/Documentation/networking/netconsole.txt
> ---
>  policy/modules/kernel/filesystem.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index cf04fb76dc66..fab828f00f97 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -78,6 +78,7 @@ genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
>  
>  type configfs_t;
>  fs_type(configfs_t)
> +files_type(configfs_t)
>  genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
>  
>  type cpusetfs_t;
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
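As an added illustration that is not part of the thread or of refpolicy: a small parser for the AVC denial quoted above that derives the narrowest rule able to silence it (one source type, one target type, one class, only the denied permissions), which is the scale of change the denial actually justifies, in contrast to the policy-wide `files_type(configfs_t)` the patch proposes. The sample line is constructed from the denial in the thread with its whitespace collapsed.

```python
import re
from dataclasses import dataclass

# Constructed from the denial quoted in the thread (line breaks collapsed).
SAMPLE_AVC = (
    'avc:  denied  { getattr } for pid=872 comm="collectd" '
    'path="/sys/kernel/config" dev="configfs" ino=10234 '
    'scontext=system_u:system_r:collectd_t '
    'tcontext=system_u:object_r:configfs_t tclass=dir'
)

_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: tuple        # denied permissions, sorted, e.g. ("getattr",)
    source_type: str    # type component of scontext
    target_type: str    # type component of tcontext
    tclass: str         # object class, e.g. "dir"
    fields: dict        # remaining key=value pairs (pid, comm, path, dev, ...)


def parse_avc(line: str) -> AvcDenial:
    """Split one audit/dmesg AVC line into its security-relevant parts."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    perms = tuple(sorted(m.group(1).split()))
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    # A context is user:role:type[:range]; the type is the third component.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return AvcDenial(perms, stype, ttype, fields["tclass"], fields)


def _perm_set(d: AvcDenial) -> str:
    return d.perms[0] if len(d.perms) == 1 else "{ %s }" % " ".join(d.perms)


def minimal_allow_rule(d: AvcDenial) -> str:
    """Narrowest allow that resolves the denial, if the access is needed."""
    return "allow %s %s:%s %s;" % (d.source_type, d.target_type, d.tclass, _perm_set(d))


def dontaudit_rule(d: AvcDenial) -> str:
    """Alternative when the access is not needed: silence the log instead."""
    return "dontaudit %s %s:%s %s;" % (d.source_type, d.target_type, d.tclass, _perm_set(d))
```

Either emitted rule belongs in the collectd module, scoped to collectd_t, rather than in filesystem.te where the attribute change lands.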

