[[patch] Please review: Make a confined kernel boot.


 



Can someone please have a look at the following. This works for me, but:

https://bugzilla.redhat.com/show_bug.cgi?id=598475

I have removed the patch to dracut mentioned in the rhbz from my personal branch because it seems to no longer be needed. However, that patch is still applied in Fedora as far as I know, because the maintainer wants proof that it's no longer needed and does not want to try it himself.

So the change in this patch will not be enough to make a stock fedora 14 boot unless you remove:

                mount --bind /dev "$NEWROOT/dev"
                chroot "$NEWROOT" /sbin/restorecon -R /dev

from selinux-loadpolicy.sh and regenerate a new initramfs.

Signed-off-by: Dominick Grift <domg472@xxxxxxxxx>
---
:100644 100644 c381190... cbd0d5c... M	policy/modules/kernel/devices.if
:100644 100644 806026c... 07eea83... M	policy/modules/kernel/kernel.te
:100644 100644 bde6daa... b2f68b8... M	policy/modules/kernel/storage.if
 policy/modules/kernel/devices.if |   37 +++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te  |   30 ++++++++++++++++++++----------
 policy/modules/kernel/storage.if |   38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c381190..cbd0d5c 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -480,6 +480,24 @@ interface(`dev_dontaudit_setattr_generic_blk_files',`
 
 ########################################
 ## <summary>
+##	Set attributes of generic block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	setattr_blk_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Create generic block device files.
 ## </summary>
 ## <param name="domain">
@@ -3996,6 +4014,25 @@ interface(`dev_write_urand',`
 
 ########################################
 ## <summary>
+##	Delete USB character device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t, device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, usb_device_t)
+	dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
 ##	Getattr generic the USB devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 806026c..07eea83 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -185,6 +185,7 @@ allow kernel_t self:capability *;
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
+allow kernel_t self:system module_request;
 allow kernel_t self:msg { send receive };
 allow kernel_t self:msgq create_msgq_perms;
 allow kernel_t self:unix_dgram_socket create_socket_perms;
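Review bot: The added `allow kernel_t self:system module_request;` carries no comment saying what triggers it, unlike the nearby rules that explain their reason (the modprobe note further down in kernel.te). module_request is, as far as I know, the check taken when the kernel itself asks userspace to autoload a module, so a one-line note above the rule such as `# kernel-initiated module autoloading (request_module) during early boot -- confirm trigger` would let a later reader verify the rule is still needed rather than carry it forward blindly. Whether the request fires before or after the policy is loaded is not visible in the hunk; stating it in the comment would help.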
@@ -206,9 +207,9 @@ allow kernel_t proc_net_t:file read_file_perms;
 
 allow kernel_t proc_mdstat_t:file read_file_perms;
 
-allow kernel_t proc_kcore_t:file getattr;
+allow kernel_t proc_kcore_t:file getattr_file_perms;
 
-allow kernel_t proc_kmsg_t:file getattr;
+allow kernel_t proc_kmsg_t:file getattr_file_perms;
 
 allow kernel_t sysctl_kernel_t:dir list_dir_perms;
 allow kernel_t sysctl_kernel_t:file read_file_perms;
@@ -242,10 +243,13 @@ dev_search_usbfs(kernel_t)
 # devtmpfs handling:
 dev_create_generic_dirs(kernel_t)
 dev_delete_generic_dirs(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
 dev_create_generic_blk_files(kernel_t)
 dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
+dev_delete_generic_usb_dev(kernel_t)
+dev_setattr_generic_usb_dev(kernel_t)
 dev_mounton(kernel_t)
 
 # Mount root file system. Used when loading a policy
@@ -259,7 +263,6 @@ term_use_all_terms(kernel_t)
 term_use_ptmx(kernel_t)
 
 corecmd_exec_shell(kernel_t)
-corecmd_list_bin(kernel_t)
 # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 corecmd_exec_bin(kernel_t)
 
@@ -284,15 +287,13 @@ mls_file_read_all_levels(kernel_t)
 mls_socket_write_all_levels(kernel_t) 
 mls_fd_share_all_levels(kernel_t) 
 
-logging_manage_generic_logs(kernel_t)
+userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
 
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
 	fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
-userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
-
 optional_policy(`
 	hotplug_search_config(kernel_t)
 ')
@@ -302,16 +303,16 @@ optional_policy(`
 ')
 
 optional_policy(`
-	libs_use_ld_so(kernel_t)
-	libs_use_shared_libs(kernel_t)
+	logging_manage_generic_logs(kernel_t)
+	logging_send_syslog_msg(kernel_t)
 ')
 
 optional_policy(`
-	logging_send_syslog_msg(kernel_t)
+	nis_use_ypbind(kernel_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(kernel_t)
+	plymouthd_manage_lib_files(kernel_t)
 ')
 
 optional_policy(`
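Review bot: `plymouthd_manage_lib_files(kernel_t)` on the last added line is a new grant into another module's types with nothing tying it to the bug being fixed, while this file already marks such cases with a bare bug reference (`# Bugzilla 222337` in the distro_redhat block); the same style fits here, `# Bugzilla 598475` directly above the call. The cover text about dracut's restorecon of /dev suggests kernel_t's path through the initramfs is what touches plymouth's lib files, but that is inferred rather than shown, so it is worth spelling out in the commit message. The optional_policy block that held `libs_use_ld_so` and `libs_use_shared_libs` is dropped without a word in the description; if those interfaces are no-ops in this tree, saying so would keep the deletion from being read as a behaviour change.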
@@ -366,6 +367,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+	storage_delete_scsi_generic_dev(kernel_t)
+	storage_setattr_scsi_generic_dev(kernel_t)
+	storage_delete_removable_dev(kernel_t)
+	storage_setattr_removable_dev(kernel_t)
+	storage_delete_fixed_disk_dev(kernel_t)
+	storage_setattr_fixed_disk_dev(kernel_t)
+')
+
+optional_policy(`
 	unconfined_domain_noaudit(kernel_t)
 ')
 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index bde6daa..b2f68b8 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -388,6 +388,25 @@ interface(`storage_dontaudit_rw_fuse',`
 
 ########################################
 ## <summary>
+##	Delete generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_delete_scsi_generic_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+	dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
 ##	Allow the caller to get the attributes of
 ##	the generic SCSI interface device nodes.
 ## </summary>
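Review bot: `storage_delete_scsi_generic_dev` writes its rule as a raw `allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;` followed by `dev_remove_entry_generic_dirs($1)`, whereas the parallel `dev_delete_generic_usb_dev` added to devices.if in the same patch uses `delete_chr_files_pattern($1, device_t, usb_device_t)`; the two forms appear to grant the same access, but mixing them across one series makes the interfaces harder to compare. The same applies to `storage_delete_removable_dev` in the next hunk, where `delete_blk_files_pattern` would be the matching form. If the pattern macro is chosen here, `device_t` must also be added to the gen_require block.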
@@ -517,6 +536,25 @@ interface(`storage_dontaudit_rw_scsi_generic',`
 
 ########################################
 ## <summary>
+##	Delete removable block device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_delete_removable_dev',`
+	gen_require(`
+		type removable_device_t;
+	')
+
+	allow $1 removable_device_t:blk_file delete_blk_file_perms;
+	dev_remove_entry_generic_dirs($1)
+')
+
+########################################
+## <summary>
 ##	Allow the caller to get the attributes of removable
 ##	devices device nodes.
 ## </summary>
-- 
1.7.2.3


