A few new paths and a new interface which is used by later patches
Index: refpolicy/policy/modules/kernel/storage.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/storage.fc 2008-07-19 19:15:34.000000000 +0200
+++ refpolicy/policy/modules/kernel/storage.fc 2008-08-03 18:09:53.000000000 +0200
@@ -13,6 +13,7 @@
 /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -48,6 +49,7 @@
 /dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh)
 /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
Index: refpolicy/policy/modules/kernel/storage.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/storage.if 2008-08-03 16:46:56.000000000 +0200
+++ refpolicy/policy/modules/kernel/storage.if 2008-08-03 18:09:53.000000000 +0200
@@ -81,6 +81,26 @@
 ########################################
 ## <summary>
+## dontaudit the caller attempts to read from a fixed disk.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`storage_dontaudit_raw_read_fixed_disk',`
+ gen_require(`
+ attribute fixed_disk_raw_read;
+ type fixed_disk_device_t;
+ ')
+
+ dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
+ dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
 ## Allow the caller to directly read from a fixed disk.
 ## This is extremly dangerous as it can bypass the
 ## SELinux protections for filesystem objects, and
--
David Härdeman
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
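Review bot: The `gen_require` of the new `storage_dontaudit_raw_read_fixed_disk` interface declares `attribute fixed_disk_raw_read;` but nothing in the body references it; only `fixed_disk_device_t` is used by the two `dontaudit` rules, so the attribute line should be dropped to keep the require block minimal and to avoid suggesting the interface assigns the attribute the way the neighbouring `storage_raw_read_fixed_disk` does. The summary also reads awkwardly; the convention for dontaudit interfaces would be `## Do not audit attempts by the caller to directly read from a fixed disk.` Because the adjacent interface's documentation warns that raw fixed-disk access bypasses filesystem labelling, it is worth adding a sentence noting that this interface grants nothing and only silences those denials, so that callers reach for it deliberately rather than losing a security-relevant audit signal. The hunk's leading context starts on the `########################################` separator, so the interface that precedes it lies outside this view.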