On Mon, 2008-08-04 at 14:35 +0200, david@xxxxxxxxxxx wrote: > plain text document attachment (policy_modules_kernel_storage.patch) > A few new paths and a new interface which is used by later patches Merged. In the future, when a new interface is created and then called, both changes should be in the same patch. > Index: refpolicy/policy/modules/kernel/storage.fc > =================================================================== > --- refpolicy.orig/policy/modules/kernel/storage.fc 2008-07-19 19:15:34.000000000 +0200 > +++ refpolicy/policy/modules/kernel/storage.fc 2008-08-03 18:09:53.000000000 +0200 > @@ -13,6 +13,7 @@ > /dev/cm20.* -b gen_context(system_u:object_r:removable_device_t,s0) > /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > +/dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0) > /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0) 
> @@ -48,6 +49,7 @@ > /dev/tw[a-z][^/]+ -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) > /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > +/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > /dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > > /dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) > Index: refpolicy/policy/modules/kernel/storage.if > =================================================================== > --- refpolicy.orig/policy/modules/kernel/storage.if 2008-08-03 16:46:56.000000000 +0200 > +++ refpolicy/policy/modules/kernel/storage.if 2008-08-03 18:09:53.000000000 +0200 > @@ -81,6 +81,26 @@ > > ######################################## > ## <summary> > +## dontaudit the caller attempts to read from a fixed disk. > +## </summary> > +## <param name="domain"> > +## <summary> > +## The type of the process performing this action. > +## </summary> > +## </param> > +# > +interface(`storage_dontaudit_raw_read_fixed_disk',` > + gen_require(` > + attribute fixed_disk_raw_read; > + type fixed_disk_device_t; > + ') > + > + dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; > + dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; > +') > + > +######################################## > +## <summary> > ## Allow the caller to directly read from a fixed disk. > ## This is extremly dangerous as it can bypass the > ## SELinux protections for filesystem objects, and > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
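Review bot: in the storage.if hunk, the gen_require block of storage_dontaudit_raw_read_fixed_disk declares `attribute fixed_disk_raw_read;` but the interface body never references that attribute; the two dontaudit rules only need `type fixed_disk_device_t;`, so the attribute line should be dropped from the require block. The summary text "dontaudit the caller attempts to read from a fixed disk." also reads awkwardly next to the neighbouring summaries; "Do not audit attempts by the caller to read from a fixed disk." would match the surrounding style.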