From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1429739070.aa590f23e36cbb49b36ea7fc389d26d9111055fc.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/fstools.fc policy/modules/system/fstools.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: aa590f23e36cbb49b36ea7fc389d26d9111055fc
X-VCS-Branch: master
Date: Wed, 22 Apr 2015 21:46:30 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     aa590f23e36cbb49b36ea7fc389d26d9111055fc
Author:     Jason Zaman perfinion com>
AuthorDate: Mon Apr 13 18:13:39 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Wed Apr 22 21:44:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa590f23

fstools: add in filetrans for /run dir

the blkid tool writes to /run/blkid/. This creates the "fstools_run_t" type and allows the transition in /run.
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0

In permissive:
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1

Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.

 policy/modules/system/fstools.fc | 3 +++
 policy/modules/system/fstools.te | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index be77216..9f3b9ca 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -63,6 +63,9 @@ /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0) +/var/run/fsck(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0) + ifdef(`distro_gentoo',` /sbin/mkfs\.f2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkfs\.f2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index a0cfb1d..868cf31 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te
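Review bot: the commit message names the new type "fstools_run_t" while both fcontext lines in the fstools.fc hunk label with fsadm_run_t; the message should be corrected to match the declared type before this is merged. The /var/run/fsck entry has no backing in the quoted audit log (every record is mkfs.ext4 creating /run/blkid and /run/blkid/blkid.tab), so a short note on which tool writes /run/fsck would help a later reader of this hunk. Also note the fcontexts are written against /var/run while the audited paths are /run/ and /run/blkid, which relies on the /run to /var/run path substitution in file_contexts.subs_dist being present on the target; worth a `matchpathcon /run/blkid` check on a Gentoo host after the policy is loaded.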
@@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t) type fsadm_tmp_t; files_tmp_file(fsadm_tmp_t) +type fsadm_run_t; +files_pid_file(fsadm_run_t) + type swapfile_t; # customizable files_type(swapfile_t) @@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; allow fsadm_t fsadm_tmp_t:file manage_file_perms; files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) +allow fsadm_t fsadm_run_t:dir manage_dir_perms; +allow fsadm_t fsadm_run_t:file manage_file_perms; +files_pid_filetrans(fsadm_t, fsadm_run_t, dir) + # log files allow fsadm_t fsadm_log_t:dir setattr; manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
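Review bot: the unnamed `files_pid_filetrans(fsadm_t, fsadm_run_t, dir)` in the second fstools.te hunk relabels every directory fsadm_t creates directly under /run, not only blkid and fsck; passing the name argument, `files_pid_filetrans(fsadm_t, fsadm_run_t, dir, "blkid")` and the same for "fsck", keeps the transition aligned with the two fcontext entries so some other fsadm_t tool creating a directory there does not silently get fsadm_run_t. Leaving the file class out of the transition is right: once /run/blkid is fsadm_run_t, blkid.tab inherits it on create and is covered by the manage_file_perms rule, which is what the "only transition on dir" note describes. Separately, moving /run/blkid out of var_run_t takes blkid.tab away from every domain that could previously read it as a generic pid file; any domain that runs libblkid against that cache will now need an interface in fstools.if granting read access to fsadm_run_t, and that should land with this change rather than as follow-up denials.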
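The reasoning behind the patch (which permissions the denials add up to, and why only the directory needs a transition while blkid.tab does not) can be mechanised. The following is an added example, not code from the commit or from refpolicy: a small audit2allow-style aggregator in Python that reads AVC records like the ones quoted above, groups permissions per (source type, target type, class), and then uses the audit serial (one serial per syscall event) to work out which `create` denials land in a directory that was not itself created by the same domain, i.e. where a type transition is needed. The sample log is a constructed copy of the permissive-mode records from the commit message with one non-AVC record kept to show it is skipped; the target type fsadm_run_t is taken from the patch, and the output is rendered as a raw named `type_transition` rather than the refpolicy `files_pid_filetrans` interface the patch uses.

```python
import re
from collections import defaultdict

# Constructed sample: the permissive-mode AVC records quoted in the commit
# message above, plus one CWD record to show non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
"""

# Real auditd output has two spaces around "denied"; \s+ accepts both forms.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avcs(text):
    """Turn AVC denial lines into dicts; SYSCALL/CWD/PATH records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        records.append({
            'serial': int(m.group('serial')),   # one serial == one syscall event
            'perms': set(m.group('perms').split()),
            'name': fields.get('name'),         # dentry name, not a full path
            'stype': fields['scontext'].split(':')[2],
            'ttype': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        })
    return records


def collect_rules(records):
    """Aggregate permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    return rules


def render_allow(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def suggest_filetrans(records):
    """Create denials whose parent directory was not created by this domain in an
    earlier event: those objects inherit the parent's generic type and need a
    type_transition. Objects created inside a directory that already
    transitioned inherit the new type and need none (the 'dir, not file' case)."""
    by_serial = defaultdict(list)
    for r in records:
        by_serial[r['serial']].append(r)
    created, needs = set(), []
    for serial in sorted(by_serial):
        event = by_serial[serial]
        # the 'write' denial on a dir in the same event names the parent directory
        parent = next((r['name'] for r in event
                       if r['tclass'] == 'dir' and 'write' in r['perms']), None)
        for r in event:
            if 'create' in r['perms']:
                if parent not in created:
                    needs.append((r['stype'], r['ttype'], r['tclass'], r['name']))
                created.add(r['name'])
    return needs


def render_filetrans(needs, new_type):
    """Named type_transition statements; new_type is the label the policy author chose."""
    return [f'type_transition {s} {t}:{c} {new_type} "{name}";'
            for s, t, c, name in needs]


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AUDIT)
    for line in render_allow(collect_rules(recs)):
        print(line)
    for line in render_filetrans(suggest_filetrans(recs), "fsadm_run_t"):
        print(line)
```

Run against the sample it prints the two aggregated allow rules on var_run_t and a single `type_transition fsadm_t var_run_t:dir fsadm_run_t "blkid";`; blkid.tab is not listed because its parent "blkid" was created (and so transitioned) by the same domain one event earlier. The allow rules are what you would get from audit2allow and are deliberately not what the patch adds: the patch grants manage permissions on the new fsadm_run_t type instead of on generic var_run_t, which is the point of introducing the type. The fcontext entry is still required alongside the transition so that restorecon and a fresh boot label the directory the same way.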