commit: 56dd0a71e0ed5a64b1a35987cb1b296e97dd38ea
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Sep 14 11:47:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:23:43 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56dd0a71
dphysswapfile: fix swapfile creation
Currently the policy only works when the swapfile already exists.
During creation swapfile_t is hard coded in `mkswap` and needs to be used.
v2:
move swapfile file context into fstools module
policy/modules/contrib/dphysswapfile.fc | 6 +++---
policy/modules/contrib/dphysswapfile.if | 6 ++++--
policy/modules/contrib/dphysswapfile.te | 14 +++++++++++++-
3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/dphysswapfile.fc
b/policy/modules/contrib/dphysswapfile.fc
index 70b0ee3a..dd8ab602 100644
--- a/policy/modules/contrib/dphysswapfile.fc
+++ b/policy/modules/contrib/dphysswapfile.fc
@@ -2,8 +2,8 @@
/etc/rc\.d/init\.d/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)
-/usr/bin/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/bin/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
-/usr/sbin/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+/usr/lib/systemd/system/dphys-swapfile\.service --
gen_context(system_u:object_r:dphysswapfile_unit_t,s0)
-/var/swap --
gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
+/usr/sbin/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
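Review bot: The `/var/swap` entry is dropped here, but the replacement the commit message describes ("move swapfile file context into fstools module") is not among the three files this commit changes. If the fstools entry is not already in the tree, a relabel would leave `/var/swap` with the generic label for `/var` rather than a swap-specific one, so the two changes should land together. `dphysswapfile_swap_t` stays declared in the .te file but no longer has any file context, which will puzzle the next reader; a comment such as `# /var/swap is labeled by the fstools module (swapfile_t); dphysswapfile_swap_t is only the creation-time label` would record that.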
diff --git a/policy/modules/contrib/dphysswapfile.if
b/policy/modules/contrib/dphysswapfile.if
index 7dda9553..c39464e4 100644
--- a/policy/modules/contrib/dphysswapfile.if
+++ b/policy/modules/contrib/dphysswapfile.if
@@ -11,6 +11,8 @@
## </param>
#
interface(`dphysswapfile_dontaudit_read_swap',`
+ refpolicywarn(`$0($*) has been deprecated')
+
gen_require(`
type dphysswapfile_swap_t;
')
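Review bot: The deprecation warning added to `dphysswapfile_dontaudit_read_swap` names no replacement, and the interface's `## <summary>` block (above the hunk, not visible here) is presumably left unchanged. Per the commit message the swap file ends up as `swapfile_t`, so a dontaudit rule on `dphysswapfile_swap_t` would no longer match it, and callers that relied on this interface may start logging read denials against the new label. If the fstools module has an equivalent interface, name it in the message (`$0($*) has been deprecated, use <replacement> instead.`); also mark the summary as deprecated. The interface body continues past the end of the hunk.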
@@ -38,12 +40,12 @@ interface(`dphysswapfile_dontaudit_read_swap',`
interface(`dphysswapfile_admin',`
gen_require(`
type dphysswapfile_t, dphysswapfile_conf_t;
- type dphysswapfile_initrc_exec_t;
+ type dphysswapfile_initrc_exec_t, dphysswapfile_unit_t;
')
admin_process_pattern($1, dphysswapfile_t)
- init_startstop_service($1, $2, dphysswapfile_t,
dphysswapfile_initrc_exec_t)
+ init_startstop_service($1, $2, dphysswapfile_t,
dphysswapfile_initrc_exec_t, dphysswapfile_unit_t)
files_search_etc($1)
admin_pattern($1, dphysswapfile_conf_t)
diff --git a/policy/modules/contrib/dphysswapfile.te
b/policy/modules/contrib/dphysswapfile.te
index dfd04e32..4bfe7826 100644
--- a/policy/modules/contrib/dphysswapfile.te
+++ b/policy/modules/contrib/dphysswapfile.te
@@ -18,6 +18,9 @@ init_script_file(dphysswapfile_initrc_exec_t)
type dphysswapfile_swap_t;
files_type(dphysswapfile_swap_t)
+type dphysswapfile_unit_t;
+init_unit_file(dphysswapfile_unit_t)
+
########################################
#
# Policy
@@ -32,20 +35,29 @@ allow dphysswapfile_t dphysswapfile_conf_t:file
read_file_perms;
allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
-allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+allow dphysswapfile_t dphysswapfile_swap_t:file { manage_file_perms
relabelfrom };
kernel_read_system_state(dphysswapfile_t)
corecmd_exec_bin(dphysswapfile_t)
corecmd_exec_shell(dphysswapfile_t)
+dev_read_rand(dphysswapfile_t)
+dev_read_urand(dphysswapfile_t)
+
# ignore ls -l /var/swap noise
files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
files_read_etc_files(dphysswapfile_t)
files_search_var(dphysswapfile_t)
+files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)
fstools_exec(dphysswapfile_t)
+# swapfile_t is hardcoded in mkswap
+fstools_manage_swap_files(dphysswapfile_t)
+fstools_relabelto_swap_files(dphysswapfile_t)
miscfiles_read_localization(dphysswapfile_t)
+storage_getattr_removable_dev(dphysswapfile_t)
+
userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
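Review bot: `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file)` is an unnamed transition, so every regular file this domain creates in a var_t directory gets the swap label, and the widened allow rule then lets the domain relabel it away. If the interface in this tree accepts the optional name argument, `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file, "swap")` would limit the transition to the default /var/swap path; a swapfile configured elsewhere would need separate handling. `fstools_manage_swap_files` grants manage access to every swapfile_t file, not only the one being created, and the `# swapfile_t is hardcoded in mkswap` comment explains the type but not why full manage access is needed. The new `dev_read_rand`, `dev_read_urand` and `storage_getattr_removable_dev` lines have no comment at all; each should get one line naming the denial it resolves (for example `# mkswap reads random data when generating the swap UUID`, if that is the confirmed cause), so later reviewers can tell whether both random devices are really required.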