From 8c7670c1e66953de82781cce9be812716e02c1b2 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mar 12 2019 12:37:06 +0000
Subject: policycoreutils/modules: Use filesystem_type instead of fs_t

Sometime, /tmp can be tmpfs_t so we need to allow test_t to be associated to all filesystem types.

Fixes:
:: [ 08:16:37 ] :: [ BEGIN ] :: Running 'chcon -t test_t test_file'
chcon: failed to change context of 'test_file' to ‘unconfined_u:object_r:test_t:s0’: Permission denied
:: [ 08:16:37 ] :: [ FAIL ] :: Command 'chcon -t test_t test_file' (Expected 0, got 1)
type=AVC msg=audit(1552392203.833:2467): avc: denied { associate } for pid=571 comm="chcon" name="test_file" dev="tmpfs" ino=77668 scontext=unconfined_u:object_r:test_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
---
diff --git a/policycoreutils/modules/runtest.sh b/policycoreutils/modules/runtest.sh
index 369f282..280c831 100755
--- a/policycoreutils/modules/runtest.sh
+++ b/policycoreutils/modules/runtest.sh
@@ -47,14 +47,14 @@ module test_module 1.0;
 require {
 type unconfined_t;
- type fs_t;
+ attribute filesystem_type;
 class file { getattr ioctl lock open read relabelto write };
 class filesystem { associate };
 }
 type test_t;
-allow test_t fs_t:filesystem { associate };
+allow test_t filesystem_type:filesystem { associate };
 allow unconfined_t test_t:file { getattr ioctl lock open read relabelto};
 dontaudit unconfined_t test_t:file { write };
 EOF"
@@ -84,7 +84,7 @@ EOF"
 # create new type, allow reading, do not allow writing
 rlRun "cat << EOF >test_module.cil
 (type test_t)
-(allow test_t fs_t (filesystem (associate)))
+(allow test_t filesystem_type (filesystem (associate)))
 (allow unconfined_t test_t (file (getattr ioctl lock open read relabelto)))
 (dontaudit unconfined_t test_t (file (write)))
 EOF"
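Review bot: The new `+allow test_t filesystem_type:filesystem { associate };` grants association on every filesystem type known to the loaded policy rather than on tmpfs_t alone, and nothing in the module text records why the broader attribute was chosen; the same substitution recurs verbatim in the four CIL heredocs at -84, -112, -129 and -156. A comment inside the heredoc, `# test_file may sit on tmpfs (tmpfs_t), so associate with any filesystem_type rather than fs_t only`, would keep that reasoning next to the rule, which is a reasonable scope for a short-lived test type. Since all five heredocs now carry the identical associate rule, hoisting it into one shell variable (e.g. `ASSOCIATE_RULE='(allow test_t filesystem_type (filesystem (associate)))'` for the CIL cases) would mean the next such change touches a single line. The rlRun heredoc that holds this module text opens before the hunk.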
@@ -112,7 +112,7 @@ EOF"
 # create new type, allow reading and writing
 rlRun "cat << EOF >test_module.cil
 (type test_t)
-(allow test_t fs_t (filesystem (associate)))
+(allow test_t filesystem_type (filesystem (associate)))
 (allow unconfined_t test_t (file (getattr ioctl lock open read relabelto write)))
 EOF"
@@ -129,7 +129,7 @@ EOF"
 # create new type, allow only reading
 rlRun "cat << EOF >test_module.cil
 (type test_t)
-(allow test_t fs_t (filesystem (associate)))
+(allow test_t filesystem_type (filesystem (associate)))
 (allow unconfined_t test_t (file (getattr ioctl lock open read relabelto)))
 (dontaudit unconfined_t test_t (file (write)))
 EOF"
@@ -156,7 +156,7 @@ EOF"
 # create new type, allow reading
 rlRun "cat << EOF >test_module.cil
 (type test_t)
-(allow test_t fs_t (filesystem (associate)))
+(allow test_t filesystem_type (filesystem (associate)))
 (allow unconfined_t test_t (file (getattr ioctl lock open read relabelto)))
 (dontaudit unconfined_t test_t (file (write)))
 EOF"