Skip to content

Commit 319ac61

Browse files
etbeetbe
authored
fsadm (#1129)
* Changes needed for fsadm_t when sysadm_t is used instead of unconfined_t for root fowner capability is for btrfs subvol snapshot of subvols not owned by root rw non auth dirs is for btrfs operations on dirs sysipc info is for parted Signed-off-by: Russell Coker <russell@coker.com.au>
1 parent 2f1b5a9 commit 319ac61

2 files changed

Lines changed: 23 additions & 1 deletion

File tree

policy/modules/kernel/files.if

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1599,6 +1599,24 @@ interface(`files_rw_non_auth_files',`
15991599
rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
16001600
')
16011601

1602+
########################################
1603+
## <summary>
1604+
## rw non-authentication related dirs.
1605+
## </summary>
1606+
## <param name="domain">
1607+
## <summary>
1608+
## Domain allowed access.
1609+
## </summary>
1610+
## </param>
1611+
#
1612+
interface(`files_rw_non_auth_dirs',`
1613+
gen_require(`
1614+
attribute non_auth_file_type;
1615+
')
1616+
1617+
allow $1 non_auth_file_type:dir rw_dir_perms;
1618+
')
1619+
16021620
########################################
16031621
## <summary>
16041622
## Manage non-authentication related

policy/modules/system/fstools.te

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ ifdef(`distro_gentoo',`
3333
#
3434

3535
# ipc_lock is for losetup
36-
allow fsadm_t self:capability { dac_override dac_read_search ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
36+
allow fsadm_t self:capability { dac_override dac_read_search fowner ipc_lock sys_admin sys_rawio sys_resource sys_tty_config };
3737
dontaudit fsadm_t self:capability net_admin;
3838
allow fsadm_t self:process { dyntransition execstack getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched setsockcreate share siginh signal_perms transition };
3939
allow fsadm_t self:fd use;
@@ -69,6 +69,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
6969
# Enable swapping to files
7070
allow fsadm_t swapfile_t:file rw_file_perms;
7171

72+
kernel_get_sysvipc_info(fsadm_t)
7273
kernel_read_system_state(fsadm_t)
7374
kernel_read_kernel_sysctls(fsadm_t)
7475
kernel_request_load_module(fsadm_t)
@@ -120,6 +121,8 @@ files_manage_lost_found(fsadm_t)
120121
# Write to /etc/mtab.
121122
files_manage_etc_runtime_files(fsadm_t)
122123
files_etc_filetrans_etc_runtime(fsadm_t, file)
124+
# btrfs subvol snapshot.
125+
files_rw_non_auth_dirs(fsadm_t)
123126

124127
fs_getattr_cgroup(fsadm_t)
125128
fs_getattr_dos_fs(fsadm_t)
@@ -208,6 +211,7 @@ optional_policy(`
208211

209212
optional_policy(`
210213
# for smartctl cron jobs
214+
cron_rw_inherited_tmp_files(fsadm_t)
211215
cron_system_entry(fsadm_t, fsadm_exec_t)
212216
')
213217

0 commit comments

Comments
 (0)