Allow kernel_t to manage and relabel all files
Extend the ability to manage all files also to character & block
device files and also allow relabeling any file.

This is required for early boot overlay mounts to fully work, but may be
needed for other legitimate operations as well.

See also: ostreedev/ostree#3062

Signed-off-by: Ondrej Mosnacek <[email protected]>
WOnder93 committed Oct 6, 2023
1 parent 0366c6e commit 2f17241
Showing 2 changed files with 41 additions and 0 deletions.
38 changes: 38 additions & 0 deletions policy/modules/kernel/files.if
Expand Up @@ -1839,6 +1839,44 @@ interface(`files_manage_all_files',`
')
')

########################################
## <summary>
## Manage all block device files on the filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_all_blk_files',`
gen_require(`
attribute file_type;
')

manage_blk_files_pattern($1, file_type, file_type)
')

########################################
## <summary>
## Manage all character device files on the filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`files_manage_all_chr_files',`
gen_require(`
attribute file_type;
')

manage_chr_files_pattern($1, file_type, file_type)
')

########################################
## <summary>
## Grant execute access to all files on the filesystem,
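Review bot: the two new interfaces (`files_manage_all_blk_files`, `files_manage_all_chr_files`) grant create/read/write/unlink/rename on block and character device nodes of every `file_type`, which includes device nodes living outside the usual device directories, yet their `<summary>` blocks say only "Manage all ... device files on the filesystem" with no indication of how broad that is or who is expected to call them. Consider adding a `<desc>` block beside each `<summary>` stating that the interface is intended for the kernel domain and other privileged mounters (e.g. early boot overlay setup, per the commit message) and should not be used by ordinary service domains, so that future policy authors auditing a `sesearch` result for `file_type:blk_file manage` have the rationale in the interface docs rather than only in git history.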
3 changes: 3 additions & 0 deletions policy/modules/kernel/kernel.te
Expand Up @@ -385,6 +385,9 @@ domain_rw_all_sockets(kernel_t)
domain_obj_id_change_exemption(kernel_t)

files_manage_all_files(kernel_t)
files_manage_all_blk_files(kernel_t)
files_manage_all_chr_files(kernel_t)
files_relabel_all_files(kernel_t)
# The 'execute' permission on lower inodes is checked against the mounter
# cred by overlayfs, so we need to grant it to allow overlay mounts created
# during early boot to work.
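Review bot: `files_relabel_all_files(kernel_t)` is added without an accompanying comment, while the neighbouring lines carefully justify the execute grant; the commit message ties the change to early boot overlay mounts and "other legitimate operations" but does not name them. Add a comment above the three new calls explaining which early boot path requires relabelfrom/relabelto on all `file_type` objects (the overlay mount of an already-labeled tree, presumably, but the hunk does not say) so reviewers can later judge whether a narrower attribute would suffice. It is also worth noting in the comment that, combined with the existing `files_manage_all_files`, `kernel_t` can now create, modify and relabel any device node anywhere in the filesystem, which is a useful fact for anyone tuning `dontaudit`/`neverallow` rules or investigating unexpected relabels attributed to the kernel domain in audit logs.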