Update the SELinux policy for cachefilesd

Signed-off-by: David Howells <dhowells@redhat.com>

4 files changed, 74 insertions, 36 deletions

diff --git a/cachefilesd.conf b/cachefilesd.conf
index 3796f5c..793d7e2 100644
--- a/cachefilesd.conf
+++ b/cachefilesd.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Copyright (C) 2006,2010 Red Hat, Inc. All Rights Reserved.
 # Written by David Howells (dhowells@redhat.com)
 #
 # This program is free software; you can redistribute it and/or
@@ -18,3 +18,7 @@ bstop 3%
 frun 10%
 fcull 7%
 fstop 3%
+
+# Assuming you're using SELinux with the default security policy included in
+# this package
+secctx system_u:system_r:cachefiles_kernel_t:s0
diff --git a/redhat/cachefilesd.spec b/redhat/cachefilesd.spec
index f660ae2..1f023ca 100644
--- a/redhat/cachefilesd.spec
+++ b/redhat/cachefilesd.spec
@@ -9,9 +9,6 @@ Group:          System Environment/Daemons
 License:        GPL
 URL:  		http://people.redhat.com/~dhowells/fscache/
 Source0:        http://people.redhat.com/dhowells/fscache/cachefilesd-%{version}.tar.bz2
-Source1:        cachefilesd.if
-Source2:        cachefilesd.te
-Source3:        cachefilesd.fc
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 BuildRequires: automake, autoconf
@@ -39,8 +36,6 @@ SELinux policy module supporting cachefilesd
 
 %prep
 %setup -q
-mkdir SELinux
-cp -p %{SOURCE1} %{SOURCE2} %{SOURCE3} SELinux
 
 %build
 %ifarch s390 s390x
@@ -54,11 +49,13 @@ CFLAGS="`echo $RPM_OPT_FLAGS $ARCH_OPT_FLAGS $PIE`"
 make all
 
 # Build SELinux policy modules
-cd SELinux
+cd selinux
 for selinuxvariant in %{selinux_variants}
 do
     make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
-    mv cachefilesd.pp cachefilesd.pp.${selinuxvariant}
+    mkdir ${selinuxvariant}
+    mv cachefilesd.pp ${selinuxvariant}/cachefilesd.pp
+    bzip2 -9 ${selinuxvariant}/cachefilesd.pp
     make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
 done
 cd -
@@ -69,19 +66,21 @@ mkdir -p %{buildroot}/sbin
 mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d
 mkdir -p %{buildroot}%{_mandir}/{man5,man8}
 mkdir -p %{buildroot}/usr/share/doc/%{name}-%{version}
+mkdir -p %{buildroot}/usr/share/doc/%{name}-selinux-%{version}
 mkdir -p %{buildroot}%{_localstatedir}/fscache
 make DESTDIR=%{buildroot} install
 
 install -m 644 cachefilesd.conf %{buildroot}%{_sysconfdir}
 install -m 755 cachefilesd.initd %{buildroot}%{_sysconfdir}/rc.d/init.d/cachefilesd
+install -m 644 selinux/move-cache.txt %{buildroot}/usr/share/doc/%{name}-selinux-%{version}/
 
 # Install SELinux policy modules
-cd SELinux
+cd selinux
 for selinuxvariant in %{selinux_variants}
 do
     install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
-    install -p -m 644 cachefilesd.pp.${selinuxvariant} \
-           %{buildroot}%{_datadir}/selinux/${selinuxvariant}/cachefilesd.pp
+    install -p -m 644 ${selinuxvariant}/cachefilesd.pp.bz2 \
+           %{buildroot}%{_datadir}/selinux/${selinuxvariant}
 done
 cd -
 
@@ -103,7 +102,7 @@ fi
 for selinuxvariant in %{selinux_variants}
 do
   /usr/sbin/semodule -s ${selinuxvariant} -i \
-    %{_datadir}/selinux/${selinuxvariant}/cachefilesd.pp &> /dev/null || :
+    %{_datadir}/selinux/${selinuxvariant}/cachefilesd.pp.bz2 &> /dev/null || :
 done
 
 %preun
@@ -135,7 +134,6 @@ fi
 %defattr(-,root,root)
 %doc README
 %doc howto.txt
-%doc move-cache.txt
 %config(noreplace) %{_sysconfdir}/cachefilesd.conf
 %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/cachefilesd
 /sbin/*
@@ -144,10 +142,18 @@ fi
 
 %files selinux
 %defattr(-,root,root,0755)
-%doc SELinux/*
-%{_datadir}/selinux/*/cachefilesd.pp
+%doc selinux/move-cache.txt
+%doc selinux/*.fc
+%doc selinux/*.if
+%doc selinux/*.te
+%{_datadir}/selinux/*/cachefilesd.pp.bz2
 
 %changelog
+
+* Thu Feb 25 2010 David Howells <dhowells@redhat.com>
+- Fix the SELinux policies for cachefilesd.
+- Compress the installed policy files.
+
 * Tue Feb 23 2010 David Howells <dhowells@redhat.com>
 - Must include sys/stat.h to use stat() and co. [RH BZ 565135].
 - Remove tail comments from functions.
diff --git a/selinux/cachefilesd.te b/selinux/cachefilesd.te
index b7cff68..61372e6 100644
--- a/selinux/cachefilesd.te
+++ b/selinux/cachefilesd.te
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
 # Written by David Howells (dhowells@redhat.com)
 #            Karl MacMillan (kmacmill@redhat.com)
 #
@@ -17,13 +17,12 @@
 # cache, on behalf of the processes accessing the cache through a network
 # filesystem such as NFS
 #
-policy_module(cachefilesd,1.0.16)
+policy_module(cachefilesd,1.0.17)
 
 ###############################################################################
 #
 # Declarations
 #
-###############################################################################
 require { type kernel_t; }
 
 #
@@ -54,29 +53,32 @@ type cachefilesd_var_run_t;
 files_pid_file(cachefilesd_var_run_t)
 
 #
-# The CacheFiles module causes processes accessing the cache files to do so
-# acting as security ID cachefiles_kernel_t
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
 #
 type cachefiles_kernel_t;
 domain_type(cachefiles_kernel_t)
 domain_obj_id_change_exemption(cachefiles_kernel_t)
-type_transition cachefilesd_t kernel_t : process cachefiles_kernel_t;
+role system_r types cachefiles_kernel_t;
 
 ###############################################################################
 #
 # Permit RPM to deal with files in the cache
 #
-###############################################################################
 rpm_use_script_fds(cachefilesd_t)
 
 ###############################################################################
 #
 # cachefilesd local policy
 #
-# Check in /etc/selinux/refpolicy/include for macros to use instead of allow
+# These define what cachefilesd is permitted to do.  This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache.  It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
 # rules.
 #
-###############################################################################
 allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
 
 # Basic access
@@ -91,28 +93,53 @@ term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
 
 # Allow manipulation of pid file
 allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
 files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
 
-# Allow read access to cache
-allow cachefilesd_t cachefiles_var_t : dir create_dir_perms;
-allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
-
-# Access to cachefiles device
+# Allow access to cachefiles device file
 allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
 
-# Permit the filesystem to be statfs'd
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms;
+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+
+# Permit statfs on the backing filesystem
 fs_getattr_xattr_fs(cachefilesd_t)
 
 ###############################################################################
 #
-# cachefiles kernel module local policy
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
 #
+# There are two parts to this:
+#
+#   (1) the security context used by the module to access files in the cache,
+#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+
+#
+#   (2) the label that will be assigned to new files and directories created in
+#       the cache by the module, which will be the same as the label on the
+#       directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+
 ###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
 allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
 allow cachefiles_kernel_t initrc_t:process sigchld;
 
-allow cachefiles_kernel_t cachefiles_var_t : dir manage_dir_perms;
-allow cachefiles_kernel_t cachefiles_var_t : file create_file_perms;
+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
 
 fs_getattr_xattr_fs(cachefiles_kernel_t)
 
diff --git a/selinux/move-cache.txt b/selinux/move-cache.txt
index 8e2f09c..2444712 100644
--- a/selinux/move-cache.txt
+++ b/selinux/move-cache.txt
@@ -5,7 +5,7 @@
 If the cache is being used on a system on which SELinux is active and running
 in enforcing mode, then the security policy installed by the cachefilesd RPM
 needs to be updated to permit the CacheFiles module and daemon to access the
-cache.
+cache if the cache is moved.
 
 The simplest way to do this is to add an auxiliary policy to mark out the
 location of the new cache, whilst leaving the old location still available for
@@ -31,8 +31,8 @@ ADDING AN AUXILIARY POLICY
 Creating and adding an auxiliary policy is very easy.  Follow the following
 steps:
 
- (0) Check that checkpolicy and selinux-policy-devel packages are installed.
-     These are needed to build your policy.
+ (0) Check that checkpolicy and selinux-policy* packages are installed.  These
+     are needed to build your policy.
 
  (1) Create a new directory and go into it.
 
@@ -75,6 +75,7 @@ steps:
  (8) Modify /etc/cachefilesd.conf to point to the correct directory and then
      start the cachefilesd service.
 
+
 The auxiliary policy can be later removed by:
 
 	semodule -r mycache.pp