From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Interface to read and write the mount_runtime_t directory.
Date: Tue, 15 Jan 2019 03:20:28 +0000
Message-ID: <20190115032018.28662-1-dsugar@tresys.com>
X-Mailer: git-send-email 2.20.1
I see this denial when mounting media. I'm running mount_exec_t from my domain, not transitioning.

type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar
---
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index bf9a8bf3..31475bde 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
 	rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
 ')
 
+########################################
+##
+##	Read and write mount runtime directory
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`mount_rw_runtime_dir',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:dir rw_dir_perms;
+')
+
-- 
2.20.1
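Review bot: the new `allow $1 mount_runtime_t:dir rw_dir_perms;` rule in the mount_rw_runtime_dir interface grants more than the `{ read write }` shown in the AVC in the description; in refpolicy rw_dir_perms also carries add_name and remove_name, so the caller will be able to create and remove entries in the mount runtime directory. That may well be what mount needs, but the commit message should say so rather than leaving the reader to infer it from one denial. The description also does not explain why mount is run from the caller's own domain (settings_sudo_t in the AVC) without a transition to the mount domain; since a domain transition is the usual way to keep write access to mount_runtime_t confined to mount itself, state the reason the transition is not used, so the reviewer can judge whether a new read/write interface on the directory is the right fix.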