From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Add interface to allow relabeling of iso 9660 filesystems.
Date: Tue, 5 Mar 2019 22:32:44 +0000
Message-ID: <20190305223209.18922-1-dsugar@tresys.com>

I have a case where I'm labeling media with my own types to control access. But that is requiring that I relabel from iso9660_t to my own type. This interface allows that relabel.

type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar
--- policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/fi= lesystem.if index 048b9d65..a22cb6ba 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
@@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',` allow $1 iso9660_t:filesystem remount; ') =20 +######################################## +## +## Allow changing of the label of a +## filesystem with iso9660 type +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem relabelfrom; +') + ######################################## ## ## Unmount an iso9660 filesystem, which --=20 2.20.1
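
Review bot: The summary comment above fs_relabelfrom_iso9660_fs says "Allow changing of the label of a filesystem with iso9660 type", which reads broader than the one rule the interface carries, allow $1 iso9660_t:filesystem relabelfrom;. Consider wording it like the neighbouring interfaces (the next one begins "Unmount an iso9660 filesystem"), for example "Allow relabeling from an iso9660 filesystem", and noting in the description that the caller still needs relabelto on the filesystem class of its destination type, because this interface grants only the relabelfrom half of the relabel described in the commit message.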