2014-08-11 13:33:16

by Mira Ressel

Subject: [refpolicy] [PATCH 1/3] system/mount.if: Add mount_rw_loopback_files interface

---
policy/modules/system/mount.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`

allow $1 mount_loopback_t:file read_file_perms;
')
+
+########################################
+## <summary>
+## Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+ gen_require(`
+ type mount_loopback_t;
+ ')
+
+ allow $1 mount_loopback_t:file rw_file_perms;
+')
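Review bot: rw_file_perms on mount_loopback_t gives the caller write and append access to the image files themselves, not merely the ability to attach them, so the summary at the top of the hunk should say so, for example "Read and write loopback filesystem image files (the caller can modify image contents)." Otherwise the interface mirrors the existing mount_read_loopback_files directly above it, which is the right pattern to follow.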
--
2.0.4


2014-08-11 13:33:17

by Mira Ressel

Subject: [refpolicy] [PATCH 2/3] system/fstools.if: Add fstools_use_fds interface

---
policy/modules/system/fstools.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 016a770..c4bbd88 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -83,6 +83,24 @@ interface(`fstools_signal',`

########################################
## <summary>
+## Inherit fstools file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`fstools_use_fds',`
+ gen_require(`
+ type fsadm_t;
+ ')
+
+ allow $1 fsadm_t:fd use;
+')
+
+########################################
+## <summary>
## Read fstools unnamed pipes.
## </summary>
## <param name="domain">
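Review bot: the parameter summary "The type of the process performing this action." differs from the wording used by the neighbouring interfaces and by mount_rw_loopback_files in patch 1/3 ("Domain allowed access."); use the same phrase for consistency. The rule itself, allow $1 fsadm_t:fd use, is the minimal permission for inheriting descriptors and matches the "Inherit fstools file descriptors." summary.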
--
2.0.4

2014-08-11 13:33:18

by Mira Ressel

Subject: [refpolicy] [PATCH 3/3] Add necessary permissions for losetup

This allows losetup to bind mount_loopback_t files to loop devices.
---
policy/modules/kernel/kernel.te | 5 +++++
policy/modules/system/fstools.te | 5 +++++
2 files changed, 10 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7fe10c3..777f180 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
')

optional_policy(`
+ # loop devices
+ fsadm_use_fds(kernel_t)
+')
+
+optional_policy(`
hotplug_search_config(kernel_t)
')
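Review bot: fsadm_use_fds(kernel_t) does not match the interface added in patch 2/3, which is named fstools_use_fds (refpolicy interfaces are prefixed with the module name, fstools, not the domain type fsadm_t), so this hunk will fail to build; change the call to fstools_use_fds(kernel_t). Wrapping it in optional_policy(`...') is correct, since the fstools module need not be present.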

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b876224..1d40813 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)
+# for losetup
+dev_rw_loop_control(fsadm_t)

domain_use_interactive_fds(fsadm_t)
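Review bot: the comment "# for losetup" above dev_rw_loop_control(fsadm_t) names the tool rather than the resource, unlike the neighbouring "# Access to /dev/mapper/control"; write it as "# Access to /dev/loop-control (losetup)" so the reader sees which device node the read-write permission covers. Read-write access to the loop control device is what losetup needs to allocate and release loop devices, so the permission scope is appropriate.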

@@ -125,6 +127,9 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)

+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
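Review bot: mount_rw_loopback_files(fsadm_t) is called unconditionally, so fstools now hard-depends on the mount module; if mount is not always built together with fstools, wrap the call in optional_policy(`...') as the kernel.te hunk of this same patch does for its fstools call. The comment already states the purpose (losetup attaching mount_loopback_t files), which is good.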
--
2.0.4

2014-08-11 13:37:08

by Mira Ressel

Subject: [refpolicy] [PATCH 3/3] Add necessary permissions for losetup

On Mon, 11 Aug 2014 15:33:18 +0200
Luis Ressel <[email protected]> wrote:

> diff --git a/policy/modules/system/fstools.te
> b/policy/modules/system/fstools.te index b876224..1d40813 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
> dev_getattr_usbfs_dirs(fsadm_t)
> # Access to /dev/mapper/control
> dev_rw_lvm_control(fsadm_t)
> +# for losetup
> +dev_rw_loop_control(fsadm_t)
>
> domain_use_interactive_fds(fsadm_t)
>
> @@ -125,6 +127,9 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
> +# losetup: bind mount_loopback_t files to loop devices
> +mount_rw_loopback_files(fsadm_t)
> +
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)

I hope these are at the correct positions now as Chris requested.


Regards,
Luis Ressel

2014-08-11 22:19:34

by Mira Ressel

Subject: [refpolicy] [PATCH 3/3] Add necessary permissions for losetup

On Mon, 11 Aug 2014 15:33:18 +0200
Luis Ressel <[email protected]> wrote:

> optional_policy(`
> + # loop devices
> + fsadm_use_fds(kernel_t)
> +')
> +
> +optional_policy(`
> hotplug_search_config(kernel_t)
> ')

Whoops, that patch is faulty, it should be fstools_use_fds() of course.
I'll send a new patch.

2014-08-11 22:24:15

by Mira Ressel

Subject: [refpolicy] [PATCH v2 3/3] Add necessary permissions for losetup

This allows losetup to bind mount_loopback_t files to loop devices.
---
policy/modules/kernel/kernel.te | 5 +++++
policy/modules/system/fstools.te | 5 +++++
2 files changed, 10 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7fe10c3..fdd5b8d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
')

optional_policy(`
+ # loop devices
+ fstools_use_fds(kernel_t)
+')
+
+optional_policy(`
hotplug_search_config(kernel_t)
')
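Review bot: this hunk now calls fstools_use_fds(kernel_t), which fixes the interface name from v1, but the comment "# loop devices" does not explain why kernel_t needs fsadm_t descriptors; expand it to something like "# loop devices: use backing-file fds passed by losetup", since the descriptor the kernel inherits is the one losetup opens on the image file when it attaches a loop device.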

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b876224..1d40813 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)
+# for losetup
+dev_rw_loop_control(fsadm_t)

domain_use_interactive_fds(fsadm_t)

@@ -125,6 +127,9 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)

+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
--
2.0.4

2014-08-19 12:46:33

by cpebenito

Subject: [refpolicy] [PATCH v2 3/3] Add necessary permissions for losetup

On 8/11/2014 6:24 PM, Luis Ressel wrote:
> This allows losetup to bind mount_loopback_t files to loop devices.

This set is merged.

> ---
> policy/modules/kernel/kernel.te | 5 +++++
> policy/modules/system/fstools.te | 5 +++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 7fe10c3..fdd5b8d 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
> ')
>
> optional_policy(`
> + # loop devices
> + fstools_use_fds(kernel_t)
> +')
> +
> +optional_policy(`
> hotplug_search_config(kernel_t)
> ')
>
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index b876224..1d40813 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
> dev_getattr_usbfs_dirs(fsadm_t)
> # Access to /dev/mapper/control
> dev_rw_lvm_control(fsadm_t)
> +# for losetup
> +dev_rw_loop_control(fsadm_t)
>
> domain_use_interactive_fds(fsadm_t)
>
> @@ -125,6 +127,9 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
> +# losetup: bind mount_loopback_t files to loop devices
> +mount_rw_loopback_files(fsadm_t)
> +
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com