From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 01 Oct 2010 15:01:12 -0400
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
In-Reply-To: <4CA5FE07.80504@redhat.com>
References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain> <4CA5F5A3.2080708@tresys.com> <20101001151000.GE14548@localhost.localdomain> <4CA5FE07.80504@redhat.com>
Message-ID: <4CA62FF8.4050201@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/01/10 11:28, Daniel J Walsh wrote:
> On 10/01/2010 11:10 AM, Dominick Grift wrote:
>> On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
>>> On 10/01/10 10:30, Dominick Grift wrote:
>>>> On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
>>>>> On 09/24/10 15:37, Dominick Grift wrote:
>>>>>> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te >>>>>> index fca6947..5f5f331 100644 >>>>>> --- a/policy/modules/system/mount.te >>>>>> +++ b/policy/modules/system/mount.te >>>>> >>>>>> @@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t) >>>>>> fs_unmount_all_fs(mount_t) >>>>>> fs_remount_all_fs(mount_t) >>>>>> fs_relabelfrom_all_fs(mount_t) >>>>>> -fs_list_auto_mountpoints(mount_t) >>>>>> +# wants to list usbfs_t >>>>>> +fs_list_all(mount_t)
>>>>>
>>>>> If you know it wants to list usbfs, why list all?

> I am pretty sure this comes up with things like debugfs and others. I
> don't see why you would not accept this since mount is a powerful
> domain and this hardly seems like a preventive measure. You are just
> enabling a lot of stupid AVC messages by not allowing it to list.

I didn't say I was rejecting it. I was asking a question.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
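
Review bot: The comment added above `fs_list_all(mount_t)` in the mount.te hunk names only usbfs_t, yet the call grants directory listing on every filesystem type and replaces the narrower `fs_list_auto_mountpoints(mount_t)`. Either use a usbfs-specific list interface here, or, if the broad grant is intended (the thread mentions debugfs and others coming up the same way), reword the comment to say so and record which AVC denials motivated it, so the wider access is documented in the policy source.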