From: domg472@gmail.com (Dominick Grift)
Date: Mon, 4 Oct 2010 11:18:08 +0200
Subject: [refpolicy] [patch 1/1] stuff to make refpolicy boot on fedora 13.
In-Reply-To: <4CA62FF8.4050201@tresys.com>
References: <20100924193754.GA28777@localhost.localdomain> <4CA5E90E.3030206@tresys.com> <20101001143000.GB14548@localhost.localdomain> <4CA5F5A3.2080708@tresys.com> <20101001151000.GE14548@localhost.localdomain> <4CA5FE07.80504@redhat.com> <4CA62FF8.4050201@tresys.com>
Message-ID: <20101004091806.GA2793@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 01, 2010 at 03:01:12PM -0400, Christopher J. PeBenito wrote:
> On 10/01/10 11:28, Daniel J Walsh wrote:
> >On 10/01/2010 11:10 AM, Dominick Grift wrote:
> >>On Fri, Oct 01, 2010 at 10:52:19AM -0400, Christopher J. PeBenito wrote:
> >>>On 10/01/10 10:30, Dominick Grift wrote:
> >>>>On Fri, Oct 01, 2010 at 09:58:38AM -0400, Christopher J. PeBenito wrote:
> >>>>>On 09/24/10 15:37, Dominick Grift wrote:
> >>>>>>diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> >>>>>>index fca6947..5f5f331 100644
> >>>>>>--- a/policy/modules/system/mount.te
> >>>>>>+++ b/policy/modules/system/mount.te
> >>>>>
> >>>>>>@@ -87,7 +91,8 @@ fs_mount_all_fs(mount_t)
> >>>>>> fs_unmount_all_fs(mount_t)
> >>>>>> fs_remount_all_fs(mount_t)
> >>>>>> fs_relabelfrom_all_fs(mount_t)
> >>>>>>-fs_list_auto_mountpoints(mount_t)
> >>>>>>+# wants to list usbfs_t
> >>>>>>+fs_list_all(mount_t)
> >>>>>
> >>>>>If you know it wants to list usbfs, why list all?
> >I am pretty sure this comes up with things like debugfs and others. I
> >don't see why you would not accept this since mount is a powerful
> >domain and this hardly seems like a preventive measure. You are just
> >enabling a lot of stupid AVC messages by not allowing it to list.
>
> I didn't say I was rejecting it. I was asking a question.

I just tested it and it seems to only need the listing of usbfs dirs so far. I haven't executed any exotic mount commands but I did do a simple mount to get a listing of all mounts and I rebooted a couple times. So for now I will do what PeBenito suggests and keep an eye on this issue.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
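Review bot: in the mount.te hunk, replacing fs_list_auto_mountpoints(mount_t) with fs_list_all(mount_t) grants mount_t more than the added comment justifies, since the comment names only usbfs_t. Suggest keeping the fs_list_auto_mountpoints(mount_t) line and adding a list rule scoped to usbfs next to it, widening to fs_list_all only if further denials show up. If fs_list_all stays, the comment should state why listing every filesystem type is needed rather than naming usbfs_t alone, and it should be confirmed that the access removed with fs_list_auto_mountpoints is still covered.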