From: gizmo@giz-works.com (Chris Richards) Date: Mon, 8 Nov 2010 19:25:31 -0600 Subject: [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems Message-ID: <1289265935-2604-1-git-send-email-gizmo@giz-works.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com As of util-linux-n 2.18, the mount utility now attempts to write to the root of newly mounted filesystems. It does this in an attempt to ensure that the r/w status of a filesystem as shown in mtab is correct. To detect whether a filesystem is r/w, mount calls access() with the W_OK argument. This results in an AVC denial with current policy. As a fallback, mount also attempts to modify the access time of the directory being mounted on if the call to access() fails. As mount already possesses the necessary privileges, the modification of the access time succeeds (at least on systems with the futimens() function, which has existed in linux since kernel 2.6.22 and glibc since version 2.6, or about July 2007). Signed-off-by: Chris Richards --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ 1 files changed, 18 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 99482ca..15a7bef 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3704,6 +3704,24 @@ interface(`dev_write_sysfs_dirs',` ######################################## ## +## Do not audit attempts to write in a sysfs directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_write_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:dir write; +') + +######################################## +## ## Read hardware state information. ## ## -- 1.7.3.2