From: gizmo@giz-works.com (Chris Richards)
Date: Mon, 8 Nov 2010 19:25:35 -0600
Subject: [refpolicy] [PATCH 5/5] dontaudit mount writes to newly mounted filesystems
In-Reply-To: <1289265935-2604-1-git-send-email-gizmo@giz-works.com>
References: <1289265935-2604-1-git-send-email-gizmo@giz-works.com>
Message-ID: <1289265935-2604-5-git-send-email-gizmo@giz-works.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Chris Richards
---
 policy/modules/system/mount.te | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fca6947..9d83898 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -49,16 +49,21 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
+kernel_dontaudit_write_debugfs_dirs(mount_t)
+kernel_dontaudit_write_proc_dirs(mount_t)
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
+dev_read_sysfs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
+dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_getattr_sound_dev(mount_t)
+
 # Early devtmpfs, before udev relabel
 dev_dontaudit_rw_generic_chr_files(mount_t)
@@ -80,6 +85,7 @@ files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
 files_list_mnt(mount_t)
+files_dontaudit_write_root_dirs(mount_t)
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_cifs(mount_t)
@@ -90,6 +96,7 @@ fs_relabelfrom_all_fs(mount_t)
 fs_list_auto_mountpoints(mount_t)
 fs_rw_tmpfs_chr_files(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
+fs_dontaudit_write_tmpfs_dirs(mount_t)
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
-- 
1.7.3.2
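Review bot: `dev_read_sysfs(mount_t)` in the first hunk carries no `dontaudit` in its name, so unlike the other added lines it appears to grant mount_t real read access to sysfs rather than silence a denial, yet the subject line describes the patch as dontaudit-only; the commit message should say which mount operation needs that read, or the line belongs in its own patch. The five new dontaudit rules (debugfs, proc, sysfs, root and tmpfs directories, spread over all three hunks) record nothing about why mount attempts those writes, which later makes a genuine regression indistinguishable from the denial being hidden here; a comment such as `# mount tries to write the mountpoint dir of a newly mounted fs; silence the denial` above each group would preserve that. The blank lines between rule groups were lost when the message was collapsed, so the hunk line counts in the `@@` headers cannot be checked from what is visible.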