From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 11 Nov 2010 09:59:26 -0500
Subject: [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems
In-Reply-To: <1289265935-2604-1-git-send-email-gizmo@giz-works.com>
References: <1289265935-2604-1-git-send-email-gizmo@giz-works.com>
Message-ID: <4CDC04CE.7090900@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/08/10 20:25, Chris Richards wrote:
> As of util-linux-n 2.18, the mount utility now attempts to write to the root
> of newly mounted filesystems. It does this in an attempt to ensure that the
> r/w status of a filesystem as shown in mtab is correct. To detect whether
> a filesystem is r/w, mount calls access() with the W_OK argument. This
> results in an AVC denial with current policy. As a fallback, mount also
> attempts to modify the access time of the directory being mounted on if
> the call to access() fails. As mount already possesses the necessary
> privileges, the modification of the access time succeeds (at least on systems
> with the futimens() function, which has existed in linux since kernel 2.6.22
> and glibc since version 2.6, or about July 2007).

This set is merged, with a few trivial tweaks.

> Signed-off-by: Chris Richards
> ---
> policy/modules/kernel/devices.if | 18 ++++++++++++++++++
> 1 files changed, 18 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 99482ca..15a7bef 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3704,6 +3704,24 @@ interface(`dev_write_sysfs_dirs',` > > ######################################## > ## > +## Do not audit attempts to write in a sysfs directory. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`dev_dontaudit_write_sysfs_dirs',` > + gen_require(` > + type sysfs_t; > + ') > + > + dontaudit $1 sysfs_t:dir write; > +') > + > +######################################## > +## > ## Read hardware state information. > ## > ## -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
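Review bot: the doc block of the new `dev_dontaudit_write_sysfs_dirs` interface shows bare `+##` lines between the summary sentence and "Domain to not audit.", which is where refpolicy's `<summary>`/`</summary>` and `<param name="domain">`/`</param>` tags normally sit; if the archive rendering stripped them this is fine, but if the submitted file really lacks them the interface will not be picked up correctly by the policy documentation tooling, so please confirm the tags are present. Separately, the diffstat shows only devices.if changed, so this patch defines the interface without any caller; a sentence in the commit message saying that the mount domain call follows in a later patch of the series would let 1/5 be reviewed on its own. The rule itself matches the described behaviour: access() with W_OK on the mount point directory is checked as `dir write` against the directory's label, so `dontaudit $1 sysfs_t:dir write;` silences exactly the denial the message describes, while the futimens() fallback goes through the attribute-setting permission and is not affected.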
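To make the two probes described in the commit message concrete, here is an added C illustration; it is not util-linux's code and not part of the original thread. It reproduces the probe order the message describes (access() with W_OK first, then an atime bump via futimens() on the directory), which is why the first probe produces a `dir write` AVC check while the fallback needs only attribute-setting permission. The function names, the return codes and the scratch directory are assumptions made for this example.

```c
/* Added example, not util-linux code: the mount r/w probe sequence
 * described in the commit message, written out so the permission each
 * step needs under SELinux can be seen.  Helper names are assumed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Linux values, guarded in case the headers were included without
 * POSIX-2008 feature macros. */
#ifndef UTIME_NOW
#define UTIME_NOW ((1l << 30) - 1l)
#endif
#ifndef UTIME_OMIT
#define UTIME_OMIT ((1l << 30) - 2l)
#endif

enum probe_result {
    PROBE_NOT_WRITABLE = 0, /* neither probe succeeded */
    PROBE_ACCESS_OK    = 1, /* access(W_OK) succeeded */
    PROBE_UTIMENS_OK   = 2  /* access() failed, futimens() fallback succeeded */
};

/* First probe: access(W_OK) on the mount point.  Under SELinux this is
 * checked as dir:write against the directory's label (sysfs_t for /sys),
 * which is the denial the patch chooses to dontaudit. */
static int probe_via_access(const char *mountpoint)
{
    return access(mountpoint, W_OK) == 0;
}

/* Fallback probe: set the directory's atime to "now" and leave mtime
 * alone.  This is an attribute update on the inode, not a directory
 * write, so a domain that may set attributes succeeds here even when
 * the access() probe was denied. */
static int probe_via_futimens(const char *mountpoint)
{
    int fd = open(mountpoint, O_RDONLY);
    if (fd < 0)
        return 0;
    struct timespec ts[2];
    ts[0].tv_sec = 0; ts[0].tv_nsec = UTIME_NOW;  /* atime := now */
    ts[1].tv_sec = 0; ts[1].tv_nsec = UTIME_OMIT; /* mtime untouched */
    int rc = futimens(fd, ts);
    close(fd);
    return rc == 0;
}

/* Run the probes in the order the commit message describes. */
int probe_rw(const char *mountpoint)
{
    if (probe_via_access(mountpoint))
        return PROBE_ACCESS_OK;
    if (probe_via_futimens(mountpoint))
        return PROBE_UTIMENS_OK;
    return PROBE_NOT_WRITABLE;
}

/* Constructed scratch directory so the example runs without a real
 * mount.  Returns a malloc'd path, or NULL on failure. */
char *make_scratch_dir(void)
{
    char tmpl[] = "/tmp/probe-rw-XXXXXX";
    char *d = mkdtemp(tmpl);
    return d ? strdup(d) : NULL;
}

int main(void)
{
    char *dir = make_scratch_dir();
    if (!dir)
        return 1;
    printf("%s -> probe result %d\n", dir, probe_rw(dir));
    printf("/nonexistent -> probe result %d\n", probe_rw("/nonexistent-probe-rw-dir"));
    rmdir(dir);
    free(dir);
    return 0;
}
```

On a writable scratch directory the first probe succeeds and the fallback is never reached; on a path the caller cannot open, both probes fail. Under a policy that denies `dir write` but allows attribute changes, the result would be the fallback code, which is the situation the commit message describes for mount.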