From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Tue, 21 Dec 2010 03:16:54 +0000
Subject: [refpolicy] two fixups for mount_t: uses mount.tmpfs and manage lock files
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

1. Since the mount program would make use of the shell script of mount.tmpfs to preserve the mountpoint's security context across mounting if it ever makes sense, the mount domain should have been able to execute the shell and rw its fifo files.

type=1400 audit(1292851031.156:19): avc: denied { execute } for pid=513 comm="mount" name="bash" dev=sda ino=98324 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1288069794.081:6): avc: denied { getattr } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.085:7): avc: denied { write } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.149:8): avc: denied { read } for pid=93 comm="grep" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.225:9): avc: denied { ioctl } for pid=95 comm="ls" path="pipe:[2446]" dev=pipefs ino=2446 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file

2. While the mount program writes into /etc/mtab, it needs to create a lock file under /var/lock/, otherwise the /etc/mtab would be empty.

type=1400 audit(1287984885.601:19): avc: denied { write } for pid=471 comm="mount" name="lock" dev=sda ino=114693 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lock_t tclass=dir
can't create lock file /var/lock/mtab~471: Permission denied (use -n flag to override)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/958c011d/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mount_t-uses-tmpfs-helper.patch
Type: application/octet-stream
Size: 2551 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/958c011d/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-mount_t-manage-lock-files.patch
Type: application/octet-stream
Size: 1290 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/958c011d/attachment-0001.obj
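The post lists the raw AVC denials and points at two patch attachments, but the patches themselves are not in the archive. The following is an added example, not code from the post or from refpolicy, showing how the six denials above reduce to the allow rules a policy author would start from: it parses the `scontext`/`tcontext`/`tclass`/permission fields, collapses source and target into `self` when they are the same domain (as with the `mount.tmpfs` pipe denials), and merges repeated (source, target, class) triples into one rule. The log text is copied from the post and embedded as the sample input; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the AVC denial lines quoted in the mailing-list post, embedded
# here so the example runs offline. The trailing "can't create lock file" line
# is the mount program's error message, not an AVC record, and is skipped.
AVC_LOG = """\
type=1400 audit(1292851031.156:19): avc: denied { execute } for pid=513 comm="mount" name="bash" dev=sda ino=98324 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1288069794.081:6): avc: denied { getattr } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.085:7): avc: denied { write } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.149:8): avc: denied { read } for pid=93 comm="grep" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.225:9): avc: denied { ioctl } for pid=95 comm="ls" path="pipe:[2446]" dev=pipefs ino=2446 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1287984885.601:19): avc: denied { write } for pid=471 comm="mount" name="lock" dev=sda ino=114693 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lock_t tclass=dir
can't create lock file /var/lock/mtab~471: Permission denied (use -n flag to override)
"""

# One AVC record: the permission set in braces, then the two contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context.

    The MLS range (e.g. s0-s15:c0.c1023) is dropped: allow rules are written
    against types, not against the full context string.
    """
    return ctx.split(":")[2]


def parse_avc(log):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the mount error message)
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules


def format_allow(rules):
    """Render the grouped denials as raw SELinux allow rules, sorted for stable output."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


if __name__ == "__main__":
    for rule in format_allow(parse_avc(AVC_LOG)):
        print(rule)
```

Two things the output makes visible that the raw log does not. First, `grep` and `ls` show up with `scontext=mount_t`: the helper script's children stay in the mount domain because there is no domain transition on `shell_exec_t`, so the fifo rule has to be `self:fifo_file`. Second, the raw `allow mount_t var_lock_t:dir { write };` is the first denial only; creating `/var/lock/mtab~471` will next need `add_name` on the directory and `create` on the file, which only appear once the earlier denial is resolved. In refpolicy these raw rules would be expressed through the module's interfaces (for instance `corecmd_exec_shell()` for the shell execute permission and a lock-file interface for `var_lock_t`) rather than written directly into `mount.te`.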