From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 10 Jan 2011 09:10:22 -0500
Subject: [refpolicy] two fixups for mount_t: uses mount.tmpfs and manage lock files
In-Reply-To: 
References: 
Message-ID: <4D2B134E.8010502@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/20/10 22:16, HarryCiao wrote:
> 1. Since the mount program would make use of the shell script of mount.tmpfs
> to preserve the mountpoint's security context across mounting if it ever
> makes sense, the mount domain should have been able to execute the shell
> and rw its fifo files.
>
> type=1400 audit(1292851031.156:19): avc: denied { execute } for pid=513
> comm="mount" name="bash" dev=sda ino=98324
> scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> type=1400 audit(1288069794.081:6): avc: denied { getattr } for pid=92
> comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
> type=1400 audit(1288069794.085:7): avc: denied { write } for pid=92
> comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
> type=1400 audit(1288069794.149:8): avc: denied { read } for pid=93
> comm="grep" path="pipe:[2444]" dev=pipefs ino=2444
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file
> type=1400 audit(1288069794.225:9): avc: denied { ioctl } for pid=95
> comm="ls" path="pipe:[2446]" dev=pipefs ino=2446
> scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t
> tclass=fifo_file

This makes me wonder if we should make a mount_helper_exec_t for these
mount.* helper programs. I'd rather not allow mount to execute shell_exec_t.

> 2. While the mount program writes into /etc/mtab, it needs to create
> a lock file under /var/lock/, otherwise the /etc/mtab would be empty.
>
> type=1400 audit(1287984885.601:19): avc: denied { write } for pid=471
> comm="mount" name="lock" dev=sda ino=114693
> scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lock_t
> tclass=dir
> can't create lock file /var/lock/mtab~471: Permission denied (use -n
> flag to override)

Which distro is this on?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
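The following refpolicy-style fragment is an added example, not code from the thread or from refpolicy itself; it sketches one way the two fixups could be written along the lines Chris suggests. The type mount_helper_exec_t is the name he proposes; mount_helper_t and mount_lock_t are hypothetical names chosen here, and the /sbin/mount\.tmpfs path is an assumption about where the helper is installed. The interfaces used (application_executable_file, domain_entry_file, domtrans_pattern, corecmd_exec_shell, files_lock_file, files_lock_filetrans, rw_fifo_file_perms) are refpolicy's own. The caveat a policy writer should keep in mind: mount.tmpfs is a shell script, and the kernel executes the interpreter on the caller's behalf, which is exactly the `execute ... name="bash" ... shell_exec_t` denial quoted above. Labelling the script mount_helper_exec_t on its own therefore does not remove the need to execute shell_exec_t; moving the helper into its own domain does, because the shell permission is then granted to mount_helper_t and not to mount_t.

```selinux
## mount_helper.fc -- assumed install path for the helper; distro-dependent.
/sbin/mount\.tmpfs	--	gen_context(system_u:object_r:mount_helper_exec_t,s0)

## mount_helper.te -- hypothetical additions to the mount module.

########################################
#
# Declarations
#

# Entrypoint type for the mount.* helper programs (the type proposed in the thread).
type mount_helper_exec_t;
application_executable_file(mount_helper_exec_t)

# Hypothetical domain for the helpers, so that the shell and pipe permissions the
# script needs are granted here instead of to mount_t.
type mount_helper_t;
domain_type(mount_helper_t)
domain_entry_file(mount_helper_t, mount_helper_exec_t)
role system_r types mount_helper_t;

# Hypothetical type for the mtab lock file that this report places in /var/lock.
type mount_lock_t;
files_lock_file(mount_lock_t)

########################################
#
# mount_t local policy
#

# mount(8) runs /sbin/mount.<fstype>: transition into the helper domain rather
# than letting mount_t execute shell_exec_t directly.
domtrans_pattern(mount_t, mount_helper_exec_t, mount_helper_t)

# Second fixup: the lock file is created under var_lock_t (the denied
# { write } on the /var/lock directory above). Create it as mount_lock_t.
allow mount_t mount_lock_t:file manage_file_perms;
files_lock_filetrans(mount_t, mount_lock_t, file)

########################################
#
# mount_helper_t local policy
#

# The helper is a shell script. The interpreter exec is unavoidable for whichever
# domain runs it, so it belongs here, not on mount_t.
corecmd_exec_shell(mount_helper_t)
corecmd_exec_bin(mount_helper_t)

# The getattr/read/write/ioctl denials on pipe:[...] above are the script's own
# pipelines (grep, ls). Anonymous pipes carry the creating domain's label, hence
# the self rule.
allow mount_helper_t self:fifo_file rw_fifo_file_perms;
allow mount_helper_t self:process { fork sigchld };

# Standard I/O inherited from the calling mount process.
allow mount_helper_t mount_t:fd use;
allow mount_helper_t mount_t:fifo_file rw_fifo_file_perms;
allow mount_helper_t mount_t:process sigchld;

# If the script re-invokes mount(8) (e.g. mount -i with a context option),
# transition back into mount_t.
domtrans_pattern(mount_helper_t, mount_exec_t, mount_t)

# Permissions for whatever else the script's commands touch (libraries, /etc,
# /proc) are not shown here; they would be taken from further denials.
```

The split between the two domains is the point of the example: with the helper confined in mount_helper_t, the audit2allow-style answer to the first denial (`allow mount_t shell_exec_t:file execute`) is never needed, and mount_t keeps the narrow profile it had. The lock half assumes the /var/lock location from the report; upstream util-linux locks /etc/mtab~ next to mtab itself, which is presumably why the reply asks which distro this is.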