From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 16 Feb 2011 07:02:41 +0100
Subject: [refpolicy] [PATCH 6/34]: patch to update mount permissions
Message-ID: <1297836161.3205.36.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch adds a new interface for mount. It then uses the new
interface and adds some permissions needed to use mount. It also
adds a conditional block for redhat systems that use a mount script
called /sbin/mount.tmpfs. Finally the patch adds a permission
needed for example by ntfs-3g (storage_rw_fuse).
diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if
--- refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if 2011-02-15 22:50:02.386800459 +0100
@@ -808,6 +808,25 @@ interface(`corecmd_check_exec_shell',`
########################################
##
+## Allow mmap_file_perms on a shell
+## executable.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corecmd_mmap_file_exec_shell',`
+ gen_require(`
+ type bin_t, shell_exec_t;
+ ')
+
+ mmap_files_pattern($1, bin_t, shell_exec_t)
+')
+
+########################################
+##
## Execute shells in the caller domain.
##
##
diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te refpolicy-git-15022011-new-modified/policy/modules/system/mount.te
--- refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/system/mount.te 2011-02-15 22:52:27.570043460 +0100
@@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+ifdef(`distro_redhat',`
+ # needed by /sbin/mount.tmpfs bash script
+ allow mount_t self:fifo_file rw_fifo_file_perms;
+')
+
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t mount_tmp_t:file manage_file_perms;
@@ -51,15 +56,23 @@ kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
+
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)
+kernel_setsched(mount_t)
+
# required for mount.smbfs
corecmd_exec_bin(mount_t)
+# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
+# from initscripts
+corecmd_mmap_file_exec_shell(mount_t)
+
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_read_sysfs(mount_t)
+dev_read_usbfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
@@ -108,6 +121,8 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
+# needed for example by ntfs-3g
+storage_rw_fuse(mount_t)
term_use_all_terms(mount_t)