From: guido@trentalancia.com (Guido Trentalancia)
Date: Sat, 19 Feb 2011 06:08:06 +0100
Subject: [refpolicy] [PATCH 6/34]: patch to update mount permissions
In-Reply-To: <1297836161.3205.36.camel@tesla.lan>
References: <1297836161.3205.36.camel@tesla.lan>
Message-ID: <1298092086.3101.50.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello!

A quick note about a minor issue with this patch. Apparently, the mount.tmpfs script will be obsoleted with Fedora 15, so the conditional block for that script on redhat systems will probably be better removed (from the mount.te patch).

Regards,

Guido

On Wed, 16/02/2011 at 07.02 +0100, Guido Trentalancia wrote:
> This patch adds a new interface for mount. It then uses the new
> interface and adds some permissions needed to use mount. It also
> adds a conditional block for redhat systems that use a mount script
> called /sbin/mount.tmpfs. Finally the patch adds a permission
> needed for example by ntfs-3g (storage_rw_fuse).
>
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if
> --- refpolicy-git-15022011-new-before-modification/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/kernel/corecommands.if 2011-02-15 22:50:02.386800459 +0100
> @@ -808,6 +808,25 @@ interface(`corecmd_check_exec_shell',` > > ######################################## > ## > +## Allow mmap_file_perms on a shell > +## executable. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corecmd_mmap_file_exec_shell',` > + gen_require(` > + type bin_t, shell_exec_t; > + ') > + > + mmap_files_pattern($1, bin_t, shell_exec_t) > +') > + > +######################################## > +## > ## Execute shells in the caller domain. > ## > ## > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te refpolicy-git-15022011-new-modified/policy/modules/system/mount.te > --- refpolicy-git-15022011-new-before-modification/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100 > +++ refpolicy-git-15022011-new-modified/policy/modules/system/mount.te 2011-02-15 22:52:27.570043460 +0100 > @@ -37,6 +37,11 @@ application_domain(unconfined_mount_t, m > # setuid/setgid needed to mount cifs > allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; > > +ifdef(`distro_redhat',` > + # needed by /sbin/mount.tmpfs bash script > + allow mount_t self:fifo_file rw_fifo_file_perms; > +') > + > allow mount_t mount_loopback_t:file read_file_perms; > > allow mount_t mount_tmp_t:file manage_file_perms; 
> @@ -51,15 +56,23 @@ kernel_read_kernel_sysctls(mount_t) > kernel_dontaudit_getattr_core_if(mount_t) > kernel_dontaudit_write_debugfs_dirs(mount_t) > kernel_dontaudit_write_proc_dirs(mount_t) > + > # To load binfmt_misc kernel module > kernel_request_load_module(mount_t) > > +kernel_setsched(mount_t) > + > # required for mount.smbfs > corecmd_exec_bin(mount_t) > > +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2 > +# from initscripts > +corecmd_mmap_file_exec_shell(mount_t) > + > dev_getattr_all_blk_files(mount_t) > dev_list_all_dev_nodes(mount_t) > dev_read_sysfs(mount_t) > +dev_read_usbfs(mount_t) > dev_dontaudit_write_sysfs_dirs(mount_t) > dev_rw_lvm_control(mount_t) > dev_dontaudit_getattr_all_chr_files(mount_t) > @@ -108,6 +121,8 @@ storage_raw_read_fixed_disk(mount_t) > storage_raw_write_fixed_disk(mount_t) > storage_raw_read_removable_device(mount_t) > storage_raw_write_removable_device(mount_t) > +# needed for example by ntfs-3g > +storage_rw_fuse(mount_t) > > term_use_all_terms(mount_t) > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy >
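Review bot: in the corecommands.if hunk, the new `corecmd_mmap_file_exec_shell` interface grants only `mmap_file_perms` on `shell_exec_t`, which in refpolicy does not include `execute_no_trans`, so a caller that actually runs a shell script (as the /sbin/mount.tmpfs comment in mount.te suggests) will still be denied the execution itself; if the intent is to let the caller run the shell in its own domain, the existing `corecmd_exec_shell` interface is the conventional choice, and an mmap-only interface is only appropriate when the denial being fixed is a bare read/execute mapping of the shell binary. The summary ("Allow mmap_file_perms on a shell executable") should say which of the two cases it covers and that no domain transition is involved.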
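Review bot: in the first mount.te hunk (@@ -37,6 +37,11 @@), the `ifdef(`distro_redhat',` block adding `allow mount_t self:fifo_file rw_fifo_file_perms;` is justified only by /sbin/mount.tmpfs, which the follow-up mail says is obsoleted in Fedora 15, so it should be dropped from this patch rather than merged; if the fifo_file access turns out to be needed by other helpers that run in mount_t, it belongs unconditionally next to the existing self:capability rule with a comment naming that helper, not under a distro conditional.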
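Review bot: in the second mount.te hunk (@@ -51,15 +56,23 @@), `kernel_setsched(mount_t)` and `dev_read_usbfs(mount_t)` are added without a comment saying which helper or denial they address, while every neighbouring addition in this hunk carries one; please add a one-line justification for each, and for kernel_setsched consider whether a dontaudit is sufficient, since changing scheduling of kernel threads is not an obvious requirement of mounting filesystems. The comment above `corecmd_mmap_file_exec_shell(mount_t)` says it is required for mounting the listed network filesystems from initscripts, but a script that invokes mount runs in the caller's domain, not in mount_t, so the reason mount_t itself needs to map shell_exec_t (ideally the AVC denial that was observed) should be spelled out.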
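Review bot: in the last mount.te hunk (@@ -108,6 +121,8 @@), `storage_rw_fuse(mount_t)` is justified only as "needed for example by ntfs-3g"; the comment should state what the interface grants (read/write access to the FUSE device node) and that any FUSE-based mount helper executed from mount_t needs it, so a later reader does not treat the rule as ntfs-3g specific and remove it when that helper is not installed.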