From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 28 Feb 2011 10:05:48 -0500 Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors In-Reply-To: <1297838523.3205.120.camel@tesla.lan> References: <1297838523.3205.120.camel@tesla.lan> Message-ID: <4D6BB9CC.7060406@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/16/11 01:42, Guido Trentalancia wrote: > This patch allows mount to use kernel file descriptors. > > diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te > --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100 > +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100 > @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t) > > files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) > > +kernel_use_fds(mount_t) > kernel_read_system_state(mount_t) > kernel_read_kernel_sysctls(mount_t) > kernel_dontaudit_getattr_core_if(mount_t) How did you come across this? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
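Review bot: the added `kernel_use_fds(mount_t)` line in the mount.te hunk at @@ -51,6 +51,7 @@ comes with no justification; the description only restates the rule. Please include the AVC denial that prompted it and the situation in which mount ends up holding a kernel-owned descriptor, so the grant can be judged against least privilege. If the descriptor is merely inherited and mount never needs to use it, a dontaudit rule in the style of the `kernel_dontaudit_getattr_core_if(mount_t)` line just below would be the narrower change than an allow.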