From: guido@trentalancia.com (Guido Trentalancia)
Date: Mon, 28 Feb 2011 20:16:16 +0100
Subject: [refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
In-Reply-To: <4D6BB9CC.7060406@tresys.com>
References: <1297838523.3205.120.camel@tesla.lan> <4D6BB9CC.7060406@tresys.com>
Message-ID: <1298920576.3123.12.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:42, Guido Trentalancia wrote:
> > This patch allows mount to use kernel file descriptors.
> >
> > diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> > --- refpolicy-git-15022011-test/policy/modules/system/mount.te	2011-02-16 02:34:33.253189215 +0100
> > +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te	2011-02-16 03:54:18.732023725 +0100
> > @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >
> > files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >
> > +kernel_use_fds(mount_t)
> > kernel_read_system_state(mount_t)
> > kernel_read_kernel_sysctls(mount_t)
> > kernel_dontaudit_getattr_core_if(mount_t)
>
> How did you come across this?

type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429 comm="mount" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=fd

Regards,

Guido
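Review bot: the patch description ("This patch allows mount to use kernel file descriptors") gives no justification for the new rule; the AVC record quoted in the reply (mount_t using a kernel_t fd for path="/dev/pts/0", tclass=fd) should be in the commit message together with a sentence on when mount inherits that descriptor, because that is what lets a reviewer decide whether the right fix is to allow the access via kernel_use_fds(mount_t) or to merely silence it the way the existing kernel_dontaudit_getattr_core_if(mount_t) line does for another leaked kernel object. Suggested message: "mount inherits a kernel_t file descriptor for the console when run at early boot; allow it so the avc denial for { use } on tclass=fd goes away."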
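To make the denial quoted above easier to read, here is an added example (my own code, not part of this thread or of refpolicy) that parses an AVC record into its source type, target type, object class and permissions and builds the raw allow rule the record corresponds to. The sample input is a copy of the denial from the reply; the regular expressions and function names are mine.

```python
import re

# Copy of the AVC denial quoted in the thread (constructed sample input).
SAMPLE_DENIAL = (
    'type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429 '
    'comm="mount" path="/dev/pts/0" dev=devpts ino=3 '
    'scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=fd'
)

# "avc: denied { perm ... } for key=value ..." -- result, permission set, and
# the key=value tail that carries pid/comm/path/scontext/tcontext/tclass.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# Values are either double-quoted (comm="mount") or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field (third component) of user:role:type:level."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'tclass': fields.get('tclass'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'fields': fields,
    }
    rec['stype'] = context_type(rec['scontext']) if rec['scontext'] else None
    rec['ttype'] = context_type(rec['tcontext']) if rec['tcontext'] else None
    return rec


def raw_allow_rule(rec):
    """Raw TE rule for the denial; refpolicy wraps such rules in interfaces."""
    perms = ' '.join(rec['perms'])
    if len(rec['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perms)


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_DENIAL)
    print('%s -> %s on %s (%s) via %s' % (
        rec['stype'], rec['ttype'], rec['tclass'],
        rec['fields'].get('path'), rec['fields'].get('comm')))
    print(raw_allow_rule(rec))  # prints "allow mount_t kernel_t:fd use;"
```

The raw rule it prints, `allow mount_t kernel_t:fd use;`, is what the `kernel_use_fds(mount_t)` interface call in the patch expands to for the fd class; reading the path (`/dev/pts/0`) and the target type (`kernel_t`) from the record is what tells you the descriptor was inherited rather than opened by mount itself.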