From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 6 Sep 2011 14:36:52 -0400 Subject: [refpolicy] [PATCH 1/1] Allow mount to work on all file locations In-Reply-To: <20110904122113.GA11786@siphos.be> References: <20110904122113.GA11786@siphos.be> Message-ID: <4E666844.2040501@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/04/11 08:21, Sven Vermeulen wrote: > In order for mount to work with all file locations, it needs > relabelfrom privileges as well (next to the relabelto ones). > > The same patch is also already present in fedora's repository. I don't understand this, can you explain further? This rule is for context mounts, in which it would be relabeling from any filesystem type to a file type. When would it relabel from a file type? > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/mount.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te > index 57d7294..429596f 100644 > --- a/policy/modules/system/mount.te > +++ b/policy/modules/system/mount.te > @@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file) > files_mounton_all_mountpoints(mount_t) > files_unmount_rootfs(mount_t) > # These rules need to be generalized. Only admin, initrc should have it: > -files_relabelto_all_file_type_fs(mount_t) > +files_relabel_all_file_type_fs(mount_t) > files_mount_all_file_type_fs(mount_t) > files_unmount_all_file_type_fs(mount_t) > # for when /etc/mtab loses its type -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
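Review bot: the changed line in the `@@ -77,7 +77,7 @@` hunk grants relabelfrom without a stated need. The commit message says only that mount needs relabelfrom "to work with all file locations" and that Fedora carries the same patch. It names neither the mount operation that fails nor the denial that was logged. The comment directly above the changed line already marks these rules as too broad ("Only admin, initrc should have it"), so replacing `files_relabelto_all_file_type_fs(mount_t)` with `files_relabel_all_file_type_fs(mount_t)` widens a grant the policy itself wants narrowed. Please add the AVC denial and the mount invocation that triggered it to the commit message. If only one scenario needs relabelfrom, consider scoping the rule to that case instead of switching mount_t to the combined interface for every file-type filesystem.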