From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 25 Mar 2012 14:42:37 +0200
Subject: [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as
	mountpoints
In-Reply-To: <20120325123929.GA13219@siphos.be>
References: <20120325123929.GA13219@siphos.be>
Message-ID: <20120325124237.GC13219@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.te  |    1 +
 policy/modules/kernel/selinux.te |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8340ca8..f9c3513 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 #
 
 type debugfs_t;
+files_mountpoint(debugfs_t)
 fs_type(debugfs_t)
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0e51e12..2e5aef4 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 # applied to selinuxfs inodes.
 #
 type security_t, boolean_type;
+files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
-- 
1.7.3.4