From: bigon@debian.org (Laurent Bigonville)
Date: Sat, 12 Jan 2013 22:32:26 +0100
Subject: [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories
In-Reply-To: <1358026351-12955-1-git-send-email-bigon@debian.org>
References: <1358026351-12955-1-git-send-email-bigon@debian.org>
Message-ID: <1358026351-12955-9-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Laurent Bigonville

In Debian, mount store some information (a utab file) under /var/run/mount directory. This is inspired by the fedora policy.
---
 policy/modules/system/mount.fc | 2 ++
 policy/modules/system/mount.te | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 72c746e..a38605e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,3 +2,5 @@
 /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6a50270..8fcd782 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -26,6 +26,9 @@ files_type(mount_loopback_t)
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
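Review bot: The new `/var/run/mount(/.*)?` entry in the mount.fc hunk only labels the /var/run path, but on systems where /var/run is a symlink to /run (which I believe is the case on Debian since /run was introduced) setfiles/restorecon resolve the canonical path as /run/mount, so the regex matches only if this policy build's file_contexts.subs_dist maps /run to /var/run. If that substitution is not in place for the target distribution, the utab directory ends up with the parent's var_run_t label and the new rules in mount.te never apply; adding `/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)` next to the existing entry covers both layouts. Note also that the hunk header reports 3 old and 5 new lines while only 4 new-side lines are visible here, so one context line appears to have been lost in this rendering; worth confirming the patch still applies cleanly.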
@@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
+create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
--
1.7.10.4
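Review bot: The three pattern rules added in this hunk grant less than the subject line's "manage" promises: as I read refpolicy's macros, create_dirs_pattern/create_files_pattern/rw_files_pattern give mount_t create, open, read, write and append on mount_var_run_t files and create/add_name on the directory, but no unlink, rename, link or setattr on files and no remove_name or read (listing) on the directory. libmount, to my knowledge, updates utab by writing a temporary file and renaming it over the old one and takes a lock file beside it, so if that holds the domain will hit rename and unlink denials on the very first mount; please confirm against the util-linux version in use. Since the patch is modelled on the Fedora policy, the simpler and sufficient form is to replace the three lines with `manage_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)` and `manage_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)`, keeping the `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")` line as is. The enclosing mount_t local policy section continues beyond this hunk.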