From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Jan 2013 07:27:41 -0500
Subject: [refpolicy] [PATCH 08/13] Add mount_var_run_t type and allow mount_t domain to manage the files and directories
In-Reply-To: <1358026351-12955-9-git-send-email-bigon@debian.org>
References: <1358026351-12955-1-git-send-email-bigon@debian.org> <1358026351-12955-9-git-send-email-bigon@debian.org>
Message-ID: <50FFD73D.7070909@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> In Debian, mount stores some information (a utab file) under the
> /var/run/mount directory.
>
> This is inspired by the fedora policy.

Merged.

> ---
> policy/modules/system/mount.fc | 2 ++
> policy/modules/system/mount.te | 8 ++++++++
> 2 files changed, 10 insertions(+)
>
> diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc > index 72c746e..a38605e 100644 > --- a/policy/modules/system/mount.fc > +++ b/policy/modules/system/mount.fc > @@ -2,3 +2,5 @@ > /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) > > /usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) > + > +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te > index 6a50270..8fcd782 100644 > --- a/policy/modules/system/mount.te > +++ b/policy/modules/system/mount.te > @@ -26,6 +26,9 @@ files_type(mount_loopback_t) > type mount_tmp_t; > files_tmp_file(mount_tmp_t) > > +type mount_var_run_t; > +files_pid_file(mount_var_run_t) > + > # causes problems with interfaces when > # this is optionally declared in monolithic > # policy--duplicate type declaration 
> @@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t) > > files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) > > +create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) > +create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) > +rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) > +files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") > + > kernel_read_system_state(mount_t) > kernel_read_kernel_sysctls(mount_t) > kernel_dontaudit_getattr_core_if(mount_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
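Review bot: in the mount.fc hunk, the new `/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)` entry carries no object-class specifier, so a relabel gives the directory and everything under it mount_var_run_t; that matches the `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")` rule in the second mount.te hunk, which assigns the same type when mount_t creates the directory itself, so a runtime-created tree and a restorecon'd tree end up labelled identically. Worth keeping those two lines in sync if the directory name ever changes, since a mismatch would leave utab labelled var_run_t on one path and mount_var_run_t on the other.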
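Review bot: the rules added after `files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })` in the second mount.te hunk do not grant what the subject line calls "manage": `create_dirs_pattern`, `create_files_pattern` and `rw_files_pattern` give mount_t create, read and write on mount_var_run_t, but no unlink, rename or setattr, so the domain can create and rewrite utab in place but cannot remove it or replace it with a renamed temporary file. If mount updates utab by writing a temporary file and renaming it over the old one, those operations will show up as AVC denials; either switch to `manage_dirs_pattern`/`manage_files_pattern` (which is what the subject describes) or retitle the commit to say create/rw. After a build, `sesearch -A -s mount_t -t mount_var_run_t -c file` should list exactly the permission set you intend.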