From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 23 Jan 2013 21:42:07 +0100
Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t
 files
In-Reply-To: <50FFD4E7.4030907@tresys.com>
References: <1358026351-12955-1-git-send-email-bigon@debian.org>
	<1358026351-12955-11-git-send-email-bigon@debian.org>
	<50FFD4E7.4030907@tresys.com>
Message-ID: <20130123214207.09211339@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Le Wed, 23 Jan 2013 07:17:43 -0500,
"Christopher J. PeBenito" <cpebenito@tresys.com> a ?crit :

> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon@bigon.be>
> > 
> > ---
> >  policy/modules/system/mount.te |    2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> >  
> >  miscfiles_read_localization(mount_t)
> >  
> > +modutils_read_module_deps(mount_t)
> > +
> >  sysnet_use_portmap(mount_t)
> >  
> >  seutil_read_config(mount_t)
>  
> Any idea why this is required?
> 

Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
laptop.

BTW this is already in the fedora policy (in an optional_policy block)
with the following commit message:

"Allow mount to read modutils_dep_t, probably a leak but not worth
blocking"

Cheers

Laurent Bigonville