From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 23 Jan 2013 21:42:07 +0100
Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
In-Reply-To: <50FFD4E7.4030907@tresys.com>
References: <1358026351-12955-1-git-send-email-bigon@debian.org> <1358026351-12955-11-git-send-email-bigon@debian.org> <50FFD4E7.4030907@tresys.com>
Message-ID: <20130123214207.09211339@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23 Jan 2013 07:17:43 -0500, "Christopher J. PeBenito" wrote:

> On 01/12/13 16:32, Laurent Bigonville wrote:
> > From: Laurent Bigonville
> >
> > ---
> > policy/modules/system/mount.te | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/policy/modules/system/mount.te
> > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te
> > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> >
> > miscfiles_read_localization(mount_t)
> >
> > +modutils_read_module_deps(mount_t)
> > +
> > sysnet_use_portmap(mount_t)
> >
> > seutil_read_config(mount_t)
>
> Any idea why this is required?
>

Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my laptop.

BTW this is already in the Fedora policy (in an optional_policy block) with the following commit message: "Allow mount to read modutils_dep_t, probably a leak but not worth blocking"

Cheers

Laurent Bigonville
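
Review bot: the new `modutils_read_module_deps(mount_t)` line in the `@@ -135,6 +135,8 @@` hunk of policy/modules/system/mount.te is added unconditionally and with an empty patch description, so nothing records which mount operation or denial it is meant to cover. The reply says Fedora carries the same call inside an optional_policy block and that its commit message calls the access "probably a leak". Before this goes in, please put the triggering AVC denial (source command, target path and class) in the commit message, and consider wrapping the call in optional_policy as Fedora does. If the access turns out to be an inherited descriptor rather than something mount needs, granting read to mount_t widens the domain for no functional gain, and that should be weighed against simply leaving the denial in place.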