From: bigon@debian.org (Laurent Bigonville)
Date: Thu, 24 Jan 2013 19:07:22 +0100
Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
In-Reply-To: <20130123214207.09211339@fornost.bigon.be>
References: <1358026351-12955-1-git-send-email-bigon@debian.org>
 <1358026351-12955-11-git-send-email-bigon@debian.org>
 <50FFD4E7.4030907@tresys.com>
 <20130123214207.09211339@fornost.bigon.be>
Message-ID: <20130124190722.07fb32f7@fornost.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 23 Jan 2013 21:42:07 +0100, Laurent Bigonville wrote:

> On Wed, 23 Jan 2013 07:17:43 -0500,
> "Christopher J. PeBenito" wrote:
> 
> > On 01/12/13 16:32, Laurent Bigonville wrote:
> > > From: Laurent Bigonville
> > > 
> > > ---
> > > policy/modules/system/mount.te | 2 ++
> > > 1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/policy/modules/system/mount.te
> > > b/policy/modules/system/mount.te index 7a58d79..d412797 100644
> > > --- a/policy/modules/system/mount.te
> > > +++ b/policy/modules/system/mount.te
> > > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
> > > 
> > > miscfiles_read_localization(mount_t)
> > > 
> > > +modutils_read_module_deps(mount_t)
> > > +
> > > sysnet_use_portmap(mount_t)
> > > 
> > > seutil_read_config(mount_t)
> > 
> > Any idea why this is required?
> 
> Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on my
> laptop.

OK so I tried again, and I see these during early boot:

[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied { read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file

Cheers

Laurent Bigonville
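Review bot: a short comment above `+modutils_read_module_deps(mount_t)` would make the change self-documenting and answer the "why is this required?" question in the file rather than only in this thread; the AVC messages quoted in this mail supply the reason (mount reading /lib/modules/3.7-trunk-amd64/modules.dep during early boot, with read, open and getattr denied on modules_dep_t), and since all three permissions are denied, it is worth confirming that the modutils_read_module_deps() interface grants getattr as well as read and open, otherwise a further denial will follow once the first two are allowed.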
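The three AVC denials quoted in this mail, aggregated audit2allow-style into the single raw rule they imply, as an added example that is not part of the thread or of refpolicy; the sample lines are copied from the mail above, and refpolicy itself expresses this access through the modutils_read_module_deps() interface rather than a raw allow rule.

```python
import re
from collections import defaultdict

# Sample input: the three denials quoted in the mail (constructed test data for this example).
AVC_LINES = [
    '[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied { read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file',
    '[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file',
    '[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep" dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file',
]

# Matches the permission set in braces and the source/target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Return (source type, target type, class, {perms}) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m['perms'].split())
    return selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'], perms


def aggregate(lines):
    """Merge the permissions of all denials that share (source, target, class)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def render_allow(rules):
    """Render each aggregated triple as a raw SELinux allow rule (sorted for stable output)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == '__main__':
    for rule in render_allow(aggregate(AVC_LINES)):
        print(rule)
```

The output is the raw rule; in refpolicy one then looks for the interface of the target type's module that grants exactly those permissions, which is how the quoted patch ends up with modutils_read_module_deps(mount_t).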