From: russell@coker.com.au (Russell Coker)
Date: Wed, 30 Jan 2013 09:17:35 +1100
Subject: [refpolicy] [PATCH 10/13] Allow mount_t to read module_deps_t files
In-Reply-To: <20130124190722.07fb32f7@fornost.bigon.be>
References: <1358026351-12955-1-git-send-email-bigon@debian.org>
 <1358026351-12955-11-git-send-email-bigon@debian.org>
 <50FFD4E7.4030907@tresys.com>
 <20130123214207.09211339@fornost.bigon.be>
 <20130124190722.07fb32f7@fornost.bigon.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This looks like an inherited file handle. What process is executing mount? Maybe auditallow rules on executing mount and opening the dep file will reveal what is going wrong.

Laurent Bigonville wrote:
>On Wed, 23 Jan 2013 21:42:07 +0100,
>Laurent Bigonville wrote:
>
>> On Wed, 23 Jan 2013 07:17:43 -0500,
>> "Christopher J. PeBenito" wrote:
>>
>> > On 01/12/13 16:32, Laurent Bigonville wrote:
>> > > From: Laurent Bigonville
>> > >
>> > > ---
>> > > policy/modules/system/mount.te | 2 ++
>> > > 1 file changed, 2 insertions(+)
>> > >
>> > > diff --git a/policy/modules/system/mount.te
>> > > b/policy/modules/system/mount.te
>> > > index 7a58d79..d412797 100644
>> > > --- a/policy/modules/system/mount.te
>> > > +++ b/policy/modules/system/mount.te
>> > > @@ -135,6 +135,8 @@ logging_send_syslog_msg(mount_t)
>> > >
>> > > miscfiles_read_localization(mount_t)
>> > >
>> > > +modutils_read_module_deps(mount_t)
>> > > +
>> > > sysnet_use_portmap(mount_t)
>> > >
>> > > seutil_read_config(mount_t)
>> >
>> > Any idea why this is required?
>> >
>>
>> Mmmh, I cannot reproduce this on my desktop, I'll retry tomorrow on
>> my laptop.
>
>OK so I tried again, and I see these during early boot:
>
>[ 32.330243] type=1400 audit(1359049424.759:27): avc: denied
>{ read } for pid=2090 comm="mount" name="modules.dep" dev="dm-1"
>ino=4232 scontext=system_u:system_r:mount_t:s0
>tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>[ 32.330265] type=1400 audit(1359049424.759:27): avc: denied { open } for
>pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep"
>dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0
>tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>[ 32.330306] type=1400 audit(1359049424.759:28): avc: denied { getattr } for
>pid=2090 comm="mount" path="/lib/modules/3.7-trunk-amd64/modules.dep"
>dev="dm-1" ino=4232 scontext=system_u:system_r:mount_t:s0
>tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
>
>
>Cheers
>
>Laurent Bigonville
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
My blog http://etbe.coker.com.au
Sent from a Galaxy S3 Android phone with K-9 Mail.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20130130/959f2d83/attachment.html
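Review bot: the hunk adds `modutils_read_module_deps(mount_t)` with no justification in the commit message (the body between the `From:` line and the `---` separator is empty), which is exactly why the "Any idea why this is required?" question came up; the AVC records quoted later in the thread ({ read }, { open } and { getattr } on /lib/modules/3.7-trunk-amd64/modules.dep by pid 2090 comm="mount") should be pasted into the commit message as the evidence for the rule. The subject line also names the type `module_deps_t`, while the denials report `tcontext=system_u:object_r:modules_dep_t:s0`, so the subject should be corrected to `modules_dep_t`. Since the { open } record carries a full path, pid 2090 is opening the file itself rather than only inheriting a descriptor; until the trace suggested in the reply shows which caller of mount triggers this, it is not yet established whether a permanent `allow` is the right fix or whether this access belongs in a `dontaudit`. Placement of the new call between `miscfiles_read_localization` and `sysnet_use_portmap` follows the surrounding alphabetical order and is fine.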
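As an added illustration of the auditallow approach suggested in the reply above (this is not code from the thread or from refpolicy itself), a small stand-alone policy module that records which domain executes mount and records mount_t's accesses to modules.dep. The module name mount_debug is an assumption; the types mount_t, mount_exec_t and modules_dep_t and the domain attribute are taken from refpolicy.

```selinux
# mount_debug.te (constructed example; module name is an assumption)
# Build and load with the usual refpolicy development Makefile, then
# inspect the audit log: auditallow produces "avc: granted" records,
# whose scontext/comm fields identify the caller.
policy_module(mount_debug, 1.0)

gen_require(`
	# refpolicy types/attributes this module refers to
	attribute domain;
	type mount_t, mount_exec_t, modules_dep_t;
')

# 1. "What process is executing mount?"
#    Every domain that executes the mount binary produces a granted
#    record with its own scontext, answering that question directly.
auditallow domain mount_exec_t:file { execute execute_no_trans };

# 2. "opening the dep file"
#    Record every granted access from mount_t to modules.dep.  Note that
#    auditallow only fires for access that is *granted*; while the
#    allow (the patch's modutils_read_module_deps(mount_t)) is absent,
#    the kernel already logs the denials quoted in the thread, so this
#    rule is only informative once the allow is in place.
auditallow mount_t modules_dep_t:file { getattr open read };
```

Because auditallow never grants anything, the module can be loaded and unloaded on a test system without widening the policy; the resulting granted records show, for each mount execution, the calling domain in scontext, and for each modules.dep access the pid and comm of the process in mount_t that performed it.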