From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 31 Jan 2014 22:28:15 -0500
Subject: [refpolicy] [PATCH 1/3] Allow mount_t to follow mount_loopback_t symlinks
In-Reply-To: <1391035512-25441-2-git-send-email-aranea@aixah.de>
References: <1391035512-25441-1-git-send-email-aranea@aixah.de> <1391035512-25441-2-git-send-email-aranea@aixah.de>
Message-ID: <52EC69CF.3060408@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 1/29/2014 5:45 PM, Luis Ressel wrote:
> This is useful for some application scenarios and doesn't harm security.
> ---
> policy/modules/system/mount.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 03f0911..7d01431 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -44,6 +44,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>
> allow mount_t mount_loopback_t:file read_file_perms;
> +allow mount_t mount_loopback_t:lnk_file read_file_perms;
>
> allow mount_t mount_tmp_t:file manage_file_perms;
> allow mount_t mount_tmp_t:dir manage_dir_perms;

We generally prefer not to specially label symlinks. They don't have the security properties of the object they point to, and the permissions are checked normally on the target.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
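Review bot: the added line `+allow mount_t mount_loopback_t:lnk_file read_file_perms;` applies the regular-file permission set to the lnk_file class; refpolicy's symlink-specific set is read_lnk_file_perms, so `allow mount_t mount_loopback_t:lnk_file read_lnk_file_perms;` would be the idiomatic form and would avoid granting permissions (open, lock, ioctl) that have no meaning for a symlink. The commit message also only says "some application scenarios"; naming the concrete scenario that needs symlinks labelled mount_loopback_t would make it possible to judge whether a dedicated symlink label is needed at all, given that the target's own label is still checked when the link is followed.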