From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Sat, 8 Feb 2014 10:51:11 -0500 Subject: [refpolicy] [PATCH 2/4] system/mount.if: Add mount_read_mount_loopback interface In-Reply-To: <1391262624-4486-3-git-send-email-aranea@aixah.de> References: <1391262624-4486-1-git-send-email-aranea@aixah.de> <1391262624-4486-3-git-send-email-aranea@aixah.de> Message-ID: <52F6526F.90906@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 2/1/2014 8:50 AM, Luis Ressel wrote: > --- > policy/modules/system/mount.if | 18 ++++++++++++++++++ > policy/modules/system/mount.te | 2 +- > 2 files changed, 19 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if > index 4584457..802fd3d 100644 > --- a/policy/modules/system/mount.if > +++ b/policy/modules/system/mount.if > @@ -173,3 +173,21 @@ interface(`mount_run_unconfined',` > mount_domtrans_unconfined($1) > role $2 types unconfined_mount_t; > ') > + > +######################################## > +##

> +## Read mount_loopback files. > +##

> +## > +##

> +## Domain allowed access. > +##

> +## > +# > +interface(`mount_read_mount_loopback',` > + gen_require(` > + type mount_t; > + ') > + > + allow $1 mount_loopback_t:file read_file_perms; > +') > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te > index 03f0911..9cd37d9 100644 > --- a/policy/modules/system/mount.te > +++ b/policy/modules/system/mount.te > @@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t) > # setuid/setgid needed to mount cifs > allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; > > -allow mount_t mount_loopback_t:file read_file_perms; > +mount_read_mount_loopback(mount_t) > > allow mount_t mount_tmp_t:file manage_file_perms; > allow mount_t mount_tmp_t:dir manage_dir_perms; Merged. I renamed the interface to mount_read_loopback_file(). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com