From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Sat, 8 Feb 2014 10:51:11 -0500
Subject: [refpolicy] [PATCH 2/4] system/mount.if: Add
mount_read_mount_loopback interface
In-Reply-To: <1391262624-4486-3-git-send-email-aranea@aixah.de>
References: <1391262624-4486-1-git-send-email-aranea@aixah.de>
<1391262624-4486-3-git-send-email-aranea@aixah.de>
Message-ID: <52F6526F.90906@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 2/1/2014 8:50 AM, Luis Ressel wrote:
> ---
> policy/modules/system/mount.if | 18 ++++++++++++++++++
> policy/modules/system/mount.te | 2 +-
> 2 files changed, 19 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
> index 4584457..802fd3d 100644
> --- a/policy/modules/system/mount.if
> +++ b/policy/modules/system/mount.if
> @@ -173,3 +173,21 @@ interface(`mount_run_unconfined',`
> mount_domtrans_unconfined($1)
> role $2 types unconfined_mount_t;
> ')
> +
> +########################################
> +##
> +## Read mount_loopback files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_read_mount_loopback',`
> + gen_require(`
> + type mount_t;
> + ')
> +
> + allow $1 mount_loopback_t:file read_file_perms;
> +')
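Review bot: the gen_require block in mount_read_mount_loopback requires the wrong type: the body uses mount_loopback_t, but the interface only requires `type mount_t;`. Inside mount.te this happens to build because the module declares mount_loopback_t itself, but any other module calling the interface will fail to link with an undeclared-type error. The require should read `type mount_loopback_t;` (mount_t is not referenced at all). As quoted, the doc comment also shows empty `##` lines where refpolicy's `<summary>` and `<param name="domain">` tags belong; the interface documentation generator needs those tags present, so check the original patch has them.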
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 03f0911..9cd37d9 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
> # setuid/setgid needed to mount cifs
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>
> -allow mount_t mount_loopback_t:file read_file_perms;
> +mount_read_mount_loopback(mount_t)
>
> allow mount_t mount_tmp_t:file manage_file_perms;
> allow mount_t mount_tmp_t:dir manage_dir_perms;
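Review bot: the call `mount_read_mount_loopback(mount_t)` must track the interface's final name. The reply below says the interface was merged as mount_read_loopback_file(), so this line in mount.te needs to become `mount_read_loopback_file(mount_t)` for the module to build; the replaced `allow mount_t mount_loopback_t:file read_file_perms;` granted exactly the same permissions, so no access is gained or lost by the substitution.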
Merged. I renamed the interface to mount_read_loopback_file().
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com