From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 3 Mar 2014 09:28:52 -0500
Subject: [refpolicy] [PATCH 3/3] Add neccessary permissions for losetup
In-Reply-To: <1392568477-15921-4-git-send-email-aranea@aixah.de>
References: <1392568477-15921-1-git-send-email-aranea@aixah.de>
	<1392568477-15921-4-git-send-email-aranea@aixah.de>
Message-ID: <531491A4.4040902@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 2/16/2014 11:34 AM, Luis Ressel wrote:
> This allows losetup to bind mount_loopback_t files to loop devices.
> ---
>  policy/modules/kernel/kernel.te  | 2 ++
>  policy/modules/system/fstools.te | 4 ++++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 7f7372f..cdea637 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -317,6 +317,8 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	# loop devices
> +	fsadm_use_fds(kernel_t)
>  	mount_use_fds(kernel_t)
>  	mount_read_loopback_files(kernel_t)
>  ')

While I doubt that any system would be missing mount, I could see a stateless system missing fsadm.  This addition should be separated out into another optional.

> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 653d0b9..8c751f5 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -53,6 +53,10 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
>  # Enable swapping to files
>  allow fsadm_t swapfile_t:file { rw_file_perms swapon };
>  
> +# losetup: bind mount_loopback_t files to loop devices
> +dev_rw_loop_control(fsadm_t)
> +mount_rw_loopback_files(fsadm_t)

These need to be moved to their correct place in the file.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com