From: aranea@aixah.de (Luis Ressel) Date: Tue, 12 Aug 2014 00:24:15 +0200 Subject: [refpolicy] [PATCH v2 3/3] Add necessary permissions for losetup In-Reply-To: <20140812001934.0fb5379a@gentp.lnet> References: <20140812001934.0fb5379a@gentp.lnet> Message-ID: <1407795855-5339-1-git-send-email-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This allows losetup to bind mount_loopback_t files to loop devices. --- policy/modules/kernel/kernel.te | 5 +++++ policy/modules/system/fstools.te | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 7fe10c3..fdd5b8d 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -300,6 +300,11 @@ ifdef(`distro_redhat',` ') optional_policy(` + # loop devices + fstools_use_fds(kernel_t) +') + +optional_policy(` hotplug_search_config(kernel_t) ') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index b876224..1d40813 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t) dev_getattr_usbfs_dirs(fsadm_t) # Access to /dev/mapper/control dev_rw_lvm_control(fsadm_t) +# for losetup +dev_rw_loop_control(fsadm_t) domain_use_interactive_fds(fsadm_t) @@ -125,6 +127,9 @@ files_search_all(fsadm_t) mls_file_read_all_levels(fsadm_t) mls_file_write_all_levels(fsadm_t) +# losetup: bind mount_loopback_t files to loop devices +mount_rw_loopback_files(fsadm_t) + storage_raw_read_fixed_disk(fsadm_t) storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) -- 2.0.4
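
Review bot: in the kernel.te hunk (@@ -300), the comment `# loop devices` does not say why kernel_t needs `fstools_use_fds(kernel_t)`. The two fstools.te hunks both name losetup in their comments; please do the same here and state what the kernel does with the fsadm_t file descriptors, so the rule can be audited later without digging up this thread. The interface itself is not defined in this patch, which only touches .te files, so the commit message should also say whether it comes from an earlier patch in the series or already exists.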
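
Review bot: in the first fstools.te hunk (@@ -94), the comment `# for losetup` names the consumer but not the resource, unlike the `# Access to /dev/mapper/control` comment directly above it. Suggest following that style and naming the device node that `dev_rw_loop_control(fsadm_t)` covers, with losetup in parentheses, so both control-device grants read the same way.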
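
Review bot: in the second fstools.te hunk (@@ -125), `mount_rw_loopback_files(fsadm_t)` is called unconditionally, while the kernel.te hunk wraps its cross-module call in `optional_policy`. If the mount module can be left out of a policy build, this call needs the same wrapper. The grant also applies to everything that runs in fsadm_t, not only losetup, and gives both read and write on mount_loopback_t files; the commit message should say that this wider scope is intended.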