From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 19 Aug 2014 08:46:33 -0400
Subject: [refpolicy] [PATCH v2 3/3] Add necessary permissions for losetup
In-Reply-To: <1407795855-5339-1-git-send-email-aranea@aixah.de>
References: <20140812001934.0fb5379a@gentp.lnet> <1407795855-5339-1-git-send-email-aranea@aixah.de>
Message-ID: <53F34729.6050305@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/11/2014 6:24 PM, Luis Ressel wrote:
> This allows losetup to bind mount_loopback_t files to loop devices.

This set is merged.

> --- > policy/modules/kernel/kernel.te | 5 +++++ > policy/modules/system/fstools.te | 5 +++++ > 2 files changed, 10 insertions(+) > > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > index 7fe10c3..fdd5b8d 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -300,6 +300,11 @@ ifdef(`distro_redhat',` > ') > > optional_policy(` > + # loop devices > + fstools_use_fds(kernel_t) > +') > + > +optional_policy(` > hotplug_search_config(kernel_t) > ') > > diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te > index b876224..1d40813 100644 > --- a/policy/modules/system/fstools.te > +++ b/policy/modules/system/fstools.te > @@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t) > dev_getattr_usbfs_dirs(fsadm_t) > # Access to /dev/mapper/control > dev_rw_lvm_control(fsadm_t) > +# for losetup > +dev_rw_loop_control(fsadm_t) > > domain_use_interactive_fds(fsadm_t) > > @@ -125,6 +127,9 @@ files_search_all(fsadm_t) > mls_file_read_all_levels(fsadm_t) > mls_file_write_all_levels(fsadm_t) > > +# losetup: bind mount_loopback_t files to loop devices > +mount_rw_loopback_files(fsadm_t) > + > storage_raw_read_fixed_disk(fsadm_t) > storage_raw_write_fixed_disk(fsadm_t) > storage_raw_read_removable_device(fsadm_t) >

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
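
Review bot: In the kernel.te hunk (@@ -300,6 +300,11), the comment `# loop devices` does not say whose file descriptors kernel_t is being allowed to use or why. The fstools.te hunks name losetup in their comments; doing the same here, for example `# loop devices: use fds handed over by losetup`, would tie this rule to the rest of the change. `fstools_use_fds` is not defined anywhere in the visible diff, so it is also worth confirming that it comes from an earlier patch in this series.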
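
Review bot: In the first fstools.te hunk (@@ -94,6 +94,8), `dev_rw_loop_control(fsadm_t)` is commented `# for losetup`, while the rule directly above it is documented by the device it covers (`# Access to /dev/mapper/control`). Naming the device and the consumer together, for example `# Access to /dev/loop-control (losetup)`, keeps the block consistent and makes it visible that the access is granted to the whole fsadm_t domain, not only to losetup.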
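
Review bot: In the second fstools.te hunk (@@ -125,6 +127,9), `mount_rw_loopback_files(fsadm_t)` gives fsadm_t both read and write on mount_loopback_t files, but the commit message and the comment only say that losetup needs to bind those files to loop devices. Please state in the comment or the message why write access is required for the bind, so the grant can be checked against least privilege, or narrow it if the bind works with read access alone.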