From: dac.override@gmail.com (Dominick Grift)
Date: Thu, 28 Aug 2014 09:06:38 +0200
Subject: [refpolicy] [PATCH 4/7] Add attribute file_type to pseudo
 filesystem types
In-Reply-To: <53FE52DB.8000605@m4x.org>
References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org>
	<1408793751-11289-5-git-send-email-nicolas.iooss@m4x.org>
	<53FC7B94.3000001@tresys.com> <20140826145258.GA1464@e145.network2>
	<53FE52DB.8000605@m4x.org>
Message-ID: <1409209598.3998.3.camel@joe.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2014-08-27 at 23:51 +0200, Nicolas Iooss wrote:

> > avc:  denied  { write } for  pid=674 comm="mount" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=0
> >
> > The mount command checks mountpoint file directories for write access
> 
> OK.  Just out of curiosity, is this write access expected or a kind of
> bug that is silently denied by the refpolicy, which contains
> files_dontaudit_write_all_mountpoints(mount_t) in system/mount.te?
> 

In my view it should probably be:

dontaudit $1 mountpoint:dir audit_access

I have an interface called: files_audit_access_all_mountpoints()

... Or something along those lines