From: jason@perfinion.com (Jason Zaman)
Date: Mon, 13 Apr 2015 19:41:35 +0400
Subject: [refpolicy] [PATCH] fstools: add in filetrans for /run dir
Message-ID: <1428939695-20296-1-git-send-email-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The blkid tool writes to /run/blkid/. This creates the "fstools_run_t" type and allows the transition in /run.

type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0

In permissive:
avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" ino=5441676 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=370936 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
avc: denied { add_name } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
avc: denied { create } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1

--- policy/modules/system/fstools.fc | 2 ++ policy/modules/system/fstools.te | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index d10368d..cba4184 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -62,3 +62,5 @@ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0) + +/var/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index a0cfb1d..cbaa18b 100644
--- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t) type fsadm_tmp_t; files_tmp_file(fsadm_tmp_t) +type fsadm_run_t; +files_pid_file(fsadm_run_t) + type swapfile_t; # customizable files_type(swapfile_t) @@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms; allow fsadm_t fsadm_tmp_t:file manage_file_perms; files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir }) +allow fsadm_t fsadm_run_t:dir manage_dir_perms; +allow fsadm_t fsadm_run_t:file manage_file_perms; +files_pid_filetrans(fsadm_t, fsadm_run_t, { file dir }) + # log files allow fsadm_t fsadm_log_t:dir setattr; manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t) -- 2.0.5
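Review bot: in the fstools.fc hunk the new entry labels `/var/run/blkid(/.*)?` as `fsadm_run_t`, but the commit message calls the new type "fstools_run_t"; the message should name the type the patch actually declares in fstools.te (`fsadm_run_t`, which matches the existing `fsadm_tmp_t` and `fsadm_log_t` naming) so the log entry and the policy agree.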
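Review bot: in the second fstools.te hunk, `files_pid_filetrans(fsadm_t, fsadm_run_t, { file dir })` is an unnamed transition, so every file or directory fsadm_t creates directly under /run becomes fsadm_run_t, not only the `blkid` directory that the denials show being created (name="/" and name="blkid", tclass=dir, in var_run_t). The file-class denials (blkid.tab, blkid.tab-ZaM0Am) happen inside that directory, where new files take the parent's type once it is fsadm_run_t, so consider limiting the transition to the directory by name, e.g. `files_pid_filetrans(fsadm_t, fsadm_run_t, dir, "blkid")`, assuming this refpolicy tree's files_pid_filetrans accepts the optional filename argument.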
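The denials quoted in the patch description, read back as the allow rules they would require if granted directly, as an added example that is not part of the original mail or of refpolicy. It parses the AVC lines (constructed here from the message), aggregates permissions per source type, target type and object class, and renders the rules; the result shows why the patch does not simply grant them: fsadm_t would get write access to all of var_run_t, which is what the dedicated fsadm_run_t type and file transition avoid.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in the patch description
# (enforcing run first, then the permissive run), one per line.
AVC_LINES = """\
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" ino=5441676 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=370936 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
avc: denied { add_name } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
avc: denied { create } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}), or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def aggregate(lines):
    """Group the denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            needed[(stype, ttype, tclass)] |= perms
    return dict(needed)

def to_allow_rules(needed):
    """Render the aggregated denials as refpolicy-style allow rules, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in to_allow_rules(aggregate(AVC_LINES)):
        print(rule)
```

Run directly, it prints two rules, one for var_run_t directories and one for var_run_t files; both target the shared var_run_t type, which is the over-broad grant the patch sidesteps.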