From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 11 Jul 2015 14:49:16 +0200
Subject: [refpolicy] Everything in mount_t or filesystem-specific mounts?
Message-ID: <20150711124916.GA23290@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all

I'm working on a Ceph policy and I've noticed that I need to add a number of
additional privileges on top of mount_t. The /sbin/mount.ceph binary
executes script (corecmd_exec_shell) and perhaps a few more (I had to add in
a lot to get it to work, but have yet to see if it would be better for
_exec's or _domtrans's)

Currently, it looks like the system/mount.te policy assumes that all
privileges are to be added to mount_t. However, I get the impression that
mount_t could be a lot "smaller" policy-wise if we would grant the
permissions to filesystem-specific mounts (i.e. have a domain transition
from mount_t to mount_<fs>_t when mount executes /sbin/mount.<fs>)

The mount domains by the file systems could then be done through a
mount_domain_template(<fs>) call and expanded as necessary for the file
system itself.

I noticed we already added a few filesystem-specifics (such as FUSE support,
and SMBFS) but compared to the other file systems the number is sufficiently
low to keep the policy enhancements on mount_t. But given that additional
file systems are being developed which put more and more features (and as
such often require more and more privileges) I would expect that this would
only grow.

So my question: would it make sense to eventually migrate to
filesystem-specific mounts and, if so, what would be a good trigger (i.e.
which kind of permissions do we not want inside a generic mount_t)?

Wkr,
        Sven Vermeulen