commit: 7016d9a6b6505eea13d0c4cb7a4d94d096ef07ee Author: cgzones <cgzones <AT> googlemail <DOT> com> AuthorDate: Fri Jan 6 14:05:00 2017 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Fri Jan 13 18:39:37 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7016d9a6
update mount module
* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
 policy/modules/system/mount.fc | 4 ++--
 policy/modules/system/mount.te | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 9cfb93a..182d0fd 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,7 +2,7 @@
 /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -14,4 +14,4 @@
 /usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
-/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a2ed9b7..4bfb93b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -23,12 +23,13 @@ role mount_roles types mount_t;
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
+type mount_runtime_t;
+typealias mount_runtime_t alias mount_var_run_t;
+files_pid_file(mount_runtime_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
-type mount_var_run_t;
-files_pid_file(mount_var_run_t)
-
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
@@ -55,10 +56,10 @@ can_exec(mount_t, mount_exec_t)
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
@@ -68,9 +69,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-kernel_read_unlabeled_files(mount_t)
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -142,6 +140,7 @@ miscfiles_read_localization(mount_t)
 sysnet_use_portmap(mount_t)
 seutil_read_config(mount_t)
+selinux_getattr_fs(mount_t)
 userdom_use_all_users_fds(mount_t)
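Review bot: The new `selinux_getattr_fs(mount_t)` line in the last hunk (`@@ -142,6 +140,7 @@`) is the only change in this commit that grants an additional permission, yet it carries no comment and the commit message only states that it was added, while neighbouring rules in this file explain their purpose (e.g. `# To load binfmt_misc kernel module` above `kernel_request_load_module`). The interface name indicates getattr on the selinuxfs filesystem, presumably a statfs-style check of whether SELinux is enabled, but the actual caller and the AVC denial that motivated it are not visible here. I would record that on the line above the rule, e.g. `# getattr on selinuxfs: mount checks whether SELinux is enabled (confirm against the AVC denial)`, adjusting the wording once the caller is confirmed. Without such a note a later reviewer cannot tell whether the rule is still needed or can be dropped the way `kernel_read_unlabeled_files` is dropped earlier in this patch.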