From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 27 Sep 2013 22:58:49 +0200 Subject: [refpolicy] [PATCH 16/20] mount: sets kernel thread priority mount: mount reads /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount points In-Reply-To: <5245F0B3.5080309@tresys.com> References: <1380030014-25507-1-git-send-email-dominick.grift@gmail.com> <5245F0B3.5080309@tresys.com> Message-ID: <1380315529.23967.4.camel@d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2013-09-27 at 16:55 -0400, Christopher J. PeBenito wrote: > On Tue 24 Sep 2013 09:40:14 AM EDT, Dominick Grift wrote: > > In Debian mount was trying to list / on a tmpfs (/run/lock). Since > > var_lock_t is a mountpoint type, and so is mnt_t, I decided to implement > > a files_list_all_mountpoints() and call that for mount because it makes > > sense > > > > Signed-off-by: Dominick Grift > > --- > > policy/modules/kernel/files.if | 18 ++++++++++++++++++ > > policy/modules/system/mount.te | 7 ++++++- > > 2 files changed, 24 insertions(+), 1 deletion(-) > > > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > > index 64ff4d7..f962f76 100644 > > --- a/policy/modules/kernel/files.if > > +++ b/policy/modules/kernel/files.if > > @@ -1655,6 +1655,24 @@ interface(`files_dontaudit_search_all_mountpoints',` > > > > ######################################## > > ## > > +## List all mount points. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`files_list_all_mountpoints',` > > + gen_require(` > > + attribute mountpoint; > > + ') > > + > > + allow $1 mountpoint:dir list_dir_perms; > > +') > > + > > +######################################## > > +## > > ## Do not audit listing of all mount points. > > ## > > ## > > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te > > index eba28c0..5e5e089 100644 > > --- a/policy/modules/system/mount.te
> > +++ b/policy/modules/system/mount.te > > @@ -59,6 +59,7 @@ files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") > > > > kernel_read_system_state(mount_t) > > kernel_read_kernel_sysctls(mount_t) > > +kernel_setsched(mount_t) > > kernel_dontaudit_getattr_core_if(mount_t) > > kernel_dontaudit_write_debugfs_dirs(mount_t) > > kernel_dontaudit_write_proc_dirs(mount_t) > > @@ -96,7 +97,7 @@ files_unmount_all_file_type_fs(mount_t) > > files_read_isid_type_files(mount_t) > > # For reading cert files > > files_read_usr_files(mount_t) > > -files_list_mnt(mount_t) > > +files_list_all_mountpoints(mount_t) > > files_dontaudit_write_all_mountpoints(mount_t) > > files_dontaudit_setattr_all_mountpoints(mount_t) > > > > @@ -202,6 +203,10 @@ optional_policy(` > > ') > > > > optional_policy(` > > + modutils_read_module_deps(mount_t) > > +') > > + > > +optional_policy(` > > puppet_rw_tmp(mount_t) > > ') > > I merged it, though I'm a little dubious that broad of an access is > necessary. The fs_list_auto_mountpoints() call might now be redundant. Yes, that is redundant since autofs_t is also a mountpoint > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com
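Review bot: in the files.if hunk, the new files_list_all_mountpoints() interface grants list_dir_perms on every type carrying the mountpoint attribute, which is much wider than the single var_lock_t case the commit message describes (mount listing / on the tmpfs at /run/lock); if that is the only observed denial, a type-specific interface for var_lock_t would be the narrower fix, and if the attribute-wide interface is kept, its summary should make clear that callers receive listing access to every mount point type, not just mnt_t, so later callers do not reach for it by accident.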
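Review bot: the added kernel_setsched(mount_t) line in the first mount.te hunk carries no rationale in the patch; the subject line says "sets kernel thread priority" but the commit body only explains the mount point listing change. Add a short comment above the call in the style of the existing "# For reading cert files" comment (for example "# mount sets kernel thread priority"), or state the denial that prompted it in the commit message, so the grant can be re-evaluated later; bundling three unrelated grants under one patch makes that harder.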
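Review bot: in the second mount.te hunk, replacing files_list_mnt(mount_t) with files_list_all_mountpoints(mount_t) widens mount_t's listing access from mnt_t to every mountpoint type, and, as the thread confirms, leaves the existing fs_list_auto_mountpoints(mount_t) call redundant because autofs_t is also a mountpoint; that call should be removed in this patch or a follow-up rather than left as a duplicate rule, and the hunk's context does not show it being touched.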
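Review bot: the new optional_policy block calling modutils_read_module_deps(mount_t) in the third mount.te hunk is placed consistently with the neighbouring puppet_rw_tmp(mount_t) block, but nothing beyond the subject line ("mount reads /lib/modules/3.10-2-amd64/modules.dep") explains why mount needs the module dependency file; a one-line comment inside the block stating what mount reads it for would make this grant as easy to audit as the other optional_policy entries, and the kernel-version-specific path belongs in the commit message rather than as a justification on its own.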