From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/5] dontaudit mount writes to newly mounted filesystems
Date: Thu, 11 Nov 2010 09:59:26 -0500	[thread overview]
Message-ID: <4CDC04CE.7090900@tresys.com> (raw)
In-Reply-To: <1289265935-2604-1-git-send-email-gizmo@giz-works.com>

On 11/08/10 20:25, Chris Richards wrote:
> As of util-linux-n 2.18, the mount utility now attempts to write to the root
> of newly mounted filesystems.  It does this in an attempt to ensure that the
> r/w status of a filesystem as shown in mtab is correct.  To detect whether
> a filesystem is r/w, mount calls access() with the W_OK argument.  This
> results in an AVC denial with current policy.  As a fallback, mount also
> attempts to modify the access time of the directory being mounted on if
> the call to access() fails.  As mount already possesses the necessary
> privileges, the modification of the access time succeeds (at least on systems
> with the futimens() function, which has existed in linux since kernel 2.6.22
> and glibc since version 2.6, or about July 2007).

This set is merged, with a few trivial tweaks.

> Signed-off-by: Chris Richards <gizmo@giz-works.com>
> ---
>  policy/modules/kernel/devices.if |   18 ++++++++++++++++++
>  1 files changed, 18 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 99482ca..15a7bef 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3704,6 +3704,24 @@ interface(`dev_write_sysfs_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Do not audit attempts to write in a sysfs directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_dontaudit_write_sysfs_dirs',`
> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	dontaudit $1 sysfs_t:dir write;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read hardware state information.
>  ## </summary>
>  ## <desc>
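Review bot: the hunk declares `dev_dontaudit_write_sysfs_dirs` but no domain calls it, so on its own this patch changes nothing observable; the diffstat shows only devices.if touched (18 insertions), so the mount domain must pick up the call in a later patch of the series for the denial described in the commit message to stop being audited. The permission choice itself looks right: mount's access(W_OK) probe on a directory is checked as `dir write`, and the futimens() fallback the message mentions is setattr, which is already granted, so dontauditing only `write` matches the described behaviour without silently widening what mount may do. The interface documentation block follows the existing `dev_write_sysfs_dirs` style above it, which is what the file expects.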


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
