From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 27 Sep 2013 16:55:15 -0400 Subject: [refpolicy] [PATCH 16/20] mount: sets kernel thread priority mount: mount reads /lib/modules/3.10-2-amd64/modules.dep mount: mount lists all mount points In-Reply-To: <1380030014-25507-1-git-send-email-dominick.grift@gmail.com> References: <1380030014-25507-1-git-send-email-dominick.grift@gmail.com> Message-ID: <5245F0B3.5080309@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue 24 Sep 2013 09:40:14 AM EDT, Dominick Grift wrote: > In debian mount was trying to list / on a tmpfs (/run/lock). Since > var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement > a files_list_all_mountpoints() and call that for mount because it makes > sense > > Signed-off-by: Dominick Grift > --- > policy/modules/kernel/files.if | 18 ++++++++++++++++++ > policy/modules/system/mount.te | 7 ++++++- > 2 files changed, 24 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index 64ff4d7..f962f76 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -1655,6 +1655,24 @@ interface(`files_dontaudit_search_all_mountpoints',` > > ######################################## > ## > +## List all mount points. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_list_all_mountpoints',` > + gen_require(` > + attribute mountpoint; > + ') > + > + allow $1 mountpoint:dir list_dir_perms; > +') > + > +######################################## > +## > ## Do not audit listing of all mount points. > ## > ## > diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te > index eba28c0..5e5e089 100644 > --- a/policy/modules/system/mount.te > +++ b/policy/modules/system/mount.te 
> @@ -59,6 +59,7 @@ files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") > > kernel_read_system_state(mount_t) > kernel_read_kernel_sysctls(mount_t) > +kernel_setsched(mount_t) > kernel_dontaudit_getattr_core_if(mount_t) > kernel_dontaudit_write_debugfs_dirs(mount_t) > kernel_dontaudit_write_proc_dirs(mount_t) > @@ -96,7 +97,7 @@ files_unmount_all_file_type_fs(mount_t) > files_read_isid_type_files(mount_t) > # For reading cert files > files_read_usr_files(mount_t) > -files_list_mnt(mount_t) > +files_list_all_mountpoints(mount_t) > files_dontaudit_write_all_mountpoints(mount_t) > files_dontaudit_setattr_all_mountpoints(mount_t) > > @@ -202,6 +203,10 @@ optional_policy(` > ') > > optional_policy(` > + modutils_read_module_deps(mount_t) > +') > + > +optional_policy(` > puppet_rw_tmp(mount_t) > ') I merged it, though I'm a little dubious that broad of an access is necessary. The fs_list_auto_mountpoints() call might now be redundant. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
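Review bot: in the files.if hunk, files_list_all_mountpoints() grants `allow $1 mountpoint:dir list_dir_perms;` on the whole mountpoint attribute, which is read access to the directory listing of every type carrying that attribute, far wider than the var_lock_t denial the commit message describes. If the goal is only to stop mount listing / on the /run/lock tmpfs, a list rule scoped to var_lock_t, or a dontaudit matching the adjacent "Do not audit listing of all mount points" interface, would cover that case without the blanket allow. If the broad interface is kept, its summary should state that it grants list access on every mountpoint type so callers understand the scope.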
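Review bot: in the mount.te hunk at @@ -59,6, kernel_setsched(mount_t) is not justified anywhere in the commit message body; only the squashed subject line ("mount: sets kernel thread priority") mentions it, and the three subject lines show that three unrelated changes (setsched, modules.dep, mountpoint listing) were folded into one patch. Each should be its own commit with its own rationale, or at minimum the body should say what mount does that requires changing the priority of kernel threads, since that is not an obvious need for a mount utility.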
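Review bot: in the mount.te hunk at @@ -96,7, swapping files_list_mnt(mount_t) for files_list_all_mountpoints(mount_t) is the one line that widens the domain's allow rules, and the context lines below it (files_dontaudit_write_all_mountpoints, files_dontaudit_setattr_all_mountpoints) show mount_t previously had only dontaudit rules on the mountpoint attribute as a whole. Since mnt_t carries the attribute the old access is preserved, but the commit message should spell out which types are newly listable, and any remaining per-type list calls in mount.te that the attribute now subsumes (the fs_list_auto_mountpoints() call noted in the reply) should be removed in the same patch rather than left redundant.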
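Review bot: in the mount.te hunk at @@ -202,6, modutils_read_module_deps(mount_t) is added with no explanation in the commit body; the subject line says mount reads /lib/modules/3.10-2-amd64/modules.dep but not which mount operation triggers it, and the body only discusses the mountpoint listing. The commit message should include the denial or the mount(8) behaviour behind this access. Placing the call in its own optional_policy block is correct, since the modutils module may not be present.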