From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/3] Allow mount_t to follow mount_loopback_t symlinks
Date: Fri, 31 Jan 2014 22:28:15 -0500 [thread overview]
Message-ID: <52EC69CF.3060408@tresys.com> (raw)
In-Reply-To: <1391035512-25441-2-git-send-email-aranea@aixah.de>
On 1/29/2014 5:45 PM, Luis Ressel wrote:
> This is useful for some application scenarios and doesn't harm security.
> ---
> policy/modules/system/mount.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 03f0911..7d01431 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -44,6 +44,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
> allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>
> allow mount_t mount_loopback_t:file read_file_perms;
> +allow mount_t mount_loopback_t:lnk_file read_file_perms;
>
> allow mount_t mount_tmp_t:file manage_file_perms;
> allow mount_t mount_tmp_t:dir manage_dir_perms;
We generally prefer not to specially label symlinks. They don't have the security properties of the object the point to, and the permissions are checked normally on the target.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2014-02-01 3:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-29 22:45 [refpolicy] Support loopback mounts Luis Ressel
2014-01-29 22:45 ` [refpolicy] [PATCH 1/3] Allow mount_t to follow mount_loopback_t symlinks Luis Ressel
2014-02-01 3:28 ` Christopher J. PeBenito [this message]
2014-02-01 11:53 ` Luis Ressel
2014-01-29 22:45 ` [refpolicy] [PATCH 2/3] Allow mount_t usage of /dev/loop-control Luis Ressel
2014-02-01 3:26 ` Christopher J. PeBenito
2014-01-29 22:45 ` [refpolicy] [PATCH 3/3] Grant kernel_t necessary permissions for loopback mounts Luis Ressel
2014-02-01 3:32 ` Christopher J. PeBenito
2014-02-01 13:14 ` Luis Ressel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52EC69CF.3060408@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.