Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
Date: Tue, 26 Mar 2019 10:17:38
Message-Id: 1553508325.98f3eac837bb8fa985f1f3fe7090e17573c9f3a9.perfinion@gentoo
1 commit: 98f3eac837bb8fa985f1f3fe7090e17573c9f3a9
2 Author: Sugar, David <dsugar <AT> tresys <DOT> com>
3 AuthorDate: Tue Mar 5 22:32:44 2019 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Mar 25 10:05:25 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98f3eac8
7
8 Add interface to allow relabeling of iso 9660 filesystems.
9
10 I have a case where I'm labeling media with my own types to control
11 access. But that is requiring that I relabel from iso9660_t to my
12 own type. This interface allows that relabel.
13
14 type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0
15
16 Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
17 Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
18
19 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
20 1 file changed, 19 insertions(+)
21
22 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
23 index 6da7cc22..603bfc28 100644
24 --- a/policy/modules/kernel/filesystem.if
25 +++ b/policy/modules/kernel/filesystem.if
26 @@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',`
27 allow $1 iso9660_t:filesystem remount;
28 ')
29
30 +########################################
31 +## <summary>
32 +## Allow changing of the label of a
33 +## filesystem with iso9660 type
34 +## </summary>
35 +## <param name="domain">
36 +## <summary>
37 +## Domain allowed access.
38 +## </summary>
39 +## </param>
40 +#
41 +interface(`fs_relabelfrom_iso9660_fs',`
42 + gen_require(`
43 + type iso9660_t;
44 + ')
45 +
46 + allow $1 iso9660_t:filesystem relabelfrom;
47 +')
48 +
49 ########################################
50 ## <summary>
51 ## Unmount an iso9660 filesystem, which
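Review bot: The summary on the new fs_relabelfrom_iso9660_fs interface ("Allow changing of the label of a filesystem with iso9660 type") is broader than the rule underneath it, which grants only "allow $1 iso9660_t:filesystem relabelfrom;". Suggest wording the summary as relabeling from the iso9660 filesystem type, and ending it with a period to match "Domain allowed access." For the use case in the commit message, the calling domain also needs relabelto on its own target filesystem type, which this interface does not grant and cannot know about. A sentence in the summary saying so would keep callers from assuming the interface is sufficient for a complete relabel.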