system/mount.if: Add mount_read_mount_loopback interface

2014-02-01 14:50:22 +01:00 · 2014-02-01 14:50:22 +01:00 · 09370605a3
parent 781377da9f
commit 09370605a3
2 changed files with 19 additions and 1 deletions
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@ -173,3 +173,21 @@ interface(`mount_run_unconfined',`
 	mount_domtrans_unconfined($1)
 	role $2 types unconfined_mount_t;
 ')
+
+########################################
+## <summary>
+##	Read mount_loopback files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_read_mount_loopback',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_loopback_t:file read_file_perms;
+')
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

-allow mount_t mount_loopback_t:file read_file_perms;
+mount_read_mount_loopback(mount_t)

 allow mount_t mount_tmp_t:file manage_file_perms;
 allow mount_t mount_tmp_t:dir manage_dir_perms;