Merge branch 'mount_module' of git://github.com/cgzones/refpolicy

.travis.yml

@@ -33,6 +33,10 @@ sudo: false
 #sudo: required
 #dist: trusty
 
+cache:
+  directories:
+    - ${TRAVIS_BUILD_DIR}/selinux
+
 addons:
   apt:
     packages:
@@ -54,33 +58,39 @@ before_install:
   - python -V
 
 install:
-  # Download current SELinux userspace tools and libraries
-  - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20161014.tar.gz | tar xz
-  - mv selinux-20161014 selinux-src
+  - SELINUX_USERSPACE_VERSION=20161014
 
-  # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
-  - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
-  - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
+  - |
+      if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
+        # Download current SELinux userspace tools and libraries
+        curl -sS -L "https://github.com/SELinuxProject/selinux/archive/${SELINUX_USERSPACE_VERSION}.tar.gz" | tar xz
+        mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
 
-  # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
-  - sed -i -e 's/secilc//' selinux-src/Makefile
+        # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
+        sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
+        sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
 
-  # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
-  - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
+        # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+        sed -i -e 's/secilc//' selinux-src/Makefile
 
-  # Drop restorecond to break glib dependence
-  - sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
+        # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+        sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
 
-  # Drop sandbox to break libcap-ng dependence
-  - sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
+        # Drop restorecond to break glib dependence
+        sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
 
-  # Compile and install SELinux toolchain into ~/selinux
-  # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
-  #    error: declaration of 'index' shadows a global declarationo
-  - make "DESTDIR=$TRAVIS_BUILD_DIR/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
+        # Drop sandbox to break libcap-ng dependence
+        sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
+
+        # Compile and install SELinux toolchain into ~/selinux
+        # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+        #    error: declaration of 'index' shadows a global declarationo
+        make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
+        echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
+      fi
 
   # Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
-  - export TEST_TOOLCHAIN="$TRAVIS_BUILD_DIR/selinux"
+  - export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
 
   # Drop build.conf settings to listen to env vars
   - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf

Makefile

@@ -516,7 +516,8 @@ install-headers: $(layerxml) $(tunxml) $(boolxml)
 	@echo "Installing $(NAME) policy headers."
 	$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
 	$(verbose) mkdir -p $(headerdir)/support
-	$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+	$(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
+	$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
 	$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
 	$(verbose) for i in $(notdir $(all_layers)); do \
 		mkdir -p $(headerdir)/$$i ;\

policy/modules/system/mount.fc

@@ -2,7 +2,7 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/sbin/mount\.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs		--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
@@ -14,4 +14,4 @@
 /usr/sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)?			gen_context(system_u:object_r:mount_runtime_t,s0)

policy/modules/system/mount.te

@@ -23,12 +23,13 @@ role mount_roles types mount_t;
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
+type mount_runtime_t;
+typealias mount_runtime_t alias mount_var_run_t;
+files_pid_file(mount_runtime_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-type mount_var_run_t;
-files_pid_file(mount_var_run_t)
-
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
@@ -52,10 +53,10 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
@@ -65,9 +66,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -139,6 +137,7 @@ miscfiles_read_localization(mount_t)
 sysnet_use_portmap(mount_t)
 
 seutil_read_config(mount_t)
+selinux_getattr_fs(mount_t)
 
 userdom_use_all_users_fds(mount_t)