Add mount_var_run_t type and allow mount_t domain to manage the files and directories

In Debian, mount store some information (a utab file) under /var/run/mount directory. This is inspired by the fedora policy.
2013-01-12 22:32:26 +01:00 · 2013-01-12 22:32:26 +01:00 · 693532ae68
parent ef854630b4
commit 693532ae68
2 changed files with 10 additions and 0 deletions
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@ -2,3 +2,5 @@
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)

 /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
+
+/var/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@ -26,6 +26,9 @@ files_type(mount_loopback_t)
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)

+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)

 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

+create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)