update mount module
* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
This commit is contained in:
parent
2d8da56da4
commit
2526c96a2c
|
@ -2,7 +2,7 @@
|
|||
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
|
@ -14,4 +14,4 @@
|
|||
/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||
/run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)
|
||||
|
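Review bot: The first hunk (`@ -2,7 +2,7 @@`) changes the `/sbin/mount\.zfs` file-context entry, but the old and new lines render identically in this view and the change is not covered by any of the three bullets in the commit description. If it is a whitespace or regex-escaping correction, a fourth bullet such as `* fix /sbin/mount\.zfs file context entry` would make the history searchable; if it is something else, the description should say what. The `mount_var_run_t` to `mount_runtime_t` relabel of `/run/mount(/.*)?` in the second hunk is a straight rename and needs nothing further as long as the typealias in mount.te lands in the same commit.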
|
|
@ -23,12 +23,13 @@ role mount_roles types mount_t;
|
|||
type mount_loopback_t; # customizable
|
||||
files_type(mount_loopback_t)
|
||||
|
||||
type mount_runtime_t;
|
||||
typealias mount_runtime_t alias mount_var_run_t;
|
||||
files_pid_file(mount_runtime_t)
|
||||
|
||||
type mount_tmp_t;
|
||||
files_tmp_file(mount_tmp_t)
|
||||
|
||||
type mount_var_run_t;
|
||||
files_pid_file(mount_var_run_t)
|
||||
|
||||
# causes problems with interfaces when
|
||||
# this is optionally declared in monolithic
|
||||
# policy--duplicate type declaration
|
||||
|
@ -52,10 +53,10 @@ can_exec(mount_t, mount_exec_t)
|
|||
|
||||
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||
|
||||
create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
|
||||
create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
|
||||
rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
|
||||
files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
|
||||
create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
|
||||
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_read_kernel_sysctls(mount_t)
|
||||
|
@ -65,9 +66,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
|
|||
kernel_dontaudit_write_proc_dirs(mount_t)
|
||||
# To load binfmt_misc kernel module
|
||||
kernel_request_load_module(mount_t)
|
||||
# for when /etc/mtab loses its type
|
||||
# cjp: this seems wrong, the type should probably be etc
|
||||
kernel_read_unlabeled_files(mount_t)
|
||||
|
||||
# required for mount.smbfs
|
||||
corecmd_exec_bin(mount_t)
|
||||
|
@ -139,6 +137,7 @@ miscfiles_read_localization(mount_t)
|
|||
sysnet_use_portmap(mount_t)
|
||||
|
||||
seutil_read_config(mount_t)
|
||||
selinux_getattr_fs(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
|
||||
|
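Review bot: `selinux_getattr_fs(mount_t)` in the last hunk (`@ -139,6 +137,7 @@`) is placed directly after `seutil_read_config(mount_t)`, whereas refpolicy keeps interface calls grouped alphabetically by module prefix, so it belongs in its own paragraph above the seutil call. It also arrives without the one-line justification that neighbouring rules in this file carry; presumably it satisfies a getattr/statfs on selinuxfs during mount startup, but that is inferred from the interface name, so confirm it against the observed denial and record it, e.g. `# getattr on selinuxfs` above the call. The removal of `kernel_read_unlabeled_files(mount_t)` in the `@ -65,9 +66,6 @@` hunk narrows the domain; the removed comment names /etc/mtab losing its label as the original reason, so a denial of that shape after this change is expected behaviour rather than a regression and is worth mentioning in the commit description. The `@ -23,12 +23,13 @@` hunk keeps `typealias mount_runtime_t alias mount_var_run_t;`, so existing policy and file contexts that still reference the old name keep resolving.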
|