From 26cfbe531777e7aa8d330ae2fc9c91d1abc3c5fb Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Sun, 25 Mar 2012 14:42:37 +0200
Subject: [PATCH] Marking debugfs and securityfs as mountpoints

The locations for debugfs_t (/sys/kernel/debug) and security_t (/selinux or /sys/fs/selinux) should be marked as mountpoints as well.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/kernel.te | 1 +
 policy/modules/kernel/selinux.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8340ca829..f9c35136e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 #
 
 type debugfs_t;
+files_mountpoint(debugfs_t)
 fs_type(debugfs_t)
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0e51e1204..2e5aef45f 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 # applied to selinuxfs inodes.
 #
 type security_t, boolean_type;
+files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
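Review bot: Neither added line says which access it is meant to enable, and `files_mountpoint(security_t)` in selinux.te puts the type applied to selinuxfs inodes into an attribute that other modules write rules against; `files_mountpoint(debugfs_t)` in kernel.te does the same for debugfs. If the interface in this tree also assigns the generic file attributes (refpolicy's files_mountpoint() calls files_type(), as far as I recall), rules granted over all mountpoints or all files would start to cover both types, so the resulting allow rules are worth comparing before and after the change, for instance with `sesearch -A -t security_t`. A one-line comment above each call would record the intent, e.g. `# mounted on /selinux or /sys/fs/selinux` and `# mounted on /sys/kernel/debug`. Both type declarations sit in files that continue outside the hunks.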