From 3e99a17663285ca506f58bf960db3196baf18929 Mon Sep 17 00:00:00 2001 From: Chris Richards Date: Mon, 8 Nov 2010 19:25:31 -0600 Subject: [PATCH] dontaudit mount writes to newly mounted filesystems As of util-linux-n 2.18, the mount utility now attempts to write to the root of newly mounted filesystems. It does this in an attempt to ensure that the r/w status of a filesystem as shown in mtab is correct. To detect whether a filesystem is r/w, mount calls access() with the W_OK argument. This results in an AVC denial with current policy. As a fallback, mount also attempts to modify the access time of the directory being mounted on if the call to access() fails. As mount already possesses the necessary privileges, the modification of the access time succeeds (at least on systems with the futimens() function, which has existed in linux since kernel 2.6.22 and glibc since version 2.6, or about July 2007). Signed-off-by: Chris Richards --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 99482cacd..15a7befa9 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3702,6 +3702,24 @@ interface(`dev_write_sysfs_dirs',` allow $1 sysfs_t:dir write; ') +######################################## +## +## Do not audit attempts to write in a sysfs directory. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_write_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:dir write; +') + ######################################## ## ## Read hardware state information.
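Review bot: the new `dev_dontaudit_write_sysfs_dirs` interface has no caller in this patch, so on its own it silences nothing; the diffstat shows only `policy/modules/kernel/devices.if` changed, and the mount domain described in the commit message never invokes it. Either add the call in the mount module (e.g. `dev_dontaudit_write_sysfs_dirs(mount_t)`, name of the domain assumed here) in the same patch, or state in the message that the call site follows in a separate patch. Two smaller points on the same hunk: the message says mount probes the root of every newly mounted filesystem with `access(W_OK)`, yet the hunk addresses only `sysfs_t`, so it should say why sysfs alone is handled (presumably the only denial observed) and whether other kernel filesystem types are expected to need matching interfaces; and the choice of `dontaudit` over `allow` is the right one and worth a sentence of justification in the message, since the probe is only a writability test that mount does not need to succeed (the message itself notes the `futimens()` fallback already works with mount's existing permissions).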