dontaudit mount writes to newly mounted filesystems

As of util-linux-n 2.18, the mount utility now attempts to write to the root of newly mounted filesystems. It does this in an attempt to ensure that the r/w status of a filesystem as shown in mtab is correct. To detect whether a filesystem is r/w, mount calls access() with the W_OK argument. This results in an AVC denial with current policy. As a fallback, mount also attempts to modify the access time of the directory being mounted on if the call to access() fails. As mount already possesses the necessary privileges, the modification of the access time succeeds (at least on systems with the futimens() function, which has existed in linux since kernel 2.6.22 and glibc since version 2.6, or about July 2007). Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-08 19:25:31 -06:00 · 2010-11-08 19:25:31 -06:00 · 3e99a17663
parent 239e8e214e
commit 3e99a17663
1 changed files with 18 additions and 0 deletions
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -3702,6 +3702,24 @@ interface(`dev_write_sysfs_dirs',`
 	allow $1 sysfs_t:dir write;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to write in a sysfs directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Read hardware state information.