From 789307d57e10041179952dbd203c60af99432399 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sun, 22 Dec 2019 16:54:51 +0100
Subject: [PATCH] mount: allow callers of mount to search /usr/bin

In order to be able to invoke /usr/bin/mount, /usr/bin/fusermount, etc. callers need to be able to search /usr/bin. Otherwise, such denials are recorded:

type=AVC msg=audit(1576534518.220:1320): avc: denied { search } for pid=24067 comm="cryfs" name="bin" dev="vda1" ino=524829 scontext=sysadm_u:sysadm_r:cryfs_t tcontext=system_u:object_r:bin_t tclass=dir permissive=0

Signed-off-by: Nicolas Iooss
---
 policy/modules/system/mount.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 80416d2e9..2a9a9f010 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -15,6 +15,7 @@ interface(`mount_domtrans',`
 	type mount_t, mount_exec_t;
 ')
+	corecmd_search_bin($1)
 	domtrans_pattern($1, mount_exec_t, mount_t)
 ')
@@ -64,6 +65,7 @@ interface(`mount_exec',`
 	allow $1 mount_exec_t:dir list_dir_perms;
 	allow $1 mount_exec_t:lnk_file read_lnk_file_perms;
+	corecmd_search_bin($1)
 	can_exec($1, mount_exec_t)
 ')
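Review bot: The `corecmd_search_bin($1)` added to mount_domtrans grants search on every directory labelled bin_t (which in refpolicy also covers locations such as /usr/sbin and /usr/local/bin), not only /usr/bin as the subject line says, so each caller of this interface receives a somewhat wider grant than the single AVC in the description strictly requires; this is the customary refpolicy idiom for a domtrans interface, but the interface's `## <summary>`/`## <desc>` block, which begins above the hunk, does not mention it. Consider adding a line such as `##	Also allows the caller to search bin_t directories so that mount_exec_t binaries (e.g. /usr/bin/fusermount) can be reached.` to the description of mount_domtrans, and the same to mount_exec, whose hunk makes the identical addition. Both interface headers lie outside their hunks.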