[refpolicy] two fixups for mount_t: uses mount.tmpfs and manage lock files

HarryCiao harrytaurus2002 at hotmail.com
Mon Dec 20 21:16:54 CST 2010



1. Since the mount program makes use of the mount.tmpfs shell script to
preserve the mountpoint's security context across mounting, if that ever
makes sense, the mount domain should be able to execute the shell and
read/write its fifo files.
 
type=1400 audit(1292851031.156:19): avc: denied { execute } for pid=513 comm="mount" name="bash" dev=sda ino=98324 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1288069794.081:6): avc: denied { getattr } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.085:7): avc: denied { write } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.149:8): avc: denied { read } for pid=93 comm="grep" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.225:9): avc: denied { ioctl } for pid=95 comm="ls" path="pipe:[2446]" dev=pipefs ino=2446 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
 
 
2. While the mount program writes into /etc/mtab, it needs to create
a lock file under /var/lock/; otherwise /etc/mtab would be empty.
 
type=1400 audit(1287984885.601:19): avc: denied { write } for pid=471 comm="mount" name="lock" dev=sda ino=114693 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lock_t tclass=dir
can't create lock file /var/lock/mtab~471: Permission denied (use -n flag to override)
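The two denial sets above are what audit2allow would reduce to raw allow rules. As an added example (not part of this post and not code from the refpolicy tree), the script below does that reduction with a few lines of awk: it takes the type component out of scontext/tcontext (ignoring the MLS range that the first line carries), collapses a target type equal to the source into `self`, and merges all denied permissions per (source, target, class). The log is a constructed copy of the AVC lines quoted in the post; `avc_to_allow` and `mount_rules` are names chosen here.

```shell
#!/bin/sh
# Added example: audit2allow-style reduction of AVC denials to allow rules.
# AVC_LOG is a constructed copy of the denials quoted in the post above.
AVC_LOG='type=1400 audit(1292851031.156:19): avc: denied { execute } for pid=513 comm="mount" name="bash" dev=sda ino=98324 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=1400 audit(1288069794.081:6): avc: denied { getattr } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.085:7): avc: denied { write } for pid=92 comm="mount.tmpfs" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.149:8): avc: denied { read } for pid=93 comm="grep" path="pipe:[2444]" dev=pipefs ino=2444 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1288069794.225:9): avc: denied { ioctl } for pid=95 comm="ls" path="pipe:[2446]" dev=pipefs ino=2446 scontext=system_u:system_r:mount_t tcontext=system_u:system_r:mount_t tclass=fifo_file
type=1400 audit(1287984885.601:19): avc: denied { write } for pid=471 comm="mount" name="lock" dev=sda ino=114693 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:var_lock_t tclass=dir'

# avc_to_allow: read AVC lines on stdin, print one "allow" rule per
# (source type, target type, object class) with the denied permissions merged.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] */, "", perms)      # keep only what follows "{ "
      sub(/ *[}].*/, "", perms)              # ... up to the closing "}"
      # Context is user:role:type[:range]; the type is the third field,
      # so the MLS range on the first line (s0-s15:c0.c1023) is ignored.
      match($0, /scontext=[^ ]+/); s = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tcontext=[^ ]+/); t = substr($0, RSTART + 9, RLENGTH - 9)
      match($0, /tclass=[^ ]+/);   c = substr($0, RSTART + 7, RLENGTH - 7)
      split(s, sa, ":"); split(t, ta, ":")
      src = sa[3]
      tgt = (ta[3] == src) ? "self" : ta[3]  # same type as the source -> self
      key = src SUBSEP tgt SUBSEP c
      if (!(key in rule)) { rule[key] = ""; keys[++n] = key }
      m = split(perms, pa, " ")
      for (i = 1; i <= m; i++)
        if (!((key, pa[i]) in seen)) { seen[key, pa[i]] = 1; rule[key] = rule[key] " " pa[i] }
    }
    END {
      for (i = 1; i <= n; i++) {
        split(keys[i], p, SUBSEP)
        printf "allow %s %s:%s {%s };\n", p[1], p[2], p[3], rule[keys[i]]
      }
    }'
}

# mount_rules: the reduced rules for the constructed log above.
mount_rules() { printf '%s\n' "$AVC_LOG" | avc_to_allow; }

mount_rules
```

The three raw rules this prints (`allow mount_t shell_exec_t:file { execute };`, `allow mount_t self:fifo_file { getattr write read ioctl };`, `allow mount_t var_lock_t:dir { write };`) are not what belongs in a refpolicy module; they are the cue for which interfaces to call. As best I recall the refpolicy interface names (an assumption to verify against the tree you are patching), the first maps to `corecmd_exec_shell(mount_t)`, the second to `allow mount_t self:fifo_file rw_fifo_file_perms;`, and the third to `files_manage_generic_locks(mount_t)`. The third case also shows why reducing a single denial is not enough: the `dir { write }` denial is only the first check mount hit on `/var/lock/mtab~471`; once it is allowed, creating and later removing the lock file needs `add_name`/`remove_name` on the directory and `create`/`write`/`unlink` on the file, which you only see in the log after running the operation in permissive mode, and which a manage interface covers in one go.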
Attachments:
0001-mount_t-uses-tmpfs-helper.patch (application/octet-stream, 2551 bytes): http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/958c011d/attachment.obj
0002-mount_t-manage-lock-files.patch (application/octet-stream, 1290 bytes): http://oss.tresys.com/pipermail/refpolicy/attachments/20101221/958c011d/attachment-0001.obj