[refpolicy] [PATCH 32/34]: patch to allow mount use kernel file descriptors
Guido Trentalancia
guido at trentalancia.com
Tue Mar 1 15:08:35 CST 2011
On Tue, 01/03/2011 at 14.10 -0500, Christopher J. PeBenito wrote:
> On 02/28/11 14:16, Guido Trentalancia wrote:
> > On Mon, 28/02/2011 at 10.05 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:42, Guido Trentalancia wrote:
> >>> This patch allows mount to use kernel file descriptors.
> >>>
> >>> diff -pruN refpolicy-git-15022011-test/policy/modules/system/mount.te refpolicy-git-15022011-test-new/policy/modules/system/mount.te
> >>> --- refpolicy-git-15022011-test/policy/modules/system/mount.te 2011-02-16 02:34:33.253189215 +0100
> >>> +++ refpolicy-git-15022011-test-new/policy/modules/system/mount.te 2011-02-16 03:54:18.732023725 +0100
> >>> @@ -51,6 +51,7 @@ can_exec(mount_t, mount_exec_t)
> >>>
> >>> files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
> >>>
> >>> +kernel_use_fds(mount_t)
> >>> kernel_read_system_state(mount_t)
> >>> kernel_read_kernel_sysctls(mount_t)
> >>> kernel_dontaudit_getattr_core_if(mount_t)
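Review bot: The added kernel_use_fds(mount_t) at the top of the kernel_* block is a blanket allow with no stated justification; the description only restates the rule and gives no triggering denial or scenario. Please include the AVC message and say whether mount actually needs the descriptor it inherits. If the descriptor is merely leaked to mount and never used, kernel_dontaudit_use_fds(mount_t) would quiet the denial without widening mount_t's access, in keeping with the kernel_dontaudit_getattr_core_if(mount_t) line already in this block.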
> >>
> >> How did you come across this?
> >
> > type=1400 audit(1295758153.958:3): avc: denied { use } for pid=1429
> > comm="mount" path="/dev/pts/0" dev=devpts ino=3
> > scontext=system_u:system_r:mount_t:s0
> > tcontext=system_u:system_r:kernel_t:s0 tclass=fd
>
> Can you provide more detail? What was happening on the system?
Unfortunately I cannot provide more details now. I believe it's
happening at boot-up. I am also quite sure it's not critical. And the
only "uncommon" thing that I am using is the /sbin/mount.tmpfs script
from Fedora (will be obsoleted soon by the way).
You could just drop it for the time being...
Regards,
Guido