[refpolicy] [PATCH 1/1] Allow mount to work on all file locations

Christopher J. PeBenito cpebenito at tresys.com
Tue Sep 6 13:36:52 CDT 2011


On 09/04/11 08:21, Sven Vermeulen wrote:
> In order for mount to work with all file locations, it needs
> relabelfrom privileges as well (next to the relabelto ones).
> 
> The same patch is also already present in Fedora's repository.

I don't understand this, can you explain further?  This rule is for context mounts, in which it would be relabeling from any filesystem type to a file type.  When would it relabel from a file type?

> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  policy/modules/system/mount.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 57d7294..429596f 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -77,7 +77,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
>  files_mounton_all_mountpoints(mount_t)
>  files_unmount_rootfs(mount_t)
>  # These rules need to be generalized.  Only admin, initrc should have it:
> -files_relabelto_all_file_type_fs(mount_t)
> +files_relabel_all_file_type_fs(mount_t)
>  files_mount_all_file_type_fs(mount_t)
>  files_unmount_all_file_type_fs(mount_t)
>  # for when /etc/mtab loses its type
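Review bot: The switch from `files_relabelto_all_file_type_fs(mount_t)` to `files_relabel_all_file_type_fs(mount_t)` widens a rule that sits directly under the comment "These rules need to be generalized. Only admin, initrc should have it:", and the commit message gives no concrete case that needs relabelfrom. It says only that mount needs relabelfrom "to work with all file locations" and that Fedora carries the same change. Please put the triggering mount operation and the resulting AVC denial in the commit message so the extra permission can be checked against an actual use. If the need is limited to specific callers, consider granting it there rather than to mount_t as a whole, in line with what the existing comment asks for.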


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

