[refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints

Christopher J. PeBenito cpebenito at tresys.com
Mon Apr 23 08:33:39 CDT 2012


On 03/25/12 08:42, Sven Vermeulen wrote:
> The locations for debugfs_t (/sys/kernel/debug) and security_t
> (/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  policy/modules/kernel/kernel.te  |    1 +
>  policy/modules/kernel/selinux.te |    1 +
>  2 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8340ca8..f9c3513 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
>  #
>  
>  type debugfs_t;
> +files_mountpoint(debugfs_t)
>  fs_type(debugfs_t)
>  allow debugfs_t self:filesystem associate;
>  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
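
Review bot: files_mountpoint(debugfs_t) reaches further than the /sys/kernel/debug directory named in the commit message, because the genfscon line at the end of this hunk labels the whole debugfs tree from / as debugfs_t. Add a short comment above the new line saying that the attribute is wanted for the root directory of the mounted filesystem and that it applies to every debugfs_t object as a side effect, so a later reader does not take it for an oversight.
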
> diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
> index 0e51e12..2e5aef4 100644
> --- a/policy/modules/kernel/selinux.te
> +++ b/policy/modules/kernel/selinux.te
> @@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
>  # applied to selinuxfs inodes.
>  #
>  type security_t, boolean_type;
> +files_mountpoint(security_t)
>  fs_type(security_t)
>  mls_trusted_object(security_t)
>  sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
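
Review bot: the new files_mountpoint(security_t) line sits under a block comment that ends with "applied to selinuxfs inodes", so the file itself does not record why the type is also a mountpoint. Extend that comment to say the type labels the mount directory as well (/selinux or /sys/fs/selinux, per the commit message), and consider moving the call below fs_type(security_t) so the filesystem declaration stays directly under the type statement.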

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

