[refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints
Sven Vermeulen
sven.vermeulen at siphos.be
Sun Mar 25 07:42:37 CDT 2012
The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
policy/modules/kernel/kernel.te | 1 +
policy/modules/kernel/selinux.te | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8340ca8..f9c3513 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
#
type debugfs_t;
+files_mountpoint(debugfs_t)
fs_type(debugfs_t)
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
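Review bot: The reason for the new `files_mountpoint(debugfs_t)` line is not documented, either in the commit message or as a comment next to the declaration. The `genfscon debugfs /` line in the same hunk labels the contents of the debugfs filesystem, so /sys/kernel/debug only carries debugfs_t once debugfs is already mounted there. Please state which operation needs to mount on a debugfs_t directory (for example, mounting debugfs a second time), ideally with the denial that prompted the change, so the need can be checked.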
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0e51e12..2e5aef4 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
# applied to selinuxfs inodes.
#
type security_t, boolean_type;
+files_mountpoint(security_t)
fs_type(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
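Review bot: Adding `files_mountpoint(security_t)` makes a type that is also declared with `mls_trusted_object(security_t)` and `boolean_type` a mount target, and neither the comment block above the declaration nor the commit message explains why this is needed. Marking the type as a mountpoint makes it usable as a target by domains permitted to mount on mountpoint types, so for the selinuxfs type it is worth naming the domain and the scenario that need it (/selinux versus /sys/fs/selinux, as the message mentions). A line added to the existing comment about selinuxfs inodes would be enough.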
--
1.7.3.4