[refpolicy] [PATCH 1/3] Allow mount_t to follow mount_loopback_t symlinks

Christopher J. PeBenito cpebenito at tresys.com
Fri Jan 31 22:28:15 EST 2014


On 1/29/2014 5:45 PM, Luis Ressel wrote:
> This is useful for some application scenarios and doesn't harm security.
> ---
>  policy/modules/system/mount.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 03f0911..7d01431 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -44,6 +44,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
>  allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
>  
>  allow mount_t mount_loopback_t:file read_file_perms;
> +allow mount_t mount_loopback_t:lnk_file read_file_perms;
>  
>  allow mount_t mount_tmp_t:file manage_file_perms;
>  allow mount_t mount_tmp_t:dir manage_dir_perms;
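Review bot: the commit message asserts that this "doesn't harm security" and is "useful for some application scenarios" without naming the scenario, so the reader cannot tell which setup produces mount_loopback_t-labelled symlinks or why the resulting denial matters; the message should state the concrete case (e.g. a symlink in place of the loopback image file) and note that the access check still happens on the link target. As a style point, the added line `allow mount_t mount_loopback_t:lnk_file read_file_perms;` applies the file-class permission set to the lnk_file class; refpolicy provides a symlink-specific read set (read_lnk_file_perms), which is the narrower match when the only intent is to follow the link.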
 
We generally prefer not to specially label symlinks.  They don't have the security properties of the object they point to, and the permissions are checked normally on the target.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

