[refpolicy] [PATCH 3/3] Grant kernel_t necessary permissions for loopback mounts

Christopher J. PeBenito cpebenito at tresys.com
Fri Jan 31 22:32:44 EST 2014


On 1/29/2014 5:45 PM, Luis Ressel wrote:
> For loopback mounts to work, the kernel requires access permissions to
> fd's passed in by mount and to the source files (labeled mount_loopback_t).
> ---
>  policy/modules/kernel/kernel.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 6a2e170..0742a0c 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -287,6 +287,10 @@ files_list_etc(kernel_t)
>  files_list_home(kernel_t)
>  files_read_usr_files(kernel_t)
>  
> +allow kernel_t mount_t:fd use;

The interface that exists in the mount module should be used for this access.

> +allow kernel_t mount_loopback_t:fd use;

mount_loopback_t is not a process so this has no effect.

> +allow kernel_t mount_loopback_t:file read_file_perms;
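
Review bot: all three added lines are raw allow rules in kernel.te on types owned by the mount module (mount_t and mount_loopback_t), which goes against the refpolicy convention that a module reaches another module's types only through interfaces declared in that module's .if file; the `fd use` on mount_t should be expressed through the mount module's existing interface for that access, and the `allow kernel_t mount_loopback_t:file read_file_perms;` rule needs a new interface in mount.if that kernel.te then calls. The middle line, `allow kernel_t mount_loopback_t:fd use;`, should be dropped outright: fd objects carry the label of the process that created them, and mount_loopback_t labels files rather than a domain, so no fd of that type can exist and the rule grants nothing.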

An interface needs to be created and used for this access.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com