I see this denial when mounting media. I'm running mount_exec_t from my domain, not transitioning. type=AVC msg=audit(1547086778.470:331): avc: denied { read write } for pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1 Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/system/mount.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index bf9a8bf3..31475bde 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',` rw_files_pattern($1, mount_runtime_t, mount_runtime_t) ') +######################################## +## <summary> +## Read and write mount runtime directory +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mount_rw_runtime_dir',` + gen_require(` + type mount_runtime_t; + ') + + allow $1 mount_runtime_t:dir rw_dir_perms; +') + -- 2.20.1
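Review bot: the new `mount_rw_runtime_dir` interface in this hunk grants `rw_dir_perms` on `mount_runtime_t` but does not call `files_search_runtime($1)`, so a caller whose domain cannot already search the runtime (/run) directory will still be denied on the path walk before it reaches the mount runtime directory; consider adding `files_search_runtime($1)` before the `allow` line so the interface is usable on its own, matching how the other runtime-access interfaces in this file are expected to be self-sufficient. Two smaller points: the hunk adds an empty line after the closing `')` at end of file (the `+` line with no content), which git flags as a trailing-whitespace error and refpolicy style does not want, so drop it; and the `<summary>` could say which directory is meant (the mount runtime directory under /run) so readers of the generated documentation can tell it apart from `mount_rw_runtime_files` immediately above.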