Re: [PATCH] Interface to read and write the mount_runtime_t directory.

Chris PeBenito <pebenito@xxxxxxxx> · Wed, 16 Jan 2019 18:06:04 -0500

On 1/14/19 10:20 PM, Sugar, David wrote:
I see this denial when mounting media.  I'm running mount_exec_t
from my domain, not transitioning.

type=AVC msg=audit(1547086778.470:331): avc:  denied  { read write } for  pid=11172 comm="mount" name="mount" dev="tmpfs" ino=9470 scontext=sysadm_u:sysadm_r:settings_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_runtime_t:s0 tclass=dir permissive=1

Seems like there is a leaked file descriptor.


Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
  policy/modules/system/mount.if | 18 ++++++++++++++++++
  1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index bf9a8bf3..31475bde 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -220,3 +220,21 @@ interface(`mount_rw_runtime_files',`
  	rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
  ')
  
+########################################
+## <summary>
+##	Read and write mount runtime directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_runtime_dir',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:dir rw_dir_perms;
+')
+



--
Chris PeBenito






