I have a case where I'm labeling media with my own types to control access. But that is requiring that I relabel from iso9660_t to my own type. This interface allows that relabel. type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0 Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 048b9d65..a22cb6ba 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',` allow $1 iso9660_t:filesystem remount; ') +######################################## +## <summary> +## Allow changing of the label of a +## filesystem with iso9660 type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabelfrom_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem relabelfrom; +') + ######################################## ## <summary> ## Unmount an iso9660 filesystem, which -- 2.20.1
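Review bot: The summary in the new doc block for fs_relabelfrom_iso9660_fs ("Allow changing of the label of a filesystem with iso9660 type") does not say that only the relabelfrom direction is granted. The rule is `allow $1 iso9660_t:filesystem relabelfrom;`, so a caller that relabels the media to its own type, as the commit message describes, still needs relabelto on that target type from its own policy. Consider wording the summary like the neighbouring interfaces ("Unmount an iso9660 filesystem, which ..."), for example "Relabel from an iso9660 filesystem", so the direction is explicit and callers are not misled into thinking the interface covers the whole relabel.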