"Sugar, David" <dsugar@xxxxxxxxxx> writes:

> I have a case where I'm labeling media with my own types to control
> access. But that is requiring that I relabel from iso9660_t to my
> own type. This interface allows that relabel.

Not sure why you would want this as iso9660 is read-only anyway, I suppose you want to block read access for entities that can already read iso9660.

>
> type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0
>
> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
> ---
>  policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 048b9d65..a22cb6ba 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',`
>  	allow $1 iso9660_t:filesystem remount;
>  ')
>  
> +########################################
> +## <summary>
> +##	Allow changing of the label of a
> +##	filesystem with iso9660 type
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_relabelfrom_iso9660_fs',`
> +	gen_require(`
> +		type iso9660_t;
> +	')
> +
> +	allow $1 iso9660_t:filesystem relabelfrom;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Unmount an iso9660 filesystem, which

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
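Review bot: The `<summary>` of the new `fs_relabelfrom_iso9660_fs` interface overstates what the body grants: the single `allow $1 iso9660_t:filesystem relabelfrom;` rule only covers the source side of a filesystem relabel, while the kernel also checks `relabelto` on the destination type (the caller's own media type in the use case described), which this interface cannot provide. Suggest narrowing the summary to something like `##	Allow relabeling a filesystem away from the iso9660 type` and adding a `<desc>` block stating that the caller must separately be allowed `relabelto` on the target filesystem type, so policy writers do not expect this interface alone to make the `mount` relabel succeed.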