On 3/6/19 3:20 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@xxxxxxxxxx> writes:
>
>> I have a case where I'm labeling media with my own types to control
>> access. But that is requiring that I relabel from iso9660_t to my
>> own type. This interface allows that relabel.
>
> Not sure why you would want this as iso9660 is read-only anyway, I
> suppose you want to block read access for entities that can already read iso9660.
>

In what I am working on I have to support encrypted USB devices. Many of these devices work by first presenting a read-only partition. It shows up as /dev/sr#. This partition is used to unlock the encrypted partition (which then shows up as /dev/sd*#). When mounting the read-only partition I'm providing a specific context to the mount command. I think during the mount it initially gets the context iso9660_t and then relabels from that to my context. Note that I am not transitioning to the call to mount, but running mount in my domain. And I kind of do want to keep other domains from accessing this mounted partition.

>>
>> type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0
>>
>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>> ---
>> policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
>> 1 file changed, 19 insertions(+)
>>
>> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
>> index 048b9d65..a22cb6ba 100644
>> --- a/policy/modules/kernel/filesystem.if
>> +++ b/policy/modules/kernel/filesystem.if
>> @@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',` >> allow $1 iso9660_t:filesystem remount; >> ') >> >> +######################################## >> +## <summary> >> +## Allow changing of the label of a >> +## filesystem with iso9660 type >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed access. >> +## </summary> >> +## </param> >> +# >> +interface(`fs_relabelfrom_iso9660_fs',` >> + gen_require(` >> + type iso9660_t; >> + ') >> + >> + allow $1 iso9660_t:filesystem relabelfrom; >> +') >> + >> ######################################## >> ## <summary> >> ## Unmount an iso9660 filesystem, which >
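Review bot: the summary in this hunk overstates what the interface grants. `allow $1 iso9660_t:filesystem relabelfrom;` only permits relabeling away from iso9660_t, not changing its label in general, and the caller still needs `relabelto` on the destination filesystem type (the context handed to mount in the use case described above), which this interface does not and should not provide. Suggest wording the summary as `## Allow relabeling from the iso9660 filesystem type` and adding a sentence that relabelto on the new type must be granted separately, so readers of the interface documentation do not expect one call to cover the whole relabel.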
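To make the use case in the reply concrete, here is an added example policy module (not code from the patch, the thread, or refpolicy itself) showing how the mounting domain from the AVC, mymedia_sudo_t, would use the new interface together with the relabelto counterpart it needs. It assumes the patch above is applied; the private filesystem type mymedia_fs_t, the device and the mount point are constructed names for illustration.

```selinux
# Added example module; mymedia_fs_t and the paths below are constructed.
policy_module(mymedia, 1.0.0)

########################################
#
# Declarations
#

# Private label applied to the mounted read-only unlock partition.
type mymedia_fs_t;
fs_type(mymedia_fs_t)

# Domain that runs mount directly, with no domain transition, as in the reply.
type mymedia_sudo_t;
domain_type(mymedia_sudo_t)

########################################
#
# Policy
#

# Step 1: the superblock is first labeled iso9660_t by the generic filesystem
# labeling rule, so the mounting domain must be allowed to relabel away from it.
# This is the permission the AVC denial above was missing.
fs_relabelfrom_iso9660_fs(mymedia_sudo_t)

# Step 2: the counterpart the interface does not cover: relabeling to the
# private type, plus mounting and unmounting the result.
allow mymedia_sudo_t mymedia_fs_t:filesystem { relabelto mount unmount getattr };

# No other domain is given rules for mymedia_fs_t, so by default nothing else
# can read the mounted partition, which is the goal stated in the reply.
#
# Corresponding mount invocation from within mymedia_sudo_t (example values):
#   mount -o ro,context=system_u:object_r:mymedia_fs_t:s0 /dev/sr0 /mnt/unlock
```

Domains that legitimately need to read the unlocked media can then be granted access to mymedia_fs_t explicitly, rather than inheriting the broad read access that many domains already hold on iso9660_t.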