[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

[Sven Vermeulen]

commit:     7016d9a6b6505eea13d0c4cb7a4d94d096ef07ee
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan  6 14:05:00 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:39:37 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7016d9a6

update mount module

* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)

 policy/modules/system/mount.fc |  4 ++--
 policy/modules/system/mount.te | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 9cfb93a..182d0fd 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,7 +2,7 @@
 /bin/mount.*                   --      
gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*                  --      
gen_context(system_u:object_r:mount_exec_t,s0)
 
-/sbin/mount\.zfs                       --      
gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs               --      
gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs                      --      
gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool                    --      
gen_context(system_u:object_r:mount_exec_t,s0)
 
@@ -14,4 +14,4 @@
 /usr/sbin/zfs                  --      
gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool                        --      
gen_context(system_u:object_r:mount_exec_t,s0)
 
-/run/mount(/.*)?                       
gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)?                       
gen_context(system_u:object_r:mount_runtime_t,s0)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a2ed9b7..4bfb93b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -23,12 +23,13 @@ role mount_roles types mount_t;
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
+type mount_runtime_t;
+typealias mount_runtime_t alias mount_var_run_t;
+files_pid_file(mount_runtime_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-type mount_var_run_t;
-files_pid_file(mount_var_run_t)
-
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
@@ -55,10 +56,10 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
@@ -68,9 +69,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -142,6 +140,7 @@ miscfiles_read_localization(mount_t)
 sysnet_use_portmap(mount_t)
 
 seutil_read_config(mount_t)
+selinux_getattr_fs(mount_t)
 
 userdom_use_all_users_fds(mount_t)