commit:     98f3eac837bb8fa985f1f3fe7090e17573c9f3a9
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Mar  5 22:32:44 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98f3eac8

Add interface to allow relabeling of iso 9660 filesystems.

I have a case where I'm labeling media with my own types to control
access.  But that is requiring that I relabel from iso9660_t to my
own type.  This interface allows that relabel.

type=AVC msg=audit(1551621984.372:919): avc:  denied  { relabelfrom } for  
pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 6da7cc22..603bfc28 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',`
        allow $1 iso9660_t:filesystem remount;
 ')
 
+########################################
+## <summary>
+##     Allow changing of the label of a
+##     filesystem with iso9660 type
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_relabelfrom_iso9660_fs',`
+       gen_require(`
+               type iso9660_t;
+       ')
+
+       allow $1 iso9660_t:filesystem relabelfrom;
+')
+
 ########################################
 ## <summary>
 ##     Unmount an iso9660 filesystem, which
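
Review bot: The summary comment on fs_relabelfrom_iso9660_fs ("Allow changing of the label of a filesystem with iso9660 type") reads as if the interface grants a complete relabel, but the only rule is `allow $1 iso9660_t:filesystem relabelfrom;`. That covers just the relabelfrom half of the check; the calling domain still needs relabelto on the filesystem class of its destination type, granted separately in the caller's own policy. Suggest rewording the summary to something like "Relabel from iso9660 filesystems." so policy writers do not assume the interface is sufficient on its own, and ending it with a period to match "Domain allowed access." in the param block. Because relabelfrom lets a domain take media out from under the iso9660_t label and whatever rules are written against it, it is worth keeping callers to the domains that actually mount with their own context, as with mymedia_sudo_t in the AVC denial quoted in the commit message.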
