diff options
| author |   Sugar, David <dsugar@tresys.com> | 2019-03-05 22:32:44 +0000 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2019-03-25 18:05:25 +0800 |
| commit | 98f3eac837bb8fa985f1f3fe7090e17573c9f3a9 (patch) | |
| tree | 188f2753f1ba592f3a02d3471b206f768495bb3d | |
| parent | aide, clamav: Module version bump. (diff) | |
| download | hardened-refpolicy-98f3eac837bb8fa985f1f3fe7090e17573c9f3a9.tar.gz hardened-refpolicy-98f3eac837bb8fa985f1f3fe7090e17573c9f3a9.tar.bz2 hardened-refpolicy-98f3eac837bb8fa985f1f3fe7090e17573c9f3a9.zip | |
Add interface to allow relabeling of iso 9660 filesystems.
I have a case where I'm labeling media with my own types to control
access. But that is requiring that I relabel from iso9660_t to my
own type. This interface allows that relabel.
type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
| -rw-r--r-- | policy/modules/kernel/filesystem.if | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 6da7cc22..603bfc28 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2507,6 +2507,25 @@ interface(`fs_remount_iso9660_fs',` ######################################## ## <summary> +## Allow changing of the label of a +## filesystem with iso9660 type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_relabelfrom_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem relabelfrom; +') + +######################################## +## <summary> ## Unmount an iso9660 filesystem, which ## is usually used on CDs. ## </summary> |