* [refpolicy] [PATCH 0/2] Marking as mountpoints
@ 2012-03-25 12:39 Sven Vermeulen
  2012-03-25 12:40 ` [refpolicy] [PATCH 1/2] Many users use a separate mount for /usr/portage Sven Vermeulen
  2012-03-25 12:42 ` [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints Sven Vermeulen
  0 siblings, 2 replies; 5+ messages in thread
From: Sven Vermeulen @ 2012-03-25 12:39 UTC (permalink / raw)
  To: refpolicy

Some file system types (like debugfs_t) are also to be marked as
mountpoints as the associated file system is mounted on the directory that
is labeled that way.

Separate patches because of contrib vs non-contrib.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/2] Many users use a separate mount for /usr/portage
  2012-03-25 12:39 [refpolicy] [PATCH 0/2] Marking as mountpoints Sven Vermeulen
@ 2012-03-25 12:40 ` Sven Vermeulen
  2012-04-23 13:19   ` Christopher J. PeBenito
  2012-03-25 12:42 ` [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints Sven Vermeulen
  1 sibling, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2012-03-25 12:40 UTC (permalink / raw)
  To: refpolicy

The /usr/portage location in the Gentoo distribution is often used as a
separate mount.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/portage.te b/portage.te
index 4735035..c1c2768 100644
--- a/portage.te
+++ b/portage.te
@@ -47,7 +47,7 @@ type portage_devpts_t;
 term_pty(portage_devpts_t)
 
 type portage_ebuild_t;
-files_type(portage_ebuild_t)
+files_mountpoint(portage_ebuild_t)
 
 type portage_fetch_tmp_t;
 files_tmp_file(portage_fetch_tmp_t)
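
Review bot: in this portage.te hunk, files_type(portage_ebuild_t) is removed rather than kept next to the new files_mountpoint(portage_ebuild_t), so whether portage_ebuild_t is still a regular file type now depends entirely on what files_mountpoint() expands to. The commit message should say that files_mountpoint() already includes files_type(); if it does not, keep the original line and add the mountpoint macro below it.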
-- 
1.7.3.4


* [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints
  2012-03-25 12:39 [refpolicy] [PATCH 0/2] Marking as mountpoints Sven Vermeulen
  2012-03-25 12:40 ` [refpolicy] [PATCH 1/2] Many users use a separate mount for /usr/portage Sven Vermeulen
@ 2012-03-25 12:42 ` Sven Vermeulen
  2012-04-23 13:33   ` Christopher J. PeBenito
  1 sibling, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2012-03-25 12:42 UTC (permalink / raw)
  To: refpolicy

The locations for debugfs_t (/sys/kernel/debug) and security_t
(/selinux or /sys/fs/selinux) should be marked as mountpoints as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/kernel.te  |    1 +
 policy/modules/kernel/selinux.te |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8340ca8..f9c3513 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
 #
 
 type debugfs_t;
+files_mountpoint(debugfs_t)
 fs_type(debugfs_t)
 allow debugfs_t self:filesystem associate;
 genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
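
Review bot: debugfs_t is assigned through the genfscon line at the end of this hunk, so the type covers every inode inside debugfs and not only the /sys/kernel/debug directory named in the commit message; files_mountpoint(debugfs_t) therefore marks every directory in the filesystem as a mountpoint. If only the mount directory is meant, the commit message should say why the wider scope is acceptable, or a separate type should label the directory itself.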
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0e51e12..2e5aef4 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 # applied to selinuxfs inodes.
 #
 type security_t, boolean_type;
+files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
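
Review bot: the comment block directly above the security_t declaration documents the type as applied to selinuxfs inodes, and the added files_mountpoint(security_t) line extends that role without updating the comment. Add a sentence there noting that the type also labels the directory selinuxfs is mounted on (/selinux or /sys/fs/selinux), so the reason for the mountpoint attribute is visible in selinux.te and not only in the commit message.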
-- 
1.7.3.4


* [refpolicy] [PATCH 1/2] Many users use a separate mount for /usr/portage
  2012-03-25 12:40 ` [refpolicy] [PATCH 1/2] Many users use a separate mount for /usr/portage Sven Vermeulen
@ 2012-04-23 13:19   ` Christopher J. PeBenito
  0 siblings, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 13:19 UTC (permalink / raw)
  To: refpolicy

On 03/25/12 08:40, Sven Vermeulen wrote:
> The /usr/portage location in the Gentoo distribution is often used as a
> separate mount.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index 4735035..c1c2768 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -47,7 +47,7 @@ type portage_devpts_t;
>  term_pty(portage_devpts_t)
>  
>  type portage_ebuild_t;
> -files_type(portage_ebuild_t)
> +files_mountpoint(portage_ebuild_t)
>  
>  type portage_fetch_tmp_t;
>  files_tmp_file(portage_fetch_tmp_t)
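
Review bot: the new files_mountpoint(portage_ebuild_t) line has no comment explaining why an ebuild tree type is a mountpoint; that reason exists only in the commit message. A short comment above the macro saying that /usr/portage is often a separate mount would keep the intent readable in portage.te.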

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints
  2012-03-25 12:42 ` [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints Sven Vermeulen
@ 2012-04-23 13:33   ` Christopher J. PeBenito
  0 siblings, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 13:33 UTC (permalink / raw)
  To: refpolicy

On 03/25/12 08:42, Sven Vermeulen wrote:
> The locations for debugfs_t (/sys/kernel/debug) and security_t
> (/selinux or /sys/fs/selinux) should be marked as mountpoints as well.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/kernel.te  |    1 +
>  policy/modules/kernel/selinux.te |    1 +
>  2 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 8340ca8..f9c3513 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
>  #
>  
>  type debugfs_t;
> +files_mountpoint(debugfs_t)
>  fs_type(debugfs_t)
>  allow debugfs_t self:filesystem associate;
>  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
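
Review bot: files_mountpoint(debugfs_t) is inserted between the type declaration and fs_type(debugfs_t), separating the declaration from the macro that classifies it as a filesystem type, and it carries no comment. Placing it after fs_type(debugfs_t) with a one-line comment naming /sys/kernel/debug would keep the filesystem declaration lines together and document the addition.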
> diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
> index 0e51e12..2e5aef4 100644
> --- a/policy/modules/kernel/selinux.te
> +++ b/policy/modules/kernel/selinux.te
> @@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
>  # applied to selinuxfs inodes.
>  #
>  type security_t, boolean_type;
> +files_mountpoint(security_t)
>  fs_type(security_t)
>  mls_trusted_object(security_t)
>  sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
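
Review bot: security_t is declared here with boolean_type and mls_trusted_object and is described in the context lines as applied to selinuxfs inodes, so files_mountpoint(security_t) places the mountpoint attribute on every directory inside selinuxfs, not just on /selinux or /sys/fs/selinux. The commit message should state that this wider scope is intended for a type with these attributes.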

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
