From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 23 Apr 2012 09:33:39 -0400 Subject: [refpolicy] [PATCH 1/1] Marking debugfs and securityfs as mountpoints In-Reply-To: <20120325124237.GC13219@siphos.be> References: <20120325123929.GA13219@siphos.be> <20120325124237.GC13219@siphos.be> Message-ID: <4F955A33.2030004@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/25/12 08:42, Sven Vermeulen wrote: > The locations for debugfs_t (/sys/kernel/debug) and security_t > (/selinux or /sys/fs/selinux) should be marked as mountpoints as well. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/kernel/kernel.te | 1 + > policy/modules/kernel/selinux.te | 1 + > 2 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te > index 8340ca8..f9c3513 100644 > --- a/policy/modules/kernel/kernel.te > +++ b/policy/modules/kernel/kernel.te > @@ -56,6 +56,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) > # > > type debugfs_t; > +files_mountpoint(debugfs_t) > fs_type(debugfs_t) > allow debugfs_t self:filesystem associate; > genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) > diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te > index 0e51e12..2e5aef4 100644 > --- a/policy/modules/kernel/selinux.te > +++ b/policy/modules/kernel/selinux.te > @@ -29,6 +29,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) > # applied to selinuxfs inodes. > # > type security_t, boolean_type; > +files_mountpoint(security_t) > fs_type(security_t) > mls_trusted_object(security_t) > sid security gen_context(system_u:object_r:security_t,mls_systemhigh) Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
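Review bot: in the policy/modules/kernel/kernel.te hunk, the added files_mountpoint(debugfs_t) line has no comment, so the reason for it lives only in the commit message, which names /sys/kernel/debug as the location. A one-line comment above the declaration noting that /sys/kernel/debug is a mount location for this type would keep the rationale next to the code. The commit message could also name the denial or mount failure that prompted the change, so the fix can be checked against it.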
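Review bot: in the policy/modules/kernel/selinux.te hunk, files_mountpoint(security_t) is added to a type that the following context lines also declare as mls_trusted_object and label at mls_systemhigh, yet the message gives only the paths (/selinux or /sys/fs/selinux) and not which domain needs to mount there. Please state in the commit message which mount operation was being denied, and consider a short comment beside the new line, since marking this type as a mountpoint changes how a security-sensitive type is treated by the policy.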