From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-922903-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 7C25C139085
	for <garchives@archives.gentoo.org>; Fri, 13 Jan 2017 18:43:42 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 5B8F2234063;
	Fri, 13 Jan 2017 18:43:20 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 2B42B234063
	for <gentoo-commits@lists.gentoo.org>; Fri, 13 Jan 2017 18:43:15 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 4162634180D
	for <gentoo-commits@lists.gentoo.org>; Fri, 13 Jan 2017 18:43:13 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 31D492636
	for <gentoo-commits@lists.gentoo.org>; Fri, 13 Jan 2017 18:43:10 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1484332777.7016d9a6b6505eea13d0c4cb7a4d94d096ef07ee.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/mount.fc policy/modules/system/mount.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 7016d9a6b6505eea13d0c4cb7a4d94d096ef07ee
X-VCS-Branch: master
Date: Fri, 13 Jan 2017 18:43:10 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 5d0ece88-fcbc-48cd-846d-4e760366ed16
X-Archives-Hash: dba174957f4aafc4f197e0e06451e2d9

commit:     7016d9a6b6505eea13d0c4cb7a4d94d096ef07ee
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan  6 14:05:00 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:39:37 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7016d9a6

update mount module

* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)

 policy/modules/system/mount.fc |  4 ++--
 policy/modules/system/mount.te | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 9cfb93a..182d0fd 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,7 +2,7 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/sbin/mount\.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs		--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
@@ -14,4 +14,4 @@
 /usr/sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)?			gen_context(system_u:object_r:mount_runtime_t,s0)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a2ed9b7..4bfb93b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -23,12 +23,13 @@ role mount_roles types mount_t;
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
+type mount_runtime_t;
+typealias mount_runtime_t alias mount_var_run_t;
+files_pid_file(mount_runtime_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-type mount_var_run_t;
-files_pid_file(mount_var_run_t)
-
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
@@ -55,10 +56,10 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
@@ -68,9 +69,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -142,6 +140,7 @@ miscfiles_read_localization(mount_t)
 sysnet_use_portmap(mount_t)
 
 seutil_read_config(mount_t)
+selinux_getattr_fs(mount_t)
 
 userdom_use_all_users_fds(mount_t)