From 718bf84b85f0b834552e0a0f694d39d821f2a93d Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 18 Jun 2014 10:31:27 -0400
Subject: [PATCH] Allow mounting of usbfs.

Addresses denials such as:
avc:  denied  { mount } for  pid=5 comm="kworker/u:0" name="/" dev=usbfs ino=3234 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem

Change-Id: I1db52193e6a2548c37a7809ef44cf7fd3357326d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 kernel.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel.te b/kernel.te
index 1faa9db80..0de0ab894 100644
--- a/kernel.te
+++ b/kernel.te
@@ -11,6 +11,9 @@ unconfined_domain(kernel)
 # cgroup filesystem initialization prior to setting the cgroup root directory label.
 allow kernel unlabeled:dir search;
 
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+
 # init direct restorecon calls prior to switching to init domain
 # /dev and /dev/socket
 allow kernel { device socket_device }:dir relabelto;
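Review bot: The added comment `# Mount usbfs.` only restates the rule and does not record which kernel context needs it. The denial in the commit message comes from a `kworker/u:0` thread running as `u:r:kernel:s0`, and that is what a later policy audit needs in order to judge whether the grant is still required. I would write it as `# Kernel worker threads (kworker) mount usbfs; without this rule: avc: denied { mount } scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem`. The rule itself is suitably narrow, granting only `mount` on the `usbfs` filesystem type and not `remount` or `unmount`. If usbfs exists only on some device kernels (not visible from this hunk), the comment should say so, so the rule can be dropped once they are retired.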
-- 
GitLab