The kernel domain should be able to mounton default directories

during switch_root.

Corresponding suspicious permissions are removed from the init
domain, however this might need further testing on a wider number
of systems.

Signed-off-by: Guido Trentalancia <[email protected]>
---
 policy/modules/kernel/kernel.te |    1 +
 policy/modules/system/init.te   |    4 ----
 2 files changed, 1 insertion(+), 4 deletions(-)

policy/modules/kernel/kernel.te

@@ -365,6 +365,7 @@ files_getattr_etc_runtime_dirs(kernel_t)
 files_mounton_etc_runtime_dirs(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
+files_mounton_default(kernel_t)
 
 mcs_process_set_categories(kernel_t)
 

policy/modules/system/init.te

@@ -850,10 +850,6 @@ files_exec_etc_files(initrc_t)
 files_read_usr_files(initrc_t)
 files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
-# Mount and unmount file systems.
-# cjp: not sure why these are here; should use mount policy
-files_list_default(initrc_t)
-files_mounton_default(initrc_t)
 files_manage_mnt_dirs(initrc_t)
 files_manage_mnt_files(initrc_t)