From: Jason Zaman <jason@perfinion.com>
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman <jason@perfinion.com>
Subject: [PATCH 1/2] selinux: Add map perms
Date: Sun, 21 Nov 2021 12:33:42 -0800 [thread overview]
Message-ID: <20211121203343.5910-1-jason@perfinion.com> (raw)
Lots of libselinux functions now map /sys/fs/selinux/status so add map
perms to other interfaces as well.
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
policy/modules/kernel/selinux.if | 18 +++++++++---------
policy/modules/kernel/selinux.te | 8 ++++----
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 13aa1e052..cb610c449 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
')
########################################
@@ -363,7 +363,7 @@ interface(`selinux_read_policy',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
allow $1 security_t:security read_policy;
')
@@ -533,7 +533,7 @@ interface(`selinux_validate_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security check_context;
')
@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',`
')
dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:file mmap_rw_file_perms;
dontaudit $1 security_t:security check_context;
')
@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',`
dev_search_sysfs($1)
allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_av;
')
@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_create;
')
@@ -621,7 +621,7 @@ interface(`selinux_compute_member',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_member;
')
@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_relabel;
')
@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_user;
')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0726fc448..707517e52 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
allow can_setenforce security_t:dir list_dir_perms;
-allow can_setenforce security_t:file rw_file_perms;
+allow can_setenforce security_t:file mmap_rw_file_perms;
dev_search_sysfs(can_setenforce)
@@ -71,7 +71,7 @@ if(secure_mode_policyload) {
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
allow can_load_policy security_t:dir list_dir_perms;
-allow can_load_policy security_t:file rw_file_perms;
+allow can_load_policy security_t:file mmap_rw_file_perms;
dev_search_sysfs(can_load_policy)
@@ -89,7 +89,7 @@ if(secure_mode_policyload) {
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
allow can_setsecparam security_t:dir list_dir_perms;
-allow can_setsecparam security_t:file rw_file_perms;
+allow can_setsecparam security_t:file mmap_rw_file_perms;
allow can_setsecparam security_t:security setsecparam;
auditallow can_setsecparam security_t:security setsecparam;
@@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam)
# use SELinuxfs
allow selinux_unconfined_type security_t:dir list_dir_perms;
-allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type security_t:file mmap_rw_file_perms;
allow selinux_unconfined_type boolean_type:file read_file_perms;
# Access the security API.
--
2.32.0
next reply other threads:[~2021-11-21 20:33 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-21 20:33 Jason Zaman [this message]
2021-11-21 20:33 ` [PATCH 2/2] dbus: Add filetrans for /tmp/dbus-* session socket Jason Zaman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211121203343.5910-1-jason@perfinion.com \
--to=jason@perfinion.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).