From: Jason Zaman <jason@perfinion.com>
To: selinux-refpolicy@vger.kernel.org
Cc: Jason Zaman <jason@perfinion.com>
Subject: [PATCH 1/2] selinux: Add map perms
Date: Sun, 21 Nov 2021 12:33:42 -0800 [thread overview]
Message-ID: <20211121203343.5910-1-jason@perfinion.com> (raw)
Lots of libselinux functions now map /sys/fs/selinux/status so add map
perms to other interfaces as well.
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1
Signed-off-by: Jason Zaman <jason@perfinion.com>
---
policy/modules/kernel/selinux.if | 18 +++++++++---------
policy/modules/kernel/selinux.te | 8 ++++----
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 13aa1e052..cb610c449 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
')
########################################
@@ -363,7 +363,7 @@ interface(`selinux_read_policy',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
allow $1 security_t:security read_policy;
')
@@ -533,7 +533,7 @@ interface(`selinux_validate_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security check_context;
')
@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',`
')
dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:file mmap_rw_file_perms;
dontaudit $1 security_t:security check_context;
')
@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',`
dev_search_sysfs($1)
allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_av;
')
@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_create;
')
@@ -621,7 +621,7 @@ interface(`selinux_compute_member',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_member;
')
@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_relabel;
')
@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_user;
')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0726fc448..707517e52 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
allow can_setenforce security_t:dir list_dir_perms;
-allow can_setenforce security_t:file rw_file_perms;
+allow can_setenforce security_t:file mmap_rw_file_perms;
dev_search_sysfs(can_setenforce)
@@ -71,7 +71,7 @@ if(secure_mode_policyload) {
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
allow can_load_policy security_t:dir list_dir_perms;
-allow can_load_policy security_t:file rw_file_perms;
+allow can_load_policy security_t:file mmap_rw_file_perms;
dev_search_sysfs(can_load_policy)
@@ -89,7 +89,7 @@ if(secure_mode_policyload) {
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
allow can_setsecparam security_t:dir list_dir_perms;
-allow can_setsecparam security_t:file rw_file_perms;
+allow can_setsecparam security_t:file mmap_rw_file_perms;
allow can_setsecparam security_t:security setsecparam;
auditallow can_setsecparam security_t:security setsecparam;
@@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam)
# use SELinuxfs
allow selinux_unconfined_type security_t:dir list_dir_perms;
-allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type security_t:file mmap_rw_file_perms;
allow selinux_unconfined_type boolean_type:file read_file_perms;
# Access the security API.
--
2.32.0
next reply other threads:[~2021-11-21 20:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-21 20:33 Jason Zaman [this message]
2021-11-21 20:33 ` [PATCH 2/2] dbus: Add filetrans for /tmp/dbus-* session socket Jason Zaman
-- strict thread matches above, loose matches on Subject: below --
2021-11-21 20:32 [PATCH 1/2] selinux: Add map perms Jason Zaman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211121203343.5910-1-jason@perfinion.com \
--to=jason@perfinion.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.