* [refpolicy] [PATCH v2 0/2] /sys/fs/selinux support
@ 2014-04-11 18:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-11 18:01 UTC
To: refpolicy
Allow policies to handle selinuxfs at /sys/fs/selinux
Changes since v1
----------------
- Renamed interface to dev_getattr_sysfs instead of dev_getattr_sysfs_fs
- Renamed interface to dev_dontaudit_getattr_sysfs instead of dev_dontaudit_getattr_sysfs_fs
Sven Vermeulen (2):
The security_t file system can be at /sys/fs/selinux
Dontaudit access on security_t file system at /sys/fs/selinux
policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/selinux.if | 14 ++++++++++++++
2 files changed, 50 insertions(+)
--
1.8.3.2
* [refpolicy] [PATCH v2 1/2] The security_t file system can be at /sys/fs/selinux
From: Sven Vermeulen @ 2014-04-11 18:01 UTC
To: refpolicy
Because it is no longer a top-level file system, we need to enhance some
of the interfaces with the appropriate rights towards sysfs_t.
First set to allow getattr rights on the file system, which now also
means getattr on the sysfs_t file system as well as search privileges in
sysfs_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 10 ++++++++++
2 files changed, 28 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c2d0f08..fb87c76 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
## <summary>
+## Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
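Review bot: minor documentation nit in the new `dev_getattr_sysfs` block: the summary reads "Get the attributes of sysfs filesystem" while the neighbouring interface headers in this file use full sentences with an article and a trailing period (compare "Search the sysfs directories."); suggest "Get the attributes of the sysfs filesystem." so the generated interface documentation stays consistent. The rule itself, `allow $1 sysfs_t:filesystem getattr;`, is the minimal grant needed for a caller to stat the filesystem that now hosts selinuxfs, and is otherwise fine.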
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6d0811d..66d4352 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
# (/selinux) is already a selinuxfs
allow $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_read_system_state($1)
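Review bot: the two added calls in `selinux_get_fs_mount` widen what this interface grants beyond selinuxfs: `dev_search_sysfs($1)` gives the caller search on sysfs_t directories generally, not only on the path down to /sys/fs/selinux, and nothing in the interface's documentation block mentions that. Suggest updating the interface's `<desc>` to state that getattr and search on sysfs_t are now also granted, so policy authors calling it understand the extra sysfs access they are handing out; the existing comment "# (/selinux) is already a selinuxfs" above the added "# Same for /sys/fs/selinux" reads well as the rationale.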
@@ -165,6 +169,9 @@ interface(`selinux_getattr_fs',`
')
allow $1 security_t:filesystem getattr;
+
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
')
########################################
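Review bot: same documentation point for `selinux_getattr_fs` as for `selinux_get_fs_mount`: the interface header still describes only getattr on the selinuxfs, but after this hunk a caller also receives `dev_getattr_sysfs($1)` and `dev_search_sysfs($1)`, i.e. getattr on sysfs_t and search on its directories. Please mention the sysfs_t access in the interface summary or `<desc>` so the generated docs match the rules actually granted.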
@@ -184,6 +191,9 @@ interface(`selinux_dontaudit_getattr_fs',`
')
dontaudit $1 security_t:filesystem getattr;
+
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
')
########################################
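Review bot: this hunk calls `dev_dontaudit_getattr_sysfs_fs($1)`, but no interface of that name is defined anywhere in this patch (devices.if only gains `dev_getattr_sysfs` here), and the cover letter says the interface was renamed to `dev_dontaudit_getattr_sysfs` for v2. The definition only arrives in patch 2/2, which also rewrites this very line to the new name. Applying 1/2 on its own therefore leaves `selinux_dontaudit_getattr_fs` referencing an undefined interface and the policy build should fail on it, which breaks bisecting. Suggest dropping the `dontaudit` changes from 1/2 entirely and carrying them in 2/2 together with the interface definition, so each patch in the series builds on its own:
  dontaudit $1 security_t:filesystem getattr;
  dev_dontaudit_getattr_sysfs($1)
  dev_dontaudit_search_sysfs($1)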
--
1.8.3.2
* [refpolicy] [PATCH v2 2/2] Dontaudit access on security_t file system at /sys/fs/selinux
From: Sven Vermeulen @ 2014-04-11 18:01 UTC
To: refpolicy
Second part of the support of security_t under /sys/fs/selinux - when
asked not to audit getting attributes on the selinux file system, have
this propagate to the sysfs parts as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 6 +++++-
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fb87c76..e9ef456 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3891,6 +3891,24 @@ interface(`dev_getattr_sysfs',`
########################################
## <summary>
+## Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access from
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
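Review bot: documentation nit in the new `dev_dontaudit_getattr_sysfs` block: the parameter summary "Domain to dontaudit access from" does not match the wording used for the `allow` counterpart directly above it ("Domain allowed access.") and lacks the trailing period the surrounding headers carry; suggest "Domain to not audit." to keep the generated interface docs uniform. The `dontaudit $1 sysfs_t:filesystem getattr;` rule pairs correctly with the allow rule in `dev_getattr_sysfs`.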
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 66d4352..9192d23 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
# (/selinux) is already a selinuxfs
dontaudit $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs($1)
+ dev_dontaudit_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_dontaudit_read_system_state($1)
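Review bot: worth a caveat in the `selinux_dontaudit_get_fs_mount` header or the inline comment: `dev_dontaudit_search_sysfs($1)` silences search denials on every sysfs_t directory, not just on the path to /sys/fs/selinux, so a caller that later genuinely needs sysfs access will no longer see those denials in the audit log. That is acceptable for a dontaudit interface whose purpose is to quiet probing, but the documentation should say that sysfs_t search denials are suppressed too, so policy authors do not go looking for missing AVCs.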
@@ -192,7 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
dontaudit $1 security_t:filesystem getattr;
- dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_getattr_sysfs($1)
dev_dontaudit_search_sysfs($1)
')
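Review bot: this hunk replaces the `dev_dontaudit_getattr_sysfs_fs($1)` call with `dev_dontaudit_getattr_sysfs($1)`, i.e. it repairs a reference that patch 1/2 introduced to an interface which did not exist under either name at that point. The fix belongs in the patch that introduced the call: either move the whole `selinux_dontaudit_getattr_fs` change from 1/2 into this patch (where `dev_dontaudit_getattr_sysfs` is defined) or define the interface in 1/2, so that the series builds at every step. As submitted, the "1 deletion(-)" in this patch's diffstat exists only to undo a line from the previous patch.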
--
1.8.3.2
* [refpolicy] [PATCH v2 0/2] /sys/fs/selinux support
From: Christopher J. PeBenito @ 2014-04-21 12:41 UTC
To: refpolicy
On 04/11/2014 02:01 PM, Sven Vermeulen wrote:
>
> Allow policies to handle selinuxfs at /sys/fs/selinux
>
> Changes since v1
> ----------------
>
> - Renamed interface to dev_getattr_sysfs instead of dev_getattr_sysfs_fs
> - Renamed interface to dev_dontaudit_getattr_sysfs instead of dev_dontaudit_getattr_sysfs_fs
>
> Sven Vermeulen (2):
> The security_t file system can be at /sys/fs/selinux
> Dontaudit access on security_t file system at /sys/fs/selinux
>
> policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/selinux.if | 14 ++++++++++++++
> 2 files changed, 50 insertions(+)
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com