From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH 1/1 v2] grant rpm_t permission to map security_t
Date: Tue, 9 Jul 2019 15:15:38 +0000
Message-ID: <20190709151527.13582-1-dsugar@tresys.com>
X-Mailer: git-send-email 2.21.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List:
selinux-refpolicy@vger.kernel.org

type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar
---
 policy/modules/admin/rpm.te      |  1 +
 policy/modules/kernel/selinux.if | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 3c5968f9..082052fa 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t) selinux_compute_create_context(rpm_t) selinux_compute_relabel_context(rpm_t) selinux_compute_user_contexts(rpm_t) +selinux_map_security_files(rpm_t) =20 storage_raw_write_fixed_disk(rpm_t) storage_raw_read_fixed_disk(rpm_t) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selin= ux.if index 6790e5d0..81d8f918 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',` allow $1 security_t:security compute_user; ') =20 +######################################## +## +## Allows caller to map secuirty_t files. +## +## +## +## Domain allowed access. +## +## +# + +interface(`selinux_map_security_files',` + gen_require(` + type security_t; + ') + + dev_search_sysfs($1) + allow $1 security_t:file map; +') + ######################################## ## ## Unconfined access to the SELinux kernel security server. --=20 2.21.0
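Review bot: in the selinux.if hunk the summary line `+## Allows caller to map secuirty_t files.` misspells the type (should be `security_t`), and the empty `+` line between the closing `+#` of the description block and `+interface(`selinux_map_security_files',`` does not match the rest of the file, where `interface(` follows the `#` line directly; drop the blank line so the description stays attached to the interface it documents. Two things the summary should also say, since callers will read it before the rule: the interface grants only `map` on `security_t:file`, not `open` or `read`, so a caller can only mmap /sys/fs/selinux/status if it already holds read access from another interface (rpm_t presumably does via the `selinux_compute_*` calls immediately above the new line in rpm.te, which is why the denial in the commit log was the only one); and because selinuxfs carries the single type security_t, the rule covers every file under /sys/fs/selinux rather than just the read-only status page shown in the AVC message, which is the granularity the policy offers but is worth stating so reviewers of future callers know the scope.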