SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 1/1] grant permission to map security_t
@ 2019-07-02 15:31 Sugar, David
  2019-07-09  0:34 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Sugar, David @ 2019-07-02 15:31 UTC (permalink / raw)
  To: selinux-refpolicy

I'm seeing the following denial while installing RPMs.  

type=AVC msg=audit(1560944462.698:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

The RedHat targeted policy has the change in this patch.  I'm not sure if this is preferred, or
if it would be better to create a new interface 'selinux_map_security_files' (or similar).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/selinux.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..f0504613 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -492,7 +492,7 @@ interface(`selinux_validate_context',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file { map rw_file_perms };
 	allow $1 security_t:security check_context;
 ')
 
-- 
2.21.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH 1/1] grant permission to map security_t
  2019-07-02 15:31 [PATCH 1/1] grant permission to map security_t Sugar, David
@ 2019-07-09  0:34 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2019-07-09  0:34 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 7/2/19 11:31 AM, Sugar, David wrote:
> I'm seeing the following denial while installing RPMs.
> 
> type=AVC msg=audit(1560944462.698:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
> 
> The RedHat targeted policy has the change in this patch.  I'm not sure if this is preferred, or
> if it would be better to create a new interface 'selinux_map_security_files' (or similar).

That would be preferred, as this is not a typical behavior.


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/kernel/selinux.if | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index 6790e5d0..f0504613 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -492,7 +492,7 @@ interface(`selinux_validate_context',`
>   
>   	dev_search_sysfs($1)
>   	allow $1 security_t:dir list_dir_perms;
> -	allow $1 security_t:file rw_file_perms;
> +	allow $1 security_t:file { map rw_file_perms };
>   	allow $1 security_t:security check_context;
>   ')
>   
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-02 15:31 [PATCH 1/1] grant permission to map security_t Sugar, David
2019-07-09  0:34 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox