* [PATCH 1/2] Add interface to read efivarfs_t directory
@ 2019-12-17 23:34 Sugar, David
From: Sugar, David @ 2019-12-17 23:34 UTC (permalink / raw)
To: selinux-refpolicy
I'm seeing the following denial when using 'efivars --list'. This interface grants access.
2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc: denied { read } for pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 62911f12..98f3af5d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1982,6 +1982,24 @@ interface(`fs_manage_dos_files',`
manage_files_pattern($1, dosfs_t, dosfs_t)
')
+########################################
+## <summary>
+## List dirs in efivarfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_efivars',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ list_dirs_pattern($1, efivarfs_t, efivarfs_t)
+')
+
#######################################
## <summary>
## Read files in efivarfs
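Review bot: the interface name on the `interface(`fs_list_efivars',`` line is inconsistent with the neighbouring `fs_read_efivarfs_files` and with the type it wraps, efivarfs_t; naming it `fs_list_efivarfs` (or `fs_list_efivarfs_dirs`) would keep the list and read interfaces discoverable side by side, and the `<summary>` could use the same wording. The grant itself is appropriately narrow: `list_dirs_pattern($1, efivarfs_t, efivarfs_t)` covers the `read` on the efivarfs root directory shown in the quoted AVC without exposing the variable files, which stay gated by fs_read_efivarfs_files. Since that AVC was recorded with permissive=1, it is worth confirming on an enforcing system that `efivar --list` does not also need the file reads and therefore both interfaces.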
--
2.23.0
* [PATCH 2/2] Fix indent to match the rest of the file (space -> tab)
@ 2019-12-17 23:34 ` Sugar, David
From: Sugar, David @ 2019-12-17 23:34 UTC (permalink / raw)
To: selinux-refpolicy
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/kernel/filesystem.if | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 98f3af5d..3e6324e7 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2013,11 +2013,11 @@ interface(`fs_list_efivars',`
## <rolecap/>
#
interface(`fs_read_efivarfs_files',`
- gen_require(`
- type efivarfs_t;
- ')
+ gen_require(`
+ type efivarfs_t;
+ ')
- read_files_pattern($1, efivarfs_t, efivarfs_t)
+ read_files_pattern($1, efivarfs_t, efivarfs_t)
')
########################################
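Review bot: the hunk only converts leading spaces to tabs inside fs_read_efivarfs_files, so the `gen_require` block and `read_files_pattern($1, efivarfs_t, efivarfs_t)` are removed and re-added with identical content; the commit message should state that it is whitespace-only (a `git show -w` of the commit is empty) so reviewers and policy diff tooling do not mistake it for a rule change. Because the hunk header references `fs_list_efivars`, this patch applies only after 1/2; reordering the series so the indentation fix comes first would let the new interface land in an already tab-indented region.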
--
2.23.0
* Re: [PATCH 1/2] Add interface to read efivarfs_t directory
@ 2019-12-26 17:00 ` Chris PeBenito
From: Chris PeBenito @ 2019-12-26 17:00 UTC (permalink / raw)
To: Sugar, David, selinux-refpolicy
On 12/17/19 6:34 PM, Sugar, David wrote:
> I'm seeing the following denial when using 'efivars --list'. This interface grants access.
> 2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc: denied { read } for pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 62911f12..98f3af5d 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -1982,6 +1982,24 @@ interface(`fs_manage_dos_files',`
> manage_files_pattern($1, dosfs_t, dosfs_t)
> ')
>
> +########################################
> +## <summary>
> +## List dirs in efivarfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_list_efivars',`
> + gen_require(`
> + type efivarfs_t;
> + ')
> +
> + list_dirs_pattern($1, efivarfs_t, efivarfs_t)
> +')
> +
> #######################################
> ## <summary>
> ## Read files in efivarfs
Merged.
--
Chris PeBenito
* Re: [PATCH 2/2] Fix indent to match the rest of the file (space -> tab)
@ 2019-12-26 17:00 ` Chris PeBenito
From: Chris PeBenito @ 2019-12-26 17:00 UTC (permalink / raw)
To: Sugar, David, selinux-refpolicy
On 12/17/19 6:34 PM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/kernel/filesystem.if | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 98f3af5d..3e6324e7 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -2013,11 +2013,11 @@ interface(`fs_list_efivars',`
> ## <rolecap/>
> #
> interface(`fs_read_efivarfs_files',`
> - gen_require(`
> - type efivarfs_t;
> - ')
> + gen_require(`
> + type efivarfs_t;
> + ')
>
> - read_files_pattern($1, efivarfs_t, efivarfs_t)
> + read_files_pattern($1, efivarfs_t, efivarfs_t)
> ')
>
> ########################################
Merged.
--
Chris PeBenito