
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/, policy/modules/kernel/, policy/modules/system/, policy/support/
Date: Thu, 25 May 2017 16:43:51
Message-Id: 1495730214.b383b3a683a47119d32fee1af95d467f007a0aac.perfinion@gentoo
1 commit: b383b3a683a47119d32fee1af95d467f007a0aac
2 Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
3 AuthorDate: Wed May 24 19:40:18 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 25 16:36:54 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b383b3a6
7
8 refpolicy: Define and allow map permission
9
10 Kernel commit 6941857e82ae ("selinux: add a map permission check
11 for mmap") added a map permission check on mmap so that we can
12 distinguish memory mapped access (since it has different implications
13 for revocation). The purpose of a separate map permission check on
14 mmap(2) is to permit policy to prohibit memory mapping of specific files
15 for which we need to ensure that every access is revalidated, particularly
16 useful for scenarios where we expect the file to be relabeled at runtime
17 in order to reflect state changes (e.g. cross-domain solution, assured
18 pipeline without data copying). The kernel commit is anticipated to
19 be included in Linux 4.13.
20
21 This refpolicy change defines map permission for refpolicy. It mirrors
22 the definition in the kernel classmap by adding it to the common
23 definitions for files and sockets. This will break compatibility for
24 kernels that predate the dynamic class/perm mapping support (< 2.6.33,
25 < RHEL 6); on such kernels, one would instead need to add map permission
26 to the end of each file and socket access vector.
27
28 This change only allows map permission as needed, e.g. only in the
29 mmap_file_perms and exec_file_perms object permission sets
30 (since map is always required there) and only in specific interfaces
31 or modules where denials were observed in limited testing.
32
33 It is important to note that effective use of this permission requires
34 complete removal of unconfined, as otherwise unconfined domains will be
35 able to map all file types and therefore bypass the intended protection.
36 If we wanted to exclude map permission to all file types by default from
37 unconfined, we would need to add it to the list of permissions excluded from
38 files_unconfined_type in kernel/files.te.
39
40 Policies that depend on this permission not being allowed to specific file
41 types should also make use of neverallow rules to ensure that this is not
42 undermined by any allow rule, and ensure that they are performing neverallow
43 checking at policy build time (e.g. make validate) or runtime (e.g.
44 semanage.conf expand-check=1).
45
46 Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
47
48 policy/flask/access_vectors | 2 ++
49 policy/modules/kernel/devices.if | 10 ++++++----
50 policy/modules/system/libraries.if | 2 +-
51 policy/modules/system/logging.if | 37 ++++++++++++++++++++++++++++++++++++
52 policy/modules/system/logging.te | 1 +
53 policy/modules/system/miscfiles.if | 2 ++
54 policy/modules/system/selinuxutil.if | 5 +++++
55 policy/modules/system/selinuxutil.te | 2 ++
56 policy/support/obj_perm_sets.spt | 4 ++--
57 9 files changed, 58 insertions(+), 7 deletions(-)
58
59 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
60 index f20e5c1e..5d539e95 100644
61 --- a/policy/flask/access_vectors
62 +++ b/policy/flask/access_vectors
63 @@ -20,6 +20,7 @@ common file
64 relabelfrom
65 relabelto
66 append
67 + map
68 unlink
69 link
70 rename
71 @@ -47,6 +48,7 @@ common socket
72 relabelfrom
73 relabelto
74 append
75 + map
76 # socket-specific
77 bind
78 connect
79
80 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
81 index dceb9ef1..ef7b429b 100644
82 --- a/policy/modules/kernel/devices.if
83 +++ b/policy/modules/kernel/devices.if
84 @@ -1955,6 +1955,7 @@ interface(`dev_rw_dri',`
85 ')
86
87 rw_chr_files_pattern($1, device_t, dri_device_t)
88 + allow $1 dri_device_t:chr_file map;
89 ')
90
91 ########################################
92 @@ -2741,7 +2742,7 @@ interface(`dev_rx_raw_memory',`
93 ')
94
95 dev_read_raw_memory($1)
96 - allow $1 memory_device_t:chr_file execute;
97 + allow $1 memory_device_t:chr_file { map execute };
98 ')
99
100 ########################################
101 @@ -2760,7 +2761,7 @@ interface(`dev_wx_raw_memory',`
102 ')
103
104 dev_write_raw_memory($1)
105 - allow $1 memory_device_t:chr_file execute;
106 + allow $1 memory_device_t:chr_file { map execute };
107 ')
108
109 ########################################
110 @@ -3843,6 +3844,7 @@ interface(`dev_read_sound_mixer',`
111 ')
112
113 read_chr_files_pattern($1, device_t, sound_device_t)
114 + allow $1 sound_device_t:chr_file map;
115 ')
116
117 ########################################
118 @@ -4945,7 +4947,7 @@ interface(`dev_rwx_vmware',`
119 ')
120
121 dev_rw_vmware($1)
122 - allow $1 vmware_device_t:chr_file execute;
123 + allow $1 vmware_device_t:chr_file { map execute };
124 ')
125
126 ########################################
127 @@ -5168,7 +5170,7 @@ interface(`dev_rwx_zero',`
128 ')
129
130 dev_rw_zero($1)
131 - allow $1 zero_device_t:chr_file execute;
132 + allow $1 zero_device_t:chr_file { map execute };
133 ')
134
135 ########################################
136
137 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
138 index 24b7ef66..9e8a0448 100644
139 --- a/policy/modules/system/libraries.if
140 +++ b/policy/modules/system/libraries.if
141 @@ -86,7 +86,7 @@ interface(`libs_use_ld_so',`
142 read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
143 mmap_files_pattern($1, lib_t, ld_so_t)
144
145 - allow $1 ld_so_cache_t:file read_file_perms;
146 + allow $1 ld_so_cache_t:file { map read_file_perms };
147 ')
148
149 ########################################
150
151 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
152 index 705ed1fb..126d44b6 100644
153 --- a/policy/modules/system/logging.if
154 +++ b/policy/modules/system/logging.if
155 @@ -1103,6 +1103,25 @@ interface(`logging_read_generic_logs',`
156
157 ########################################
158 ## <summary>
159 +## Map generic log files.
160 +## </summary>
161 +## <param name="domain">
162 +## <summary>
163 +## Domain allowed access.
164 +## </summary>
165 +## </param>
166 +## <rolecap/>
167 +#
168 +interface(`logging_mmap_generic_logs',`
169 + gen_require(`
170 + type var_log_t;
171 + ')
172 +
173 + allow $1 var_log_t:file map;
174 +')
175 +
176 +########################################
177 +## <summary>
178 ## Write generic log files.
179 ## </summary>
180 ## <param name="domain">
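Review bot: `logging_mmap_generic_logs` grants `var_log_t:file map` alone, so a caller that has not also used `logging_read_generic_logs` (or a write interface) cannot open the file it wants to map; the summary should say so, e.g. `## Map generic log files. Read or write access must be granted separately.`. Interfaces built on `mmap_files_pattern` carry open/read permissions themselves via mmap_file_perms (see the obj_perm_sets.spt hunk), so this map-only shape is a departure worth stating in the doc, or the rule could become `allow $1 var_log_t:file { map read_file_perms };` as the libs_use_ld_so hunk in this commit does. The same applies to `logging_mmap_journal` in the hunk at @@ -1368.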
181 @@ -1368,3 +1387,21 @@ interface(`logging_syslog_managed_log_dir',`
182 logging_log_file($1)
183 logging_log_filetrans(syslogd_t, $1, dir, $2)
184 ')
185 +
186 +#######################################
187 +## <summary>
188 +## Map files in /run/log/journal/ directory.
189 +## </summary>
190 +## <param name="domain">
191 +## <summary>
192 +## Domain allowed access.
193 +## </summary>
194 +## </param>
195 +#
196 +interface(`logging_mmap_journal',`
197 + gen_require(`
198 + type syslogd_var_run_t;
199 + ')
200 +
201 + allow $1 syslogd_var_run_t:file map;
202 +')
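Review bot: The summary of `logging_mmap_journal` says "files in /run/log/journal/", but the rule applies to every file labeled `syslogd_var_run_t`, which presumably covers more of syslogd's runtime files than the journal directory; either describe the type honestly (`## Map syslogd runtime files, including /run/log/journal/.`) or, if only the journal is meant, it needs its own type. The separator line above the interface is 39 `#` characters where the file's other separators, including the one added in the previous hunk, use 40. The interface also lacks the `<rolecap/>` tag that `logging_mmap_generic_logs` carries; confirm whether that difference is intentional.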
203
204 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
205 index bf427e5a..8086ca97 100644
206 --- a/policy/modules/system/logging.te
207 +++ b/policy/modules/system/logging.te
208 @@ -400,6 +400,7 @@ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
209
210 # create/append log files.
211 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
212 +allow syslogd_t var_log_t:file map;
213 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
214 files_search_spool(syslogd_t)
215
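Review bot: The comment `# create/append log files.` two lines above the added rule no longer describes the block once `var_log_t:file map` is granted; `# create/append/map log files.` keeps it accurate. Because syslogd_t already has manage_files_pattern on var_log_t, this rule removes the last distinction between writing and mapping log files for that domain; a short why-comment naming the consumer whose denial was observed in testing (the commit message mentions such denials) would help a later least-privilege audit.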
216
217 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
218 index 204390d1..d26a982b 100644
219 --- a/policy/modules/system/miscfiles.if
220 +++ b/policy/modules/system/miscfiles.if
221 @@ -221,6 +221,7 @@ interface(`miscfiles_read_fonts',`
222
223 allow $1 fonts_t:dir list_dir_perms;
224 read_files_pattern($1, fonts_t, fonts_t)
225 + allow $1 fonts_t:file map;
226 read_lnk_files_pattern($1, fonts_t, fonts_t)
227
228 allow $1 fonts_cache_t:dir list_dir_perms;
229 @@ -444,6 +445,7 @@ interface(`miscfiles_read_localization',`
230 allow $1 locale_t:dir list_dir_perms;
231 read_files_pattern($1, locale_t, locale_t)
232 read_lnk_files_pattern($1, locale_t, locale_t)
233 + allow $1 locale_t:file map;
234 ')
235
236 ########################################
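Review bot: The added `map` rule is placed between read_files_pattern and read_lnk_files_pattern in miscfiles_read_fonts but after read_lnk_files_pattern in miscfiles_read_localization (hunk at @@ -444); putting the new allow directly after the read_files_pattern it extends in both places makes the pairing obvious. In miscfiles_read_fonts, map is granted for fonts_t only while the interface continues (outside the hunk) with fonts_cache_t; if the same consumers memory-map the font cache files, presumably `allow $1 fonts_cache_t:file map;` is needed too — verify against the denials observed. Both interfaces start above their hunks.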
237
238 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
239 index a8221f0e..332d5797 100644
240 --- a/policy/modules/system/selinuxutil.if
241 +++ b/policy/modules/system/selinuxutil.if
242 @@ -860,6 +860,7 @@ interface(`seutil_read_file_contexts',`
243 files_search_etc($1)
244 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
245 read_files_pattern($1, file_context_t, file_context_t)
246 + allow $1 file_context_t:file map;
247 ')
248
249 ########################################
250 @@ -880,6 +881,7 @@ interface(`seutil_dontaudit_read_file_contexts',`
251
252 dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms;
253 dontaudit $1 file_context_t:file read_file_perms;
254 + dontaudit $1 file_context_t:file map;
255 ')
256
257 ########################################
258 @@ -900,6 +902,7 @@ interface(`seutil_rw_file_contexts',`
259 files_search_etc($1)
260 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
261 rw_files_pattern($1, file_context_t, file_context_t)
262 + allow $1 file_context_t:file map;
263 ')
264
265 ########################################
266 @@ -921,6 +924,7 @@ interface(`seutil_manage_file_contexts',`
267 files_search_etc($1)
268 allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
269 manage_files_pattern($1, file_context_t, file_context_t)
270 + allow $1 file_context_t:file map;
271 ')
272
273 ########################################
274 @@ -941,6 +945,7 @@ interface(`seutil_read_bin_policy',`
275 files_search_etc($1)
276 allow $1 selinux_config_t:dir search_dir_perms;
277 read_files_pattern($1, policy_config_t, policy_config_t)
278 + allow $1 policy_config_t:file map;
279
280 ifdef(`distro_gentoo',`
281 # Allow sesearch to read /etc/selinux/.../policy
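Review bot: `seutil_read_bin_policy` gains map for policy_config_t, but the interface continues past the hunk into an `ifdef(`distro_gentoo',` block that, per its comment, lets sesearch read the compiled policy; if that block grants read on a type other than policy_config_t, the same map grant may be needed there — verify against the block's body and observed denials. The four file_context_t hunks above (@@ -860, -880, -900, -921) consistently add `map` right after the pattern call, including the dontaudit variant, which is good; their documentation blocks, above each hunk, still do not mention the new permission, and a line such as `## Also allows memory-mapping the file contexts.` in each `<summary>` would close that gap.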
282
283 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
284 index e61d4209..557e935c 100644
285 --- a/policy/modules/system/selinuxutil.te
286 +++ b/policy/modules/system/selinuxutil.te
287 @@ -170,6 +170,7 @@ allow load_policy_t self:capability dac_override;
288
289 # only allow read of policy config files
290 read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
291 +allow load_policy_t policy_config_t:file map;
292
293 dev_read_urand(load_policy_t)
294
295 @@ -572,6 +573,7 @@ allow setfiles_t self:fifo_file rw_file_perms;
296 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
297 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
298 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
299 +allow setfiles_t file_context_t:file map;
300
301 kernel_read_system_state(setfiles_t)
302 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
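Review bot: The comment `# only allow read of policy config files` three lines above the added rule is now inaccurate, since load_policy_t also gets `policy_config_t:file map`; `# only allow read/map of policy config files` keeps it honest. The read_files_pattern on the preceding line uses `{ policy_src_t policy_config_t }` as directory types with policy_config_t as the file type, so a single map rule on policy_config_t:file matches that scope. In the hunk at @@ -572, setfiles_t gets read_file_perms on four types but map only on file_context_t; if that narrowing is deliberate, a brief comment such as `# file contexts are the only policy files setfiles maps` would prevent a later "fix" that widens it to all four types.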
303
304 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
305 index 938a6cd7..16f549c1 100644
306 --- a/policy/support/obj_perm_sets.spt
307 +++ b/policy/support/obj_perm_sets.spt
308 @@ -155,8 +155,8 @@ define(`getattr_file_perms',`{ getattr }')
309 define(`setattr_file_perms',`{ setattr }')
310 define(`read_inherited_file_perms',`{ getattr read lock ioctl }')
311 define(`read_file_perms',`{ read_inherited_file_perms open }')
312 -define(`mmap_file_perms',`{ getattr open read execute ioctl }')
313 -define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
314 +define(`mmap_file_perms',`{ getattr open map read execute ioctl }')
315 +define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
316 define(`append_inherited_file_perms',` { getattr append lock ioctl }')
317 define(`append_file_perms',`{ append_inherited_file_perms open}')
318 define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
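Review bot: With map now inside mmap_file_perms and exec_file_perms there is still no set for read-only mapping without execute, so callers needing exactly that must hand-write `{ map read_file_perms }`, as the libs_use_ld_so hunk in this commit does; a companion `define(`mmap_read_file_perms',`{ getattr open map read ioctl }')` next to `read_file_perms` would give such call sites one named, least-privilege set. Note that execute remains in mmap_file_perms, so every existing mmap_files_pattern user gains map while keeping execute; that is the intended semantics per the commit message, but worth keeping in mind when auditing which domains can now map a given type.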