commit: 6b169e5b3fea0ec900448db18586475269f21612 |
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
AuthorDate: Sat Nov 20 22:44:53 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Nov 21 22:38:58 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b |
|
selinux: Add map perms |
|
Lots of libselinux functions now map /sys/fs/selinux/status so add map |
perms to other interfaces as well. |
|
$ passwd user1 |
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' |
failed. |
Aborted |
|
avc: denied { map } for pid=325 comm="passwd" |
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root: |
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file |
permissive=1 |
|
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/kernel/selinux.if | 18 +++++++++--------- |
policy/modules/kernel/selinux.te | 8 ++++---- |
2 files changed, 13 insertions(+), 13 deletions(-) |
|
29 |
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if |
30 |
index 13aa1e05..cb610c44 100644 |
31 |
--- a/policy/modules/kernel/selinux.if |
32 |
+++ b/policy/modules/kernel/selinux.if |
33 |
@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',` |
34 |
|
35 |
dev_search_sysfs($1) |
36 |
allow $1 security_t:dir list_dir_perms; |
37 |
- allow $1 security_t:file read_file_perms; |
38 |
+ allow $1 security_t:file mmap_read_file_perms; |
39 |
') |
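Review bot: The `## <summary>`/`## <desc>` block above this hunk presumably still describes `selinux_get_enforce_mode` as read-only access to selinuxfs, while the new `mmap_read_file_perms` on `security_t:file` also grants `map`; the interface doc should say so, e.g. `## Get the enforcing mode of the SELinux kernel. Also allows mapping selinuxfs files, which libselinux needs for /sys/fs/selinux/status.` Because `security_t` labels every file under /sys/fs/selinux, `map` is granted more broadly than the single status file named in the denial in the commit message; that is unavoidable without a separate type, but is worth a one-line `# map: libselinux mmap()s the selinuxfs status page; all of selinuxfs is security_t` next to the allow rule so it is not later tightened back by mistake. The interface body starts before this hunk.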
40 |
|
41 |
######################################## |
42 |
@@ -363,7 +363,7 @@ interface(`selinux_read_policy',` |
43 |
|
44 |
dev_search_sysfs($1) |
45 |
allow $1 security_t:dir list_dir_perms; |
46 |
- allow $1 security_t:file read_file_perms; |
47 |
+ allow $1 security_t:file mmap_read_file_perms; |
48 |
allow $1 security_t:security read_policy; |
49 |
') |
50 |
|
51 |
@@ -533,7 +533,7 @@ interface(`selinux_validate_context',` |
52 |
|
53 |
dev_search_sysfs($1) |
54 |
allow $1 security_t:dir list_dir_perms; |
55 |
- allow $1 security_t:file rw_file_perms; |
56 |
+ allow $1 security_t:file mmap_rw_file_perms; |
57 |
allow $1 security_t:security check_context; |
58 |
') |
59 |
|
60 |
@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',` |
61 |
') |
62 |
|
63 |
dontaudit $1 security_t:dir list_dir_perms; |
64 |
- dontaudit $1 security_t:file rw_file_perms; |
65 |
+ dontaudit $1 security_t:file mmap_rw_file_perms; |
66 |
dontaudit $1 security_t:security check_context; |
67 |
') |
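Review bot: Only `selinux_dontaudit_validate_context` is widened to `mmap_rw_file_perms` here; if other `selinux_dontaudit_*` interfaces in this file still dontaudit `read_file_perms` or `rw_file_perms` on `security_t:file` (they are outside the shown hunks, so this is inferred), callers relying on them will now log `map` denials for the status page even though the matching allow interfaces were updated in this commit. Those should be changed the same way, e.g. `dontaudit $1 security_t:file mmap_rw_file_perms;`, so the allow and dontaudit variants of each interface stay symmetric. The interface body starts before this hunk.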
68 |
|
69 |
@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',` |
70 |
dev_search_sysfs($1) |
71 |
allow $1 self:netlink_selinux_socket create_socket_perms; |
72 |
allow $1 security_t:dir list_dir_perms; |
73 |
- allow $1 security_t:file rw_file_perms; |
74 |
+ allow $1 security_t:file mmap_rw_file_perms; |
75 |
allow $1 security_t:security compute_av; |
76 |
') |
77 |
|
78 |
@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',` |
79 |
|
80 |
dev_search_sysfs($1) |
81 |
allow $1 security_t:dir list_dir_perms; |
82 |
- allow $1 security_t:file rw_file_perms; |
83 |
+ allow $1 security_t:file mmap_rw_file_perms; |
84 |
allow $1 security_t:security compute_create; |
85 |
') |
86 |
|
87 |
@@ -621,7 +621,7 @@ interface(`selinux_compute_member',` |
88 |
|
89 |
dev_search_sysfs($1) |
90 |
allow $1 security_t:dir list_dir_perms; |
91 |
- allow $1 security_t:file rw_file_perms; |
92 |
+ allow $1 security_t:file mmap_rw_file_perms; |
93 |
allow $1 security_t:security compute_member; |
94 |
') |
95 |
|
96 |
@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',` |
97 |
|
98 |
dev_search_sysfs($1) |
99 |
allow $1 security_t:dir list_dir_perms; |
100 |
- allow $1 security_t:file rw_file_perms; |
101 |
+ allow $1 security_t:file mmap_rw_file_perms; |
102 |
allow $1 security_t:security compute_relabel; |
103 |
') |
104 |
|
105 |
@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',` |
106 |
|
107 |
dev_search_sysfs($1) |
108 |
allow $1 security_t:dir list_dir_perms; |
109 |
- allow $1 security_t:file rw_file_perms; |
110 |
+ allow $1 security_t:file mmap_rw_file_perms; |
111 |
allow $1 security_t:security compute_user; |
112 |
') |
113 |
|
114 |
|
115 |
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te |
116 |
index 0726fc44..707517e5 100644 |
117 |
--- a/policy/modules/kernel/selinux.te |
118 |
+++ b/policy/modules/kernel/selinux.te |
119 |
@@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0) |
120 |
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; |
121 |
|
122 |
allow can_setenforce security_t:dir list_dir_perms; |
123 |
-allow can_setenforce security_t:file rw_file_perms; |
124 |
+allow can_setenforce security_t:file mmap_rw_file_perms; |
125 |
|
126 |
dev_search_sysfs(can_setenforce) |
127 |
|
128 |
@@ -71,7 +71,7 @@ if(secure_mode_policyload) { |
129 |
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; |
130 |
|
131 |
allow can_load_policy security_t:dir list_dir_perms; |
132 |
-allow can_load_policy security_t:file rw_file_perms; |
133 |
+allow can_load_policy security_t:file mmap_rw_file_perms; |
134 |
|
135 |
dev_search_sysfs(can_load_policy) |
136 |
|
137 |
@@ -89,7 +89,7 @@ if(secure_mode_policyload) { |
138 |
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; |
139 |
|
140 |
allow can_setsecparam security_t:dir list_dir_perms; |
141 |
-allow can_setsecparam security_t:file rw_file_perms; |
142 |
+allow can_setsecparam security_t:file mmap_rw_file_perms; |
143 |
allow can_setsecparam security_t:security setsecparam; |
144 |
auditallow can_setsecparam security_t:security setsecparam; |
145 |
|
146 |
@@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam) |
147 |
|
148 |
# use SELinuxfs |
149 |
allow selinux_unconfined_type security_t:dir list_dir_perms; |
150 |
-allow selinux_unconfined_type security_t:file rw_file_perms; |
151 |
+allow selinux_unconfined_type security_t:file mmap_rw_file_perms; |
152 |
allow selinux_unconfined_type boolean_type:file read_file_perms; |
153 |
|
154 |
# Access the security API. |
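Review bot: The asymmetry introduced here, `security_t:file mmap_rw_file_perms` on the changed line versus `boolean_type:file read_file_perms` on the line after it, deserves a comment, since a later reader may "fix" it by adding `map` to the boolean rule as well; something like `# booleans are read()/write()n, not mmap()ed; only the selinuxfs status page needs map` above the boolean rule would record the intent. If some libselinux path does map boolean files, which cannot be determined from this hunk, the boolean rule should be widened instead and the comment adjusted.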