[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ - gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
Date:	Sun, 21 Nov 2021 23:02:48
Message-Id:	`1637534338.6b169e5b3fea0ec900448db18586475269f21612.perfinion@gentoo`

1

commit:     6b169e5b3fea0ec900448db18586475269f21612

2

Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

3

AuthorDate: Sat Nov 20 22:44:53 2021 +0000

4

Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

5

CommitDate: Sun Nov 21 22:38:58 2021 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b

7

8

selinux: Add map perms

9

10

Lots of libselinux functions now map /sys/fs/selinux/status so add map

11

perms to other interfaces as well.

12

13

$ passwd user1

14

passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'

15

failed.

16

Aborted

17

18

avc: denied { map } for pid=325 comm="passwd"

19

path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:

20

sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file

21

permissive=1

22

23

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

24

25

 policy/modules/kernel/selinux.if | 18 +++++++++---------

26

 policy/modules/kernel/selinux.te |  8 ++++----

27

 2 files changed, 13 insertions(+), 13 deletions(-)

28

29

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if

30

index 13aa1e05..cb610c44 100644

31

--- a/policy/modules/kernel/selinux.if

32

+++ b/policy/modules/kernel/selinux.if

33

@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',`

34

35

 	dev_search_sysfs($1)

36

 	allow $1 security_t:dir list_dir_perms;

37

-	allow $1 security_t:file read_file_perms;

38

+	allow $1 security_t:file mmap_read_file_perms;

39

')

40

41

 ########################################

42

@@ -363,7 +363,7 @@ interface(`selinux_read_policy',`

43

44

 	dev_search_sysfs($1)

45

 	allow $1 security_t:dir list_dir_perms;

46

-	allow $1 security_t:file read_file_perms;

47

+	allow $1 security_t:file mmap_read_file_perms;

48

 	allow $1 security_t:security read_policy;

49

')

50

51

@@ -533,7 +533,7 @@ interface(`selinux_validate_context',`

52

53

 	dev_search_sysfs($1)

54

 	allow $1 security_t:dir list_dir_perms;

55

-	allow $1 security_t:file rw_file_perms;

56

+	allow $1 security_t:file mmap_rw_file_perms;

57

 	allow $1 security_t:security check_context;

58

')

59

60

@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',`

61

')

62

63

 	dontaudit $1 security_t:dir list_dir_perms;

64

-	dontaudit $1 security_t:file rw_file_perms;

65

+	dontaudit $1 security_t:file mmap_rw_file_perms;

66

 	dontaudit $1 security_t:security check_context;

67

')

68

69

@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',`

70

 	dev_search_sysfs($1)

71

 	allow $1 self:netlink_selinux_socket create_socket_perms;

72

 	allow $1 security_t:dir list_dir_perms;

73

-	allow $1 security_t:file rw_file_perms;

74

+	allow $1 security_t:file mmap_rw_file_perms;

75

 	allow $1 security_t:security compute_av;

76

')

77

78

@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',`

79

80

 	dev_search_sysfs($1)

81

 	allow $1 security_t:dir list_dir_perms;

82

-	allow $1 security_t:file rw_file_perms;

83

+	allow $1 security_t:file mmap_rw_file_perms;

84

 	allow $1 security_t:security compute_create;

85

')

86

87

@@ -621,7 +621,7 @@ interface(`selinux_compute_member',`

88

89

 	dev_search_sysfs($1)

90

 	allow $1 security_t:dir list_dir_perms;

91

-	allow $1 security_t:file rw_file_perms;

92

+	allow $1 security_t:file mmap_rw_file_perms;

93

 	allow $1 security_t:security compute_member;

94

')

95

96

@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',`

97

98

 	dev_search_sysfs($1)

99

 	allow $1 security_t:dir list_dir_perms;

100

-	allow $1 security_t:file rw_file_perms;

101

+	allow $1 security_t:file mmap_rw_file_perms;

102

 	allow $1 security_t:security compute_relabel;

103

')

104

105

@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',`

106

107

 	dev_search_sysfs($1)

108

 	allow $1 security_t:dir list_dir_perms;

109

-	allow $1 security_t:file rw_file_perms;

110

+	allow $1 security_t:file mmap_rw_file_perms;

111

 	allow $1 security_t:security compute_user;

112

')

113

114

115

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te

116

index 0726fc44..707517e5 100644

117

--- a/policy/modules/kernel/selinux.te

118

+++ b/policy/modules/kernel/selinux.te

119

@@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)

120

 neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;

121

122

 allow can_setenforce security_t:dir list_dir_perms;

123

-allow can_setenforce security_t:file rw_file_perms;

124

+allow can_setenforce security_t:file mmap_rw_file_perms;

125

126

 dev_search_sysfs(can_setenforce)

127

128

@@ -71,7 +71,7 @@ if(secure_mode_policyload) {

129

 neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;

130

131

 allow can_load_policy security_t:dir list_dir_perms;

132

-allow can_load_policy security_t:file rw_file_perms;

133

+allow can_load_policy security_t:file mmap_rw_file_perms;

134

135

 dev_search_sysfs(can_load_policy)

136

137

@@ -89,7 +89,7 @@ if(secure_mode_policyload) {

138

 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;

139

140

 allow can_setsecparam security_t:dir list_dir_perms;

141

-allow can_setsecparam security_t:file rw_file_perms;

142

+allow can_setsecparam security_t:file mmap_rw_file_perms;

143

 allow can_setsecparam security_t:security setsecparam;

144

 auditallow can_setsecparam security_t:security setsecparam;

145

146

@@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam)

147

148

 # use SELinuxfs

149

 allow selinux_unconfined_type security_t:dir list_dir_perms;

150

-allow selinux_unconfined_type security_t:file rw_file_perms;

151

+allow selinux_unconfined_type security_t:file mmap_rw_file_perms;

152

 allow selinux_unconfined_type boolean_type:file read_file_perms;

153

154

 # Access the security API.

1	commit: 6b169e5b3fea0ec900448db18586475269f21612
2	Author: Jason Zaman <perfinion <AT> gentoo <DOT> org>
3	AuthorDate: Sat Nov 20 22:44:53 2021 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Sun Nov 21 22:38:58 2021 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b
7
8	selinux: Add map perms
9
10	Lots of libselinux functions now map /sys/fs/selinux/status so add map
11	perms to other interfaces as well.
12
13	$ passwd user1
14	passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
15	failed.
16	Aborted
17
18	avc: denied { map } for pid=325 comm="passwd"
19	path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
20	sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
21	permissive=1
22
23	Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
24
25	policy/modules/kernel/selinux.if \| 18 +++++++++---------
26	policy/modules/kernel/selinux.te \| 8 ++++----
27	2 files changed, 13 insertions(+), 13 deletions(-)
28
29	diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
30	index 13aa1e05..cb610c44 100644
31	--- a/policy/modules/kernel/selinux.if
32	+++ b/policy/modules/kernel/selinux.if
33	@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',`
34
35	dev_search_sysfs($1)
36	allow $1 security_t:dir list_dir_perms;
37	- allow $1 security_t:file read_file_perms;
38	+ allow $1 security_t:file mmap_read_file_perms;
39	')
40
41	########################################
42	@@ -363,7 +363,7 @@ interface(`selinux_read_policy',`
43
44	dev_search_sysfs($1)
45	allow $1 security_t:dir list_dir_perms;
46	- allow $1 security_t:file read_file_perms;
47	+ allow $1 security_t:file mmap_read_file_perms;
48	allow $1 security_t:security read_policy;
49	')
50
51	@@ -533,7 +533,7 @@ interface(`selinux_validate_context',`
52
53	dev_search_sysfs($1)
54	allow $1 security_t:dir list_dir_perms;
55	- allow $1 security_t:file rw_file_perms;
56	+ allow $1 security_t:file mmap_rw_file_perms;
57	allow $1 security_t:security check_context;
58	')
59
60	@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',`
61	')
62
63	dontaudit $1 security_t:dir list_dir_perms;
64	- dontaudit $1 security_t:file rw_file_perms;
65	+ dontaudit $1 security_t:file mmap_rw_file_perms;
66	dontaudit $1 security_t:security check_context;
67	')
68
69	@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',`
70	dev_search_sysfs($1)
71	allow $1 self:netlink_selinux_socket create_socket_perms;
72	allow $1 security_t:dir list_dir_perms;
73	- allow $1 security_t:file rw_file_perms;
74	+ allow $1 security_t:file mmap_rw_file_perms;
75	allow $1 security_t:security compute_av;
76	')
77
78	@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',`
79
80	dev_search_sysfs($1)
81	allow $1 security_t:dir list_dir_perms;
82	- allow $1 security_t:file rw_file_perms;
83	+ allow $1 security_t:file mmap_rw_file_perms;
84	allow $1 security_t:security compute_create;
85	')
86
87	@@ -621,7 +621,7 @@ interface(`selinux_compute_member',`
88
89	dev_search_sysfs($1)
90	allow $1 security_t:dir list_dir_perms;
91	- allow $1 security_t:file rw_file_perms;
92	+ allow $1 security_t:file mmap_rw_file_perms;
93	allow $1 security_t:security compute_member;
94	')
95
96	@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',`
97
98	dev_search_sysfs($1)
99	allow $1 security_t:dir list_dir_perms;
100	- allow $1 security_t:file rw_file_perms;
101	+ allow $1 security_t:file mmap_rw_file_perms;
102	allow $1 security_t:security compute_relabel;
103	')
104
105	@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',`
106
107	dev_search_sysfs($1)
108	allow $1 security_t:dir list_dir_perms;
109	- allow $1 security_t:file rw_file_perms;
110	+ allow $1 security_t:file mmap_rw_file_perms;
111	allow $1 security_t:security compute_user;
112	')
113
114
115	diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
116	index 0726fc44..707517e5 100644
117	--- a/policy/modules/kernel/selinux.te
118	+++ b/policy/modules/kernel/selinux.te
119	@@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
120	neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
121
122	allow can_setenforce security_t:dir list_dir_perms;
123	-allow can_setenforce security_t:file rw_file_perms;
124	+allow can_setenforce security_t:file mmap_rw_file_perms;
125
126	dev_search_sysfs(can_setenforce)
127
128	@@ -71,7 +71,7 @@ if(secure_mode_policyload) {
129	neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
130
131	allow can_load_policy security_t:dir list_dir_perms;
132	-allow can_load_policy security_t:file rw_file_perms;
133	+allow can_load_policy security_t:file mmap_rw_file_perms;
134
135	dev_search_sysfs(can_load_policy)
136
137	@@ -89,7 +89,7 @@ if(secure_mode_policyload) {
138	neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
139
140	allow can_setsecparam security_t:dir list_dir_perms;
141	-allow can_setsecparam security_t:file rw_file_perms;
142	+allow can_setsecparam security_t:file mmap_rw_file_perms;
143	allow can_setsecparam security_t:security setsecparam;
144	auditallow can_setsecparam security_t:security setsecparam;
145
146	@@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam)
147
148	# use SELinuxfs
149	allow selinux_unconfined_type security_t:dir list_dir_perms;
150	-allow selinux_unconfined_type security_t:file rw_file_perms;
151	+allow selinux_unconfined_type security_t:file mmap_rw_file_perms;
152	allow selinux_unconfined_type boolean_type:file read_file_perms;
153
154	# Access the security API.

Gentoo Archives: gentoo-commits