commit:     a8e2799f72cad0f2b12ba6d60dfcda183d8bb580
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 11 18:01:41 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:14:11 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8e2799f

The security_t file system can be at /sys/fs/selinux

Because it is no longer a top-level file system, we need to enhance some
of the interfaces with the appropriate rights towards sysfs_t.

First set to allow getattr rights on the file system, which now also
means getattr on the sysfs_t file system as well as search privileges in
sysfs_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if |  5 +++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 8c14b43..60a3f46 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
+##     Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs',`
+       gen_require(`
+               type sysfs_t;
+       ')
+
+       allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##     Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
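Review bot: The summary of the new interface, `##     Get the attributes of sysfs filesystem`, drops the article and the trailing period that its neighbour `##     Search the sysfs directories.` uses; `##     Get the attributes of the sysfs filesystem.` would match the file's style. The interface also does not say why it exists: a `## <desc>` paragraph stating that selinuxfs may be mounted under /sys/fs/selinux, so a domain that stats the SELinux filesystem also needs `filesystem getattr` on sysfs_t, would carry the reasoning that is currently only in the commit message. The call sites replaced in selinux.if referred to `dev_getattr_sysfs_fs`; if an interface by that name exists elsewhere in devices.if the two now overlap, and if it never existed this hunk is what makes those calls resolve, so it is worth confirming which case applies. `dev_getattr_sysfs_dirs` above and the search interface below are cut by the hunk edges.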

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index c5b9bd0..31706ac 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -64,7 +64,7 @@ interface(`selinux_get_fs_mount',`
        allow $1 security_t:filesystem getattr;
 
        # Same for /sys/fs/selinux
-       dev_getattr_sysfs_fs($1)
+       dev_getattr_sysfs($1)
        dev_search_sysfs($1)
 
        # read /proc/filesystems to see if selinuxfs is supported
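Review bot: The comment `# Same for /sys/fs/selinux` depends on the reader having seen the security_t line above, and the body of selinux_get_fs_mount begins before this hunk; a self-contained comment reads better, for example `# selinuxfs may be mounted under /sys/fs/selinux, so reaching it also needs getattr on sysfs_t and search through sysfs`. Both sysfs rights are granted unconditionally, i.e. also where selinuxfs is still a top-level mount, and `dev_search_sysfs($1)` lets the domain traverse sysfs directories beyond the selinux subtree; that looks intentional, but the comment could acknowledge the wider grant.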
@@ -173,7 +173,8 @@ interface(`selinux_getattr_fs',`
        ')
 
        allow $1 security_t:filesystem getattr;
-       dev_getattr_sysfs_fs($1)
+
+       dev_getattr_sysfs($1)
        dev_search_sysfs($1)
 ')
 
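Review bot: The replacement `dev_getattr_sysfs($1)` in selinux_getattr_fs is preceded by a new blank line but no comment, whereas the parallel change in selinux_get_fs_mount (the hunk above) keeps `# Same for /sys/fs/selinux`; the two call sites should read alike, so either drop the blank line or put a comment such as `# selinuxfs may be mounted under /sys/fs/selinux` in its place. The header and gen_require block of selinux_getattr_fs are outside the hunk.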
