commit: 6b169e5b3fea0ec900448db18586475269f21612
Author: Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 20 22:44:53 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 22:38:58 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b
selinux: Add map perms
Lots of libselinux functions now map /sys/fs/selinux/status so add map
perms to other interfaces as well.
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/selinux.if | 18 +++++++++---------
policy/modules/kernel/selinux.te | 8 ++++----
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 13aa1e05..cb610c44 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
')
########################################
@@ -363,7 +363,7 @@ interface(`selinux_read_policy',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
allow $1 security_t:security read_policy;
')
@@ -533,7 +533,7 @@ interface(`selinux_validate_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security check_context;
')
@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',`
')
dontaudit $1 security_t:dir list_dir_perms;
- dontaudit $1 security_t:file rw_file_perms;
+ dontaudit $1 security_t:file mmap_rw_file_perms;
dontaudit $1 security_t:security check_context;
')
@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',`
dev_search_sysfs($1)
allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_av;
')
@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_create;
')
@@ -621,7 +621,7 @@ interface(`selinux_compute_member',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_member;
')
@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_relabel;
')
@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',`
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_user;
')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0726fc44..707517e5 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -53,7 +53,7 @@ genfscon securityfs /
gen_context(system_u:object_r:security_t,s0)
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security
setenforce;
allow can_setenforce security_t:dir list_dir_perms;
-allow can_setenforce security_t:file rw_file_perms;
+allow can_setenforce security_t:file mmap_rw_file_perms;
dev_search_sysfs(can_setenforce)
@@ -71,7 +71,7 @@ if(secure_mode_policyload) {
neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security
load_policy;
allow can_load_policy security_t:dir list_dir_perms;
-allow can_load_policy security_t:file rw_file_perms;
+allow can_load_policy security_t:file mmap_rw_file_perms;
dev_search_sysfs(can_load_policy)
@@ -89,7 +89,7 @@ if(secure_mode_policyload) {
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security
setsecparam;
allow can_setsecparam security_t:dir list_dir_perms;
-allow can_setsecparam security_t:file rw_file_perms;
+allow can_setsecparam security_t:file mmap_rw_file_perms;
allow can_setsecparam security_t:security setsecparam;
auditallow can_setsecparam security_t:security setsecparam;
@@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam)
# use SELinuxfs
allow selinux_unconfined_type security_t:dir list_dir_perms;
-allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type security_t:file mmap_rw_file_perms;
allow selinux_unconfined_type boolean_type:file read_file_perms;
# Access the security API.
