From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B33471393EB for ; Mon, 21 Apr 2014 15:25:21 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0EE80E0980; Mon, 21 Apr 2014 15:25:20 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2C2A3E0968 for ; Mon, 21 Apr 2014 15:25:19 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id DED1D33FE2C for ; Mon, 21 Apr 2014 15:25:17 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id 98F6E18181 for ; Mon, 21 Apr 2014 15:25:16 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1398093251.a8e2799f72cad0f2b12ba6d60dfcda183d8bb580.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.if policy/modules/kernel/selinux.if
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: a8e2799f72cad0f2b12ba6d60dfcda183d8bb580
X-VCS-Branch: master
Date: Mon, 21 Apr 2014 15:25:16 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: b2aa467e-7865-4ab4-a933-94e16635a977
X-Archives-Hash: 332027d7189616e5b653136f2be259f8

commit:     a8e2799f72cad0f2b12ba6d60dfcda183d8bb580
Author:     Sven Vermeulen siphos be>
AuthorDate: Fri Apr 11 18:01:41 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Mon Apr 21 15:14:11 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8e2799f

The security_t file system can be at /sys/fs/selinux

Because it is no longer a top-level file system, we need to enhance some of the interfaces with the appropriate rights towards sysfs_t.

First set to allow getattr rights on the file system, which now also means getattr on the sysfs_t file system as well as search privileges in sysfs_t.

Signed-off-by: Sven Vermeulen siphos.be>

---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if |  5 +++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 8c14b43..60a3f46 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## +## Get the attributes of sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem getattr; +') + +######################################## +## ## Search the sysfs directories. ## ## diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index c5b9bd0..31706ac 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -64,7 +64,7 @@ interface(`selinux_get_fs_mount',` allow $1 security_t:filesystem getattr; # Same for /sys/fs/selinux - dev_getattr_sysfs_fs($1) + dev_getattr_sysfs($1) dev_search_sysfs($1) # read /proc/filesystems to see if selinuxfs is supported @@ -173,7 +173,8 @@ interface(`selinux_getattr_fs',` ') allow $1 security_t:filesystem getattr; - dev_getattr_sysfs_fs($1) + + dev_getattr_sysfs($1) dev_search_sysfs($1) ')
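Review bot: in the devices.if hunk the new interface is named `dev_getattr_sysfs`, although both selinux.if call sites it replaces already used `dev_getattr_sysfs_fs`, and the neighbouring `dev_getattr_sysfs_dirs` shows the `dev_<perm>_sysfs_<object>` naming this file follows; defining it as `dev_getattr_sysfs_fs` would match that convention, keep the filesystem-class rule distinguishable from the directory-class one directly above it, and make the two rename hunks in selinux.if unnecessary. The summary line "Get the attributes of sysfs filesystem" could also say explicitly that only `sysfs_t:filesystem getattr` is granted and not directory access, so callers do not confuse it with `dev_getattr_sysfs_dirs`.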
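Review bot: in the `selinux_getattr_fs` hunk the removed `dev_getattr_sysfs_fs($1)` is replaced by an empty line followed by `dev_getattr_sysfs($1)`, which leaves a stray blank between `allow $1 security_t:filesystem getattr;` and the sysfs calls, whereas the `selinux_get_fs_mount` hunk keeps the same pair of calls directly under a `# Same for /sys/fs/selinux` comment; either drop the blank line or carry that comment over so both interfaces document why sysfs_t rights are granted for a security_t lookup.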