From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1398093411.49a43dd34f9a50207ae012a26f3fe941a66ebdbc.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/devices.if policy/modules/kernel/selinux.if
X-VCS-Directories: policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 49a43dd34f9a50207ae012a26f3fe941a66ebdbc
X-VCS-Branch: master
Date: Mon, 21 Apr 2014 15:25:16 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 6a9eaec5-c1ba-4b96-8b4c-f3232c22c90d
X-Archives-Hash: 45d800ede64330af4b754f21437ee5e7

commit:     49a43dd34f9a50207ae012a26f3fe941a66ebdbc
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 11 18:01:42 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:16:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=49a43dd3

Dontaudit access on security_t file system at /sys/fs/selinux

Second part of the support of security_t under /sys/fs/selinux - when asked not to audit getting attributes on the selinux file system, have this propagate to the sysfs parts as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/selinux.if | 4 ++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 60a3f46..1ae060c 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3891,6 +3891,24 @@ interface(`dev_getattr_sysfs',` ######################################## ## <summary> +## Do not audit getting the attributes of sysfs filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain to dontaudit access from +## </summary> +## </param> +# +interface(`dev_dontaudit_getattr_sysfs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:filesystem getattr; +') + +######################################## +## <summary> ## Search the sysfs directories. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 31706ac..9192d23 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -94,7 +94,7 @@ interface(`selinux_dontaudit_get_fs_mount',` dontaudit $1 security_t:filesystem getattr; # Same for /sys/fs/selinux - dev_dontaudit_getattr_sysfs_fs($1) + dev_dontaudit_getattr_sysfs($1) dev_dontaudit_search_sysfs($1) # read /proc/filesystems to see if selinuxfs is supported @@ -196,7 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',` dontaudit $1 security_t:filesystem getattr; - dev_dontaudit_getattr_sysfs_fs($1) + dev_dontaudit_getattr_sysfs($1) dev_dontaudit_search_sysfs($1) ')
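Review bot: In the devices.if hunk, the summary of the new `dev_dontaudit_getattr_sysfs` interface reads "Do not audit getting the attributes of sysfs filesystem"; the usual refpolicy phrasing for dontaudit interfaces is "Do not audit attempts to get the attributes of the sysfs filesystem", and matching it keeps the generated interface documentation consistent. The body, `dontaudit $1 sysfs_t:filesystem getattr;`, is the correct dontaudit counterpart of the `dev_getattr_sysfs` interface it is placed after.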
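Review bot: In the first selinux.if hunk, the removed line `dev_dontaudit_getattr_sysfs_fs($1)` in `selinux_dontaudit_get_fs_mount` referenced an interface that devices.if did not define, so the tree between the "first part" commit and this one would not build (undefined m4 macro); landing the interface definition together with its call sites, or the definition first, would keep the history bisectable. With the rename to `dev_dontaudit_getattr_sysfs($1)` the call now resolves to the interface added in devices.if.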
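Review bot: In the second selinux.if hunk, the documentation of `selinux_dontaudit_getattr_fs` should state that the interface now also suppresses `getattr` on the `sysfs_t` filesystem as a whole, not only on `/sys/fs/selinux`, since the dontaudit in `dev_dontaudit_getattr_sysfs` is keyed on the filesystem type rather than on a path; together with the existing `dev_dontaudit_search_sysfs($1)` line this means a statfs-style denial on sysfs from a caller domain will no longer appear in the audit log, which anyone relying on AVC denials for monitoring should be able to read from the interface description. The `# Same for /sys/fs/selinux` comment used in the first hunk would be worth repeating here for the same reason.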