From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 57F4B158086 for ; Sun, 21 Nov 2021 23:02:48 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 85585E08FF; Sun, 21 Nov 2021 23:02:47 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1ABC1E08FF for ; Sun, 21 Nov 2021 23:02:47 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2F824343286 for ; Sun, 21 Nov 2021 23:02:46 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 94ED31BD for ; Sun, 21 Nov 2021 23:02:44 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1637534338.6b169e5b3fea0ec900448db18586475269f21612.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/selinux.if policy/modules/kernel/selinux.te X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 6b169e5b3fea0ec900448db18586475269f21612 X-VCS-Branch: master Date: Sun, 21 Nov 2021 23:02:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 6f2cca23-965f-43c6-ae7a-28dbf5eb3c13 X-Archives-Hash: b20dceb034f70fe3e209bcdc01bf1514 commit: 6b169e5b3fea0ec900448db18586475269f21612 Author: Jason Zaman gentoo org> AuthorDate: Sat Nov 20 22:44:53 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 21 22:38:58 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b selinux: Add map perms Lots of libselinux functions now map /sys/fs/selinux/status so add map perms to other interfaces as well. $ passwd user1 passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed. Aborted avc: denied { map } for pid=325 comm="passwd" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root: sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file permissive=1 Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 18 +++++++++--------- policy/modules/kernel/selinux.te | 8 ++++---- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 13aa1e05..cb610c44 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + allow $1 security_t:file mmap_read_file_perms; ') ######################################## @@ -363,7 +363,7 @@ interface(`selinux_read_policy',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + allow $1 security_t:file mmap_read_file_perms; allow $1 security_t:security read_policy; ') @@ -533,7 +533,7 @@ interface(`selinux_validate_context',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security check_context; ') @@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',` ') dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; + dontaudit $1 security_t:file mmap_rw_file_perms; dontaudit $1 security_t:security check_context; ') @@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',` dev_search_sysfs($1) allow $1 self:netlink_selinux_socket create_socket_perms; allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_av; ') @@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_create; ') @@ -621,7 +621,7 @@ interface(`selinux_compute_member',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_member; ') @@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_relabel; ') @@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_user; ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 0726fc44..707517e5 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0) neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; allow can_setenforce security_t:dir list_dir_perms; -allow can_setenforce security_t:file rw_file_perms; +allow can_setenforce security_t:file mmap_rw_file_perms; dev_search_sysfs(can_setenforce) @@ -71,7 +71,7 @@ if(secure_mode_policyload) { neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; allow can_load_policy security_t:dir list_dir_perms; -allow can_load_policy security_t:file rw_file_perms; +allow can_load_policy security_t:file mmap_rw_file_perms; dev_search_sysfs(can_load_policy) @@ -89,7 +89,7 @@ if(secure_mode_policyload) { neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; allow can_setsecparam security_t:dir list_dir_perms; -allow can_setsecparam security_t:file rw_file_perms; +allow can_setsecparam security_t:file mmap_rw_file_perms; allow can_setsecparam security_t:security setsecparam; auditallow can_setsecparam security_t:security setsecparam; @@ -102,7 +102,7 @@ dev_search_sysfs(can_setsecparam) # use SELinuxfs allow selinux_unconfined_type security_t:dir list_dir_perms; -allow selinux_unconfined_type security_t:file rw_file_perms; +allow selinux_unconfined_type security_t:file mmap_rw_file_perms; allow selinux_unconfined_type boolean_type:file read_file_perms; # Access the security API.