* [refpolicy] [PATCH 1/1] Support semanage permissive mode
@ 2011-09-04 11:07 Sven Vermeulen
  2011-09-06 18:25 ` Christopher J. PeBenito
From: Sven Vermeulen @ 2011-09-04 11:07 UTC (permalink / raw)
  To: refpolicy

The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).

To support this feature, we introduce a selinux_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/selinuxutil.fc |    5 +++++
 policy/modules/system/selinuxutil.te |    8 ++++++++
 2 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..a9abc81 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -43,6 +43,11 @@
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #
+# /var/lib
+#
+/var/lib/selinux(/.*)?			gen_context(system_u:object_r:selinux_var_lib_t,s0)
+
+#
 # /var/run
 #
 /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 508b206..54cb9ce 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
 type selinux_config_t;
 files_type(selinux_config_t)
 
+type selinux_var_lib_t;
+files_type(selinux_var_lib_t)
+
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
 application_domain(checkpolicy_t, checkpolicy_exec_t)
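Review bot: The new type selinux_var_lib_t is declared here, but the diffstat shows only selinuxutil.fc and selinuxutil.te touched, so no interface for it is added to selinuxutil.if and no other module can be granted access to this tree except through all-files attribute interfaces. In refpolicy a new private file type is normally paired with at least a search/read interface and, when a non-semanage domain may relabel or back up the directory, a relabel interface; without them any later need from another module has to be patched directly into this file. If the intent is that nothing but semanage_t ever touches the permissive_<domain>.* files, a one-line comment on the declaration, e.g. `# private data of semanage_t; deliberately no interfaces`, would record that decision for the next reader.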
@@ -428,6 +431,7 @@ allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:fifo_file rw_fifo_file_perms;
 
 allow semanage_t policy_config_t:file rw_file_perms;
 
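Review bot: The rule `allow semanage_t self:fifo_file rw_fifo_file_perms;` is justified only by "needed for the command to work" in the commit message, which does not tell a later maintainer which step of the semanage invocation uses the pipe or why read/write on a self-labelled fifo is sufficient (presumably semanage talks to a child it spawns over a pipe, but the patch does not say). A short comment above the rule naming the operation that triggered it, e.g. `# semanage permissive: pipe to its helper process`, would keep the rule auditable when these self permissions are reviewed later. The allow block for semanage_t continues outside this hunk.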
@@ -435,6 +439,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
+
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
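Review bot: semanage_t gets manage rights on selinux_var_lib_t through the two pattern calls, but no file transition into that type, so if /var/lib/selinux does not already exist with the label from the .fc entry (for instance when semanage creates it on first use rather than the package plus a restorecon), the directory semanage_t creates under /var/lib takes the parent's type (var_lib_t in refpolicy) and the permissive_<domain>.* files inherit it, leaving the rules in this hunk unused. A transition alongside the patterns closes that gap, `files_var_lib_filetrans(semanage_t, selinux_var_lib_t, dir)`, and semanage_t additionally needs search access on var_lib_t to reach the tree unless rules outside this hunk already grant it. The semanage_t policy block continues past the end of the hunk.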
-- 
1.7.3.4


* [refpolicy] [PATCH 1/1] Support semanage permissive mode
  2011-09-04 11:07 [refpolicy] [PATCH 1/1] Support semanage permissive mode Sven Vermeulen
@ 2011-09-06 18:25 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2011-09-06 18:25 UTC (permalink / raw)
  To: refpolicy

On 09/04/11 07:07, Sven Vermeulen wrote:
> The semanage application supports a "semanage permissive" feature,
> allowing certain domains to be marked for running permissive (rather
> than the entire system).
> 
> To support this feature, we introduce a selinux_var_lib_t type for the
> location where semanage will keep its permissive_<domain>.* files, and
> allow semanage_t to work with fifo_files (needed for the command to
> work).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/selinuxutil.fc |    5 +++++
>  policy/modules/system/selinuxutil.te |    8 ++++++++
>  2 files changed, 13 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
> index 2cc4bda..a9abc81 100644
> --- a/policy/modules/system/selinuxutil.fc
> +++ b/policy/modules/system/selinuxutil.fc
> @@ -43,6 +43,11 @@
>  /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
>  
>  #
> +# /var/lib
> +#
> +/var/lib/selinux(/.*)?			gen_context(system_u:object_r:selinux_var_lib_t,s0)
> +
> +#
>  # /var/run
>  #
>  /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 508b206..54cb9ce 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
>  type selinux_config_t;
>  files_type(selinux_config_t)
>  
> +type selinux_var_lib_t;
> +files_type(selinux_var_lib_t)
> +
>  type checkpolicy_t, can_write_binary_policy;
>  type checkpolicy_exec_t;
>  application_domain(checkpolicy_t, checkpolicy_exec_t)

I'd prefer that this be named semanage_var_lib_t instead, as this is a semanage-only data file.  Also move the decl down in proper order.

> @@ -428,6 +431,7 @@ allow semanage_t self:capability { dac_override audit_write };
>  allow semanage_t self:unix_stream_socket create_stream_socket_perms;
>  allow semanage_t self:unix_dgram_socket create_socket_perms;
>  allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +allow semanage_t self:fifo_file rw_fifo_file_perms;
>  
>  allow semanage_t policy_config_t:file rw_file_perms;
>  
> @@ -435,6 +439,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
>  allow semanage_t semanage_tmp_t:file manage_file_perms;
>  files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
>  
> +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
> +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
> +
> +
>  kernel_read_system_state(semanage_t)
>  kernel_read_kernel_sysctls(semanage_t)
  
Please don't add superfluous whitespace.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

