* selinux_getattr patch
@ 2007-03-23 19:13 Daniel J Walsh
2007-04-11 19:45 ` Christopher J. PeBenito
0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2007-03-23 19:13 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
[-- Attachment #1: Type: text/plain, Size: 113 bytes --]
Some apps doing a getattr of all files in / generate avc messages on
/selinux
This patch removes those avc's.
[-- Attachment #2: selinux_getattr.patch --]
[-- Type: text/x-patch, Size: 1674 bytes --]
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-02-27 14:37:10.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/kernel/selinux.if 2007-03-22 15:06:58.000000000 -0400
@@ -51,6 +51,44 @@
########################################
## <summary>
+## Do not audit attempts to get the
+## attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dontaudit $1 security_t:filesystem getattr;
+')
+
+########################################
+## <summary>
+## Allow domain to get the
+## attributes of the selinuxfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_getattr_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search selinuxfs.
## </summary>
## <param name="domain">
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/selinuxutil.if 2007-03-22 15:06:59.000000000 -0400
@@ -616,7 +616,7 @@
gen_require(`
type selinux_config_t;
')
-
+ selinux_dontaudit_getattr_fs($1)
dontaudit $1 selinux_config_t:dir search;
dontaudit $1 selinux_config_t:file { getattr read };
')
@@ -637,6 +637,8 @@
type selinux_config_t;
')
+ selinux_getattr_fs($1)
+
files_search_etc($1)
allow $1 selinux_config_t:dir list_dir_perms;
read_files_pattern($1,selinux_config_t,selinux_config_t)
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: selinux_getattr patch
2007-03-23 19:13 selinux_getattr patch Daniel J Walsh
@ 2007-04-11 19:45 ` Christopher J. PeBenito
2007-04-11 20:20 ` Daniel J Walsh
0 siblings, 1 reply; 3+ messages in thread
From: Christopher J. PeBenito @ 2007-04-11 19:45 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Fri, 2007-03-23 at 15:13 -0400, Daniel J Walsh wrote:
> Some apps doing a getattr of all files in / generate avc messages on
> /selinux
>
> This patch removes those avc's.
This looks more like something to do with the libselinux constructor.
Perhaps we should have interfaces for selinux aware programs, for
allowing and dontauditing the constructor, at least.
>
>
>
>
>
> differences
> between files
> attachment
> (selinux_getattr.patch), "selinux_getattr.patch"
>
> --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-02-27 14:37:10.000000000 -0500
> +++ serefpolicy-2.5.10/policy/modules/kernel/selinux.if 2007-03-22 15:06:58.000000000 -0400
> @@ -51,6 +51,44 @@
>
> ########################################
> ## <summary>
> +## Do not audit attempts to get the
> +## attributes of the selinuxfs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`selinux_dontaudit_getattr_fs',`
> + gen_require(`
> + type security_t;
> + ')
> +
> + dontaudit $1 security_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Allow domain to get the
> +## attributes of the selinuxfs filesystem
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`selinux_getattr_fs',`
> + gen_require(`
> + type security_t;
> + ')
> +
> + allow $1 security_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
> ## Search selinuxfs.
> ## </summary>
> ## <param name="domain">
> --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-01-02 12:57:49.000000000 -0500
> +++ serefpolicy-2.5.10/policy/modules/system/selinuxutil.if 2007-03-22 15:06:59.000000000 -0400
> @@ -616,7 +616,7 @@
> gen_require(`
> type selinux_config_t;
> ')
> -
> + selinux_dontaudit_getattr_fs($1)
> dontaudit $1 selinux_config_t:dir search;
> dontaudit $1 selinux_config_t:file { getattr read };
> ')
> @@ -637,6 +637,8 @@
> type selinux_config_t;
> ')
>
> + selinux_getattr_fs($1)
> +
> files_search_etc($1)
> allow $1 selinux_config_t:dir list_dir_perms;
> read_files_pattern($1,selinux_config_t,selinux_config_t)
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: selinux_getattr patch
2007-04-11 19:45 ` Christopher J. PeBenito
@ 2007-04-11 20:20 ` Daniel J Walsh
0 siblings, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2007-04-11 20:20 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE Linux
Christopher J. PeBenito wrote:
> On Fri, 2007-03-23 at 15:13 -0400, Daniel J Walsh wrote:
>
>> Some apps doing a getattr of all files in / generate avc messages on
>> /selinux
>>
>> This patch removes those avc's.
>>
>
> This looks more like something to do with the libselinux constructor.
> Perhaps we should have interfaces for selinux aware programs, for
> allowing and dontauditing the constructor, at least.
>
>
This works for me.
>>
>>
>>
>> differences
>> between files
>> attachment
>> (selinux_getattr.patch), "selinux_getattr.patch"
>>
>> --- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-02-27 14:37:10.000000000 -0500
>> +++ serefpolicy-2.5.10/policy/modules/kernel/selinux.if 2007-03-22 15:06:58.000000000 -0400
>> @@ -51,6 +51,44 @@
>>
>> ########################################
>> ## <summary>
>> +## Do not audit attempts to get the
>> +## attributes of the selinuxfs filesystem
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain to not audit.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`selinux_dontaudit_getattr_fs',`
>> + gen_require(`
>> + type security_t;
>> + ')
>> +
>> + dontaudit $1 security_t:filesystem getattr;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Allow domain to get the
>> +## attributes of the selinuxfs filesystem
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain to not audit.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`selinux_getattr_fs',`
>> + gen_require(`
>> + type security_t;
>> + ')
>> +
>> + allow $1 security_t:filesystem getattr;
>> +')
>> +
>> +########################################
>> +## <summary>
>> ## Search selinuxfs.
>> ## </summary>
>> ## <param name="domain">
>> --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-01-02 12:57:49.000000000 -0500
>> +++ serefpolicy-2.5.10/policy/modules/system/selinuxutil.if 2007-03-22 15:06:59.000000000 -0400
>> @@ -616,7 +616,7 @@
>> gen_require(`
>> type selinux_config_t;
>> ')
>> -
>> + selinux_dontaudit_getattr_fs($1)
>> dontaudit $1 selinux_config_t:dir search;
>> dontaudit $1 selinux_config_t:file { getattr read };
>> ')
>> @@ -637,6 +637,8 @@
>> type selinux_config_t;
>> ')
>>
>> + selinux_getattr_fs($1)
>> +
>> files_search_etc($1)
>> allow $1 selinux_config_t:dir list_dir_perms;
>> read_files_pattern($1,selinux_config_t,selinux_config_t)
>>
>>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-04-11 20:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-23 19:13 selinux_getattr patch Daniel J Walsh
2007-04-11 19:45 ` Christopher J. PeBenito
2007-04-11 20:20 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.