* [refpolicy] [PATCHv2 1/1] Support semanage permissive mode
@ 2011-09-09 19:36 Sven Vermeulen
From: Sven Vermeulen @ 2011-09-09 19:36 UTC (permalink / raw)
To: refpolicy
The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).
To support this feature, we introduce a semanage_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/selinuxutil.fc | 5 +++++
policy/modules/system/selinuxutil.te | 7 +++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..83848fc 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -43,6 +43,11 @@
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
+# /var/lib
+#
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
+
+#
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
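Review bot: the new `/var/lib/selinux(/.*)?` entry carries no file-type specifier, so every object under that directory, not only the permissive_<domain>.* files the commit message names, is labelled semanage_var_lib_t. That is the intended outcome if semanage is the only writer there, but it is worth confirming that no other module already claims a path under /var/lib/selinux, since a more specific file context entry elsewhere would take precedence over this one and leave a mixed-label tree.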
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 3ac9e80..d842562 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -103,6 +103,9 @@ files_tmp_file(semanage_tmp_t)
type semanage_trans_lock_t;
files_type(semanage_trans_lock_t)
+type semanage_var_lib_t;
+files_type(semanage_var_lib_t)
+
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
@@ -430,6 +433,7 @@ allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:fifo_file rw_fifo_file_perms;
allow semanage_t policy_config_t:file rw_file_perms;
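Review bot: the `allow semanage_t self:fifo_file rw_fifo_file_perms;` line is justified in the commit message only as "needed for the command to work"; a short comment above the rule (or a sentence in the commit message) saying what creates the pipe would let a later policy audit distinguish it from a rule carried over from denial output without analysis. A `self` rule of this kind is low risk, but the reason should still be recorded next to it.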
@@ -437,6 +441,9 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
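Review bot: the two manage_*_pattern rules grant semanage_t full control over semanage_var_lib_t directories and files, but nothing in this hunk adds a file transition for the directory itself. If /var/lib/selinux does not yet exist when semanage first runs and the domain creates it, the new directory inherits the parent's label rather than semanage_var_lib_t, and these rules will not apply until a relabel. Either add `files_var_lib_filetrans(semanage_t, semanage_var_lib_t, dir)` alongside them, or state in the commit message that the directory is expected to be created and labelled at package install time.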
--
1.7.3.4
* [refpolicy] [PATCHv2 1/1] Support semanage permissive mode
@ 2011-09-13 16:50 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2011-09-13 16:50 UTC (permalink / raw)
To: refpolicy
On 09/09/11 15:36, Sven Vermeulen wrote:
> The semanage application supports a "semanage permissive" feature,
> allowing certain domains to be marked for running permissive (rather
> than the entire system).
>
> To support this feature, we introduce a semanage_var_lib_t type for the
> location where semanage will keep its permissive_<domain>.* files, and
> allow semanage_t to work with fifo_files (needed for the command to
> work).
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/system/selinuxutil.fc | 5 +++++
> policy/modules/system/selinuxutil.te | 7 +++++++
> 2 files changed, 12 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
> index 2cc4bda..83848fc 100644
> --- a/policy/modules/system/selinuxutil.fc
> +++ b/policy/modules/system/selinuxutil.fc
> @@ -43,6 +43,11 @@
> /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
>
> #
> +# /var/lib
> +#
> +/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
> +
> +#
> # /var/run
> #
> /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 3ac9e80..d842562 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -103,6 +103,9 @@ files_tmp_file(semanage_tmp_t)
> type semanage_trans_lock_t;
> files_type(semanage_trans_lock_t)
>
> +type semanage_var_lib_t;
> +files_type(semanage_var_lib_t)
> +
> type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
> type setfiles_exec_t alias restorecon_exec_t;
> init_system_domain(setfiles_t, setfiles_exec_t)
> @@ -430,6 +433,7 @@ allow semanage_t self:capability { dac_override audit_write };
> allow semanage_t self:unix_stream_socket create_stream_socket_perms;
> allow semanage_t self:unix_dgram_socket create_socket_perms;
> allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +allow semanage_t self:fifo_file rw_fifo_file_perms;
>
> allow semanage_t policy_config_t:file rw_file_perms;
>
> @@ -437,6 +441,9 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> allow semanage_t semanage_tmp_t:file manage_file_perms;
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
>
> +manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
> +manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
> +
> kernel_read_system_state(semanage_t)
> kernel_read_kernel_sysctls(semanage_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com