[refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux

All of lore.kernel.org
 help / color / mirror / Atom feed

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux
Date: Fri, 4 Apr 2014 16:00:14 -0400	[thread overview]
Message-ID: <533F0F4E.7000201@tresys.com> (raw)
In-Reply-To: <1395779408-29213-5-git-send-email-sven.vermeulen@siphos.be>

On 03/25/2014 04:30 PM, Sven Vermeulen wrote:
> Because it is no longer a top-level file system, we need to enhance some
> of the interfaces with the appropriate rights towards sysfs_t.
> 
> First set to allow getattr rights on the file system, which now also
> means getattr on the sysfs_t file system as well as search privileges in
> sysfs_t.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/devices.if | 18 ++++++++++++++++++
>  policy/modules/kernel/selinux.if | 10 ++++++++++
>  2 files changed, 28 insertions(+)
> 
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index c2d0f08..b887197 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Get the attributes of sysfs filesystem
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_getattr_sysfs_fs',`

I think if we simplify this to dev_getattr_sysfs(), also the similar change in patch 5, it can be merged.


> +	gen_require(`
> +		type sysfs_t;
> +	')
> +
> +	allow $1 sysfs_t:filesystem getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Search the sysfs directories.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index 6d0811d..4d654d1 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
>  	# (/selinux) is already a selinuxfs
>  	allow $1 security_t:filesystem getattr;
>  
> +	# Same for /sys/fs/selinux
> +	dev_getattr_sysfs_fs($1)
> +	dev_search_sysfs($1)
> +
>  	# read /proc/filesystems to see if selinuxfs is supported
>  	# then read /proc/self/mount to see where selinuxfs is mounted
>  	kernel_read_system_state($1)
> @@ -165,6 +169,9 @@ interface(`selinux_getattr_fs',`
>  	')
>  
>  	allow $1 security_t:filesystem getattr;
> +
> +	dev_getattr_sysfs_fs($1)
> +	dev_search_sysfs($1)
>  ')
>  
>  ########################################
> @@ -184,6 +191,9 @@ interface(`selinux_dontaudit_getattr_fs',`
>  	')
>  
>  	dontaudit $1 security_t:filesystem getattr;
> +
> +	dev_dontaudit_getattr_sysfs_fs($1)
> +	dev_dontaudit_search_sysfs($1)
>  ')
>  
>  ########################################
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

next prev parent reply	other threads:[~2014-04-04 20:00 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-25 20:30 [refpolicy] [PATCH 0/5] Upstreaming Gentoo policy updates Sven Vermeulen
2014-03-25 20:30 ` [refpolicy] [PATCH 1/5] Hide getattr denials upon sudo invocation Sven Vermeulen
2014-04-04 20:09   ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 2/5] Fix avc_context_to_raw assertion (avc_running) failure upon running groupadd or useradd Sven Vermeulen
2014-04-04 20:07   ` Christopher J. PeBenito
2014-04-09 16:52     ` Sven Vermeulen
2014-04-11 12:57       ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 3/5] Support /sys/devices/system/cpu/online Sven Vermeulen
2014-04-04 20:09   ` Christopher J. PeBenito
2014-03-25 20:30 ` [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux Sven Vermeulen
2014-04-04 20:00   ` Christopher J. PeBenito [this message]
2014-03-25 20:30 ` [refpolicy] [PATCH 5/5] Dontaudit access on security_t file system " Sven Vermeulen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=533F0F4E.7000201@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.