diff mbox series

[1/2] selinux: Add map perms

Message ID 20211121203231.3625-1-jason@perfinion.com (mailing list archive)
State New, archived
Headers show
Series [1/2] selinux: Add map perms | expand

Commit Message

Jason Zaman Nov. 21, 2021, 8:32 p.m. UTC 
Lots of libselinux functions now map /sys/fs/selinux/status so add map
perms to other interfaces as well.

$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted

avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policy/modules/kernel/selinux.if | 18 +++++++++---------
 policy/modules/kernel/selinux.te |  8 ++++----
 2 files changed, 13 insertions(+), 13 deletions(-)
diff mbox series

Patch

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 13aa1e052..cb610c449 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -295,7 +295,7 @@  interface(`selinux_get_enforce_mode',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file read_file_perms;
+	allow $1 security_t:file mmap_read_file_perms;
 ')
 
 ########################################
@@ -363,7 +363,7 @@  interface(`selinux_read_policy',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file read_file_perms;
+	allow $1 security_t:file mmap_read_file_perms;
 	allow $1 security_t:security read_policy;
 ')
 
@@ -533,7 +533,7 @@  interface(`selinux_validate_context',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file mmap_rw_file_perms;
 	allow $1 security_t:security check_context;
 ')
 
@@ -554,7 +554,7 @@  interface(`selinux_dontaudit_validate_context',`
 	')
 
 	dontaudit $1 security_t:dir list_dir_perms;
-	dontaudit $1 security_t:file rw_file_perms;
+	dontaudit $1 security_t:file mmap_rw_file_perms;
 	dontaudit $1 security_t:security check_context;
 ')
 
@@ -577,7 +577,7 @@  interface(`selinux_compute_access_vector',`
 	dev_search_sysfs($1)
 	allow $1 self:netlink_selinux_socket create_socket_perms;
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file mmap_rw_file_perms;
 	allow $1 security_t:security compute_av;
 ')
 
@@ -599,7 +599,7 @@  interface(`selinux_compute_create_context',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file mmap_rw_file_perms;
 	allow $1 security_t:security compute_create;
 ')
 
@@ -621,7 +621,7 @@  interface(`selinux_compute_member',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file mmap_rw_file_perms;
 	allow $1 security_t:security compute_member;
 ')
 
@@ -651,7 +651,7 @@  interface(`selinux_compute_relabel_context',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file mmap_rw_file_perms;
 	allow $1 security_t:security compute_relabel;
 ')
 
@@ -672,7 +672,7 @@  interface(`selinux_compute_user_contexts',`
 
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file mmap_rw_file_perms;
 	allow $1 security_t:security compute_user;
 ')
 
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0726fc448..707517e52 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -53,7 +53,7 @@  genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
 neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
 
 allow can_setenforce security_t:dir list_dir_perms;
-allow can_setenforce security_t:file rw_file_perms;
+allow can_setenforce security_t:file mmap_rw_file_perms;
 
 dev_search_sysfs(can_setenforce)
 
@@ -71,7 +71,7 @@  if(secure_mode_policyload) {
 neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
 
 allow can_load_policy security_t:dir list_dir_perms;
-allow can_load_policy security_t:file rw_file_perms;
+allow can_load_policy security_t:file mmap_rw_file_perms;
 
 dev_search_sysfs(can_load_policy)
 
@@ -89,7 +89,7 @@  if(secure_mode_policyload) {
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 
 allow can_setsecparam security_t:dir list_dir_perms;
-allow can_setsecparam security_t:file rw_file_perms;
+allow can_setsecparam security_t:file mmap_rw_file_perms;
 allow can_setsecparam security_t:security setsecparam;
 auditallow can_setsecparam security_t:security setsecparam;
 
@@ -102,7 +102,7 @@  dev_search_sysfs(can_setsecparam)
 
 # use SELinuxfs
 allow selinux_unconfined_type security_t:dir list_dir_perms;
-allow selinux_unconfined_type security_t:file rw_file_perms;
+allow selinux_unconfined_type security_t:file mmap_rw_file_perms;
 allow selinux_unconfined_type boolean_type:file read_file_perms;
 
 # Access the security API.