2019-07-09 15:17:57

by Sugar, David

Subject: [PATCH 1/1 v2] grant rpm_t permission to map security_t

type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/rpm.te | 1 +
policy/modules/kernel/selinux.if | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 3c5968f9..082052fa 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t)
selinux_compute_create_context(rpm_t)
selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
+selinux_map_security_files(rpm_t)

storage_raw_write_fixed_disk(rpm_t)
storage_raw_read_fixed_disk(rpm_t)
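Review bot: the commit message should state that the denial is for mapping /sys/fs/selinux/status (the selinuxfs status page in the AVC) rather than only pasting the AVC line, and should note that `selinux_map_security_files(rpm_t)` grants `map` on every security_t file, which is wider than the single path in the denial; the placement after the `selinux_compute_*` calls keeps the grouping in this block consistent.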
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..81d8f918 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',`
allow $1 security_t:security compute_user;
')

+########################################
+## <summary>
+## Allows caller to map secuirty_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+interface(`selinux_map_security_files',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dev_search_sysfs($1)
+ allow $1 security_t:file map;
+')
+
########################################
## <summary>
## Unconfined access to the SELinux kernel security server.
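Review bot: typo in the new interface's summary: `## Allows caller to map secuirty_t files.` should read `security_t`. Style point: the blank line between `#` and `interface(`selinux_map_security_files',`` breaks the layout of the neighbouring interfaces, where `#` is immediately followed by the `interface(` line. The summary should also say that only `map` is granted here and that the caller needs read access to security_t files from another interface; the AVC in this patch was logged with permissive=1 and shows only `map` denied, so rpm_t already has that, but other callers may not.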
--
2.21.0


2019-07-13 18:12:25

by Chris PeBenito

Subject: Re: [PATCH 1/1 v2] grant rpm_t permission to map security_t

On 7/9/19 11:15 AM, Sugar, David wrote:
> type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
>
> v2 - Create new interface to allow mapping security_t and use this interface by rpm_t
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/rpm.te | 1 +
> policy/modules/kernel/selinux.if | 20 ++++++++++++++++++++
> 2 files changed, 21 insertions(+)
>
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 3c5968f9..082052fa 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t)
> selinux_compute_create_context(rpm_t)
> selinux_compute_relabel_context(rpm_t)
> selinux_compute_user_contexts(rpm_t)
> +selinux_map_security_files(rpm_t)
>
> storage_raw_write_fixed_disk(rpm_t)
> storage_raw_read_fixed_disk(rpm_t)
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index 6790e5d0..81d8f918 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',`
> allow $1 security_t:security compute_user;
> ')
>
> +########################################
> +## <summary>
> +## Allows caller to map secuirty_t files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +
> +interface(`selinux_map_security_files',`
> + gen_require(`
> + type security_t;
> + ')
> +
> + dev_search_sysfs($1)
> + allow $1 security_t:file map;
> +')
> +
> ########################################
> ## <summary>
> ## Unconfined access to the SELinux kernel security server.

Merged.

--
Chris PeBenito