2019-07-02 15:32:04

by Sugar, David

[permalink] [raw]
Subject: [PATCH 1/1] grant permission to map security_t

I'm seeing the following denial while installing RPMs.

type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

The RedHat targeted policy has the change in this patch. I'm not sure if this is preferred, or
if it would be better to create a new interface 'selinux_map_security_files' (or similar).

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/kernel/selinux.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..f0504613 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -492,7 +492,7 @@ interface(`selinux_validate_context',`

dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file rw_file_perms;
+ allow $1 security_t:file { map rw_file_perms };
allow $1 security_t:security check_context;
')

--
2.21.0


2019-07-09 00:55:29

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH 1/1] grant permission to map security_t

On 7/2/19 11:31 AM, Sugar, David wrote:
> I'm seeing the following denial while installing RPMs.
>
> type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
>
> The RedHat targeted policy has the change in this patch. I'm not sure if this is preferred, or
> if it would be better to create a new interface 'selinux_map_security_files' (or similar).

That would be preferred, as this is not a typical behavior.


> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/kernel/selinux.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index 6790e5d0..f0504613 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -492,7 +492,7 @@ interface(`selinux_validate_context',`
>
> dev_search_sysfs($1)
> allow $1 security_t:dir list_dir_perms;
> - allow $1 security_t:file rw_file_perms;
> + allow $1 security_t:file { map rw_file_perms };
> allow $1 security_t:security check_context;
> ')
>
>


--
Chris PeBenito