Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3484059ybi;
        Tue, 2 Jul 2019 08:32:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxWb3XCOcBNTz5qVfdo63G8MGAKNolKFunPChaNbCA0M/9gbBS3GiLbHl7TyfegtjCr1IsZ
X-Received: by 2002:a17:902:7247:: with SMTP id c7mr35641490pll.202.1562081524504;
        Tue, 02 Jul 2019 08:32:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562081524; cv=none;
        d=google.com; s=arc-20160816;
        b=RW1P/6MpmwhTrpTyC/ApR6EoGT8zvSyYxQz9Sv4FEr1jIseAn7noN0Ls9IiSnc06AE
         +m9eyYVrzn0diXjidPKwKjq6tpvAUivhFpBO5Xf4qfTtVXELUA4GyJvbcHd8XG1ATy6h
         v12kPCWwE9wEGXV6nKM7cqS7m/QCI5qtkmBzkxT/rkzFaRGBpEw7przh+2zTWzxkhWMD
         7mznjG65MdDxbufqu/9wU4p/KUL8nAqJ2bRYL9g8HJRlSkm08CedBurLhbVnKUTs3TjV
         ggpsKIAsZDXIuabLrVaMrklmdlYiJbGcr9+Pz8Rm7yJskmlztrxzvcOcMm9qaNvre+8P
         QO8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-language:accept-language:message-id:date:thread-index
         :thread-topic:subject:to:from:dkim-signature;
        bh=fL3J0LBNQILvHD+j5NgAfwvDo1ysaFHYgnPb0AGCIQk=;
        b=I/v0+OckkniNLTlFz73EVOk7h2X655EWScoTfJ1y86Ud9WUaXSepLzXDeqkg6iK8PO
         Y+bqPzIJiu7CGY0+7NVWWJD2h5aU8D+JUt0xfPFfu1CjyAJuoewZUq01cwttr3tRb19e
         ZxC/gfd2IJ5YifyKZ9GX/D/uuBrZPt+rzOWz+lLHqFefI4QhqYp4Ti3oZEK2VSCv8rmq
         XkBFswuXYmqXMYH+H//rJwfABViM6X+2dEpqRnuOFK7RzYqzoLS9rdrnt5UEhdKCLTg2
         gWHffysqy1zguEgzWwsDhv0VUEmyUbclMy0KL3/ojNb6m3LIHoUm1A9V3rZQ0AwFcHVg
         /kzw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=DxpXVjPq;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t186si14293703pfb.19.2019.07.02.08.32.02;
        Tue, 02 Jul 2019 08:32:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=DxpXVjPq;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726283AbfGBPcB (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Tue, 2 Jul 2019 11:32:01 -0400
Received: from mail-eopbgr740112.outbound.protection.outlook.com ([40.107.74.112]:28421
        "EHLO NAM01-BN3-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1725972AbfGBPcB (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 2 Jul 2019 11:32:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=fL3J0LBNQILvHD+j5NgAfwvDo1ysaFHYgnPb0AGCIQk=;
 b=DxpXVjPqT++Tuv0+B/09qxfdxAhxOYuVUFzjxo8SalxnSzI097/l4vSVoZK67azvfFNOWvidDGrArbWU5bUVLrHES/Ijq3OQu2so/vWg7flC+C44/ZmJZMI1gDRy3CvAPzR3iqT6irrVPgCoKX1fDjxEGHJuas7QyrDnmqMI5m4=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1346.namprd15.prod.outlook.com (10.172.149.144) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.2032.18; Tue, 2 Jul 2019 15:31:58 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::80fc:6403:1abc:cb23]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::80fc:6403:1abc:cb23%6]) with mapi id 15.20.2032.019; Tue, 2 Jul 2019
 15:31:58 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH 1/1] grant permission to map security_t
Thread-Topic: [PATCH 1/1] grant permission to map security_t
Thread-Index: AQHVMOtJzApjrTLcTkGs6fy+6usUWA==
Date:   Tue, 2 Jul 2019 15:31:58 +0000
Message-ID: <20190702153128.14244-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.244.17.66]
x-clientproxiedby: BN4PR12CA0022.namprd12.prod.outlook.com
 (2603:10b6:403:2::32) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.21.0
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 97ba94c3-2d99-4e22-6bb2-08d6ff026b41
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020);SRVR:BN6PR15MB1346;
x-ms-traffictypediagnostic: BN6PR15MB1346:
x-microsoft-antispam-prvs: <BN6PR15MB134601ECC2C945D0607A532CB9F80@BN6PR15MB1346.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4941;
x-forefront-prvs: 008663486A
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(396003)(376002)(39830400003)(136003)(346002)(366004)(189003)(199004)(66066001)(73956011)(486006)(476003)(99286004)(53936002)(81156014)(71190400001)(256004)(71200400001)(14444005)(386003)(6506007)(2616005)(36756003)(66946007)(6916009)(66556008)(316002)(6512007)(7736002)(66446008)(14454004)(26005)(66476007)(2501003)(50226002)(68736007)(64756008)(2906002)(8936002)(186003)(5640700003)(508600001)(305945005)(52116002)(2351001)(6436002)(3846002)(6116002)(102836004)(1076003)(86362001)(81166006)(8676002)(15650500001)(25786009)(6486002)(5660300002);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1346;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: IPtzJJZmHWfDsR5STM3eGQhYXAWTKLeq85ZtgvUJ9orH991v45bFzHQV//Iu/O/BTjSzbFRieMCrVk8oHaplIheanb+ZRtg0jAAHlAVzpmb0i30DR/pm/BHxgQ+PA33uFn/toMERzvz6ZTfHrhYdL5XtVwihpUwjXcZu3TH29KHbzg0wTeNBaFBYM9yl3mDmYHlA7a7bx4Zr41cJOQl5F8XbwKHuIMdhYRyNsKZR+XYgVmSOlgmVGEHwSizZtziqkNWgvMSAV/L2ySiULJq1YMbjEATAXq+aiO2K2Eqn6qQPf9qpHMtLGenk/QnQyffMRTpejibL4Vm2gvIv/fxlyK5yHhActVPbV+FtejfmICCHc45MJgRswcxZB9A8hMJRwlNrqI43tBgo6WzHPzUx/5BBdriocz0sgSfvuDAAkSk=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 97ba94c3-2d99-4e22-6bb2-08d6ff026b41
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2019 15:31:58.1527
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dsugar@tresys.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1346
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I'm seeing the following denial while installing RPMs. =20

type=3DAVC msg=3Daudit(1560944462.698:217): avc:  denied  { map } for pid=
=3D1265 comm=3D"rpm" path=3D"/sys/fs/selinux/status" dev=3D"selinuxfs" ino=
=3D19 scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Dsystem_u:object_r:se=
curity_t:s0 tclass=3Dfile permissive=3D1

The RedHat targeted policy has the change in this patch.  I'm not sure if t=
his is preferred, or
if it would be better to create a new interface 'selinux_map_security_files=
' (or similar).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/selinux.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selin=
ux.if
index 6790e5d0..f0504613 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -492,7 +492,7 @@ interface(`selinux_validate_context',`
=20
 	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
-	allow $1 security_t:file rw_file_perms;
+	allow $1 security_t:file { map rw_file_perms };
 	allow $1 security_t:security check_context;
 ')
=20
--=20
2.21.0