From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH 1/1] grant permission to map security_t
Date: Tue, 2 Jul 2019 15:31:58 +0000
Message-ID: <20190702153128.14244-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I'm seeing the following denial while installing RPMs.

type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

The RedHat targeted policy has the change in this patch. I'm not sure if this is preferred, or if it would be better to create a new interface 'selinux_map_security_files' (or similar).

Signed-off-by: Dave Sugar
---
 policy/modules/kernel/selinux.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selin= ux.if index 6790e5d0..f0504613 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -492,7 +492,7 @@ interface(`selinux_validate_context',` =20 dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file { map rw_file_perms }; allow $1 security_t:security check_context; ') =20 --=20 2.21.0
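
Review bot: Adding `map` to the `allow $1 security_t:file` rule in `selinux_validate_context` grants it to every domain that calls this interface, while the denial in the message concerns only rpm_t mapping /sys/fs/selinux/status. A separate interface, such as the `selinux_map_security_files` the message proposes, would keep the grant limited to the domains that actually need to map these files. If the change stays in this interface, the interface's documentation comment (not shown in this hunk) should mention that callers can also memory-map security_t files, since the name only suggests context validation. The quoted AVC was logged with permissive=1, so it is worth confirming in enforcing mode that `map` is the only permission rpm_t is missing here.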