Subject: Re: [PATCH 1/1] grant permission to map security_t
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20190702153128.14244-1-dsugar@tresys.com>
From: Chris PeBenito
Date: Mon, 8 Jul 2019 20:34:51 -0400
In-Reply-To: <20190702153128.14244-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/2/19 11:31 AM, Sugar, David wrote:
> I'm seeing the following denial while installing RPMs.
>
> type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
>
> The RedHat targeted policy has the change in this patch. I'm not sure if this is preferred, or
> if it would be better to create a new interface 'selinux_map_security_files' (or similar).

That would be preferred, as this is not a typical behavior.
> Signed-off-by: Dave Sugar > --- > policy/modules/kernel/selinux.if | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if > index 6790e5d0..f0504613 100644 > --- a/policy/modules/kernel/selinux.if > +++ b/policy/modules/kernel/selinux.if > @@ -492,7 +492,7 @@ interface(`selinux_validate_context',` > > dev_search_sysfs($1) > allow $1 security_t:dir list_dir_perms; > - allow $1 security_t:file rw_file_perms; > + allow $1 security_t:file { map rw_file_perms }; > allow $1 security_t:security check_context; > ') > > -- Chris PeBenito
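Review bot: adding `map` to the allow rule inside `selinux_validate_context()` widens the grant to every domain that calls that interface, while the denial quoted above is only for rpm_t on /sys/fs/selinux/status; since, as the reply notes, mapping selinuxfs files is not typical behaviour, keep `allow $1 security_t:file rw_file_perms;` unchanged here and put `map` in a dedicated interface (the `selinux_map_security_files` name proposed in the cover text) that only the rpm policy calls. The commit message should also say which file is being mapped, so the `map` grant on security_t is not misread as a broad mmap permission on selinuxfs.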
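One shape the proposed `selinux_map_security_files` interface could take in policy/modules/kernel/selinux.if, written here as an added example in the style of the hunk above, not code from the thread or from the refpolicy project; the XML summary block, the `gen_require` section and `read_file_perms` are assumed refpolicy conventions, and the interface name is the one David proposed.

```m4
########################################
## <summary>
##	Map files on selinuxfs (e.g. /sys/fs/selinux/status).
##	Kept separate from selinux_validate_context() so that
##	only domains that really mmap selinuxfs files get map.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`selinux_map_security_files',`
	gen_require(`
		type security_t;
	')

	# reach /sys/fs/selinux and list it, as the other selinux_* interfaces do
	dev_search_sysfs($1)
	allow $1 security_t:dir list_dir_perms;

	# map on its own is not enough for a read-only mmap; open/read come with it
	allow $1 security_t:file { map read_file_perms };
')
```

A domain such as rpm_t would then get `selinux_map_security_files(rpm_t)` in its own module (assumed call site) while the existing `selinux_validate_context()` interface stays as it was.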