From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH 1/1 v2] grant rpm_t permission to map security_t
Date: Tue, 9 Jul 2019 15:15:38 +0000
Message-ID: <20190709151527.13582-1-dsugar@tresys.com>
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar
---
 policy/modules/admin/rpm.te      |  1 +
 policy/modules/kernel/selinux.if | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 3c5968f9..082052fa 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t)
 selinux_compute_create_context(rpm_t)
 selinux_compute_relabel_context(rpm_t)
 selinux_compute_user_contexts(rpm_t)
+selinux_map_security_files(rpm_t)
 
 storage_raw_write_fixed_disk(rpm_t)
 storage_raw_read_fixed_disk(rpm_t)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..81d8f918 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',`
 	allow $1 security_t:security compute_user;
 ')
 
+########################################
+##
+##	Allows caller to map secuirty_t files.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+
+interface(`selinux_map_security_files',`
+	gen_require(`
+		type security_t;
+	')
+
+	dev_search_sysfs($1)
+	allow $1 security_t:file map;
+')
+
 ########################################
 ##
 ##	Unconfined access to the SELinux kernel security server.
-- 
2.21.0
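Review bot: the commit message pastes the denial but never says what rpm maps or why; the AVC's path="/sys/fs/selinux/status" is the kernel's SELinux status page, which libselinux maps read-only to notice policy reloads and enforcing-mode changes, and that is the access the new line "+selinux_map_security_files(rpm_t)" in rpm.te provides, so state it in the body. A sentence there that "map" grants no read or write by itself would also help the reader: the file still has to be opened, and each mapping is checked for read/write/execute against the security_t:file rules rpm_t already gets from the selinux_compute_* calls directly above the new line. The call sits between selinux_compute_user_contexts(rpm_t) and the blank line before storage_raw_write_fixed_disk(rpm_t), which keeps that block alphabetical.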
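Review bot: typo in the new interface's summary in selinux.if, "+##	Allows caller to map secuirty_t files." should read security_t. Two further points in the same hunk: refpolicy puts "interface(" on the line directly after the closing "#" of the documentation block, so the empty "+" line between "+#" and "+interface(`selinux_map_security_files',`" should be dropped; and because "map" is only usable on a security_t file the caller can already open, the summary should say that this interface supplements an existing read rule (for rpm_t that comes from the selinux_compute_* interfaces) rather than granting access on its own, otherwise a domain that calls only this interface will still hit a read denial. The "dev_search_sysfs($1)" before the allow follows the pattern of this file's other security_t interfaces and is fine.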
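As an added illustration of the operation behind the denial (this is the editor's own example, not code from the patch, from rpm, from libselinux or from refpolicy): the path in the AVC is the kernel's SELinux status page, which libselinux maps read-only with selinux_status_open() so a process can detect policy reloads and enforcing changes without re-reading selinuxfs. The program below does the same mmap, which is the call that triggers the "map" check on security_t:file on top of the "read" check from the open, and reads the page with the seqlock protocol the page uses (the sequence counter is odd while the kernel is updating it). The struct layout is the kernel's version-1 status page; the retry bound, the function names and the stand-alone main are the example's own choices.

```c
/* Editor's example: map /sys/fs/selinux/status read-only and read it.
 * Not part of the patch, rpm, libselinux or refpolicy. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Path taken from the AVC denial above. */
#define SELINUX_STATUS_PATH "/sys/fs/selinux/status"

/* Version-1 status page as published by the kernel (host byte order). */
struct selinux_status {
    uint32_t version;      /* page layout version; only 1 is handled here */
    uint32_t sequence;     /* even = stable, odd = kernel mid-update */
    uint32_t enforcing;    /* 1 enforcing, 0 permissive */
    uint32_t policyload;   /* bumped on every policy load */
    uint32_t deny_unknown; /* handling of unknown classes/permissions */
};

/* Decode a snapshot from a raw buffer (e.g. a copy of the mapped page).
 * Returns 0 on success, 1 if the kernel is mid-update (caller retries),
 * -1 if the buffer is too short or the version is not 1. */
int parse_selinux_status(const unsigned char *buf, size_t len,
                         struct selinux_status *out)
{
    struct selinux_status s;

    if (len < sizeof(s))
        return -1;
    memcpy(&s, buf, sizeof(s));
    if (s.version != 1)
        return -1;
    if (s.sequence & 1)
        return 1;
    *out = s;
    return 0;
}

/* Read one consistent snapshot from a live mapping: note the sequence,
 * copy the fields, accept only if the sequence is even and unchanged.
 * The 1000-attempt bound is arbitrary (example's choice). */
int read_selinux_status(const volatile struct selinux_status *page,
                        struct selinux_status *out)
{
    for (int attempt = 0; attempt < 1000; attempt++) {
        uint32_t seq = page->sequence;
        __sync_synchronize();
        if (seq & 1)
            continue;                     /* update in progress */
        struct selinux_status s;
        s.version = page->version;
        s.enforcing = page->enforcing;
        s.policyload = page->policyload;
        s.deny_unknown = page->deny_unknown;
        __sync_synchronize();
        if (page->sequence != seq)
            continue;                     /* changed under us, retry */
        s.sequence = seq;
        if (s.version != 1)
            return -1;
        *out = s;
        return 0;
    }
    return -1;
}

/* The step that needs security_t:file { read map }: open read-only and
 * mmap PROT_READ. In enforcing mode a missing "map" surfaces here as
 * mmap() failing with EACCES. Returns 0 and fills *out, else -1. */
int map_selinux_status(struct selinux_status *out)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open(SELINUX_STATUS_PATH, O_RDONLY);
    if (fd < 0)
        return -1;
    void *page = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0);
    int saved = errno;
    close(fd);                            /* mapping outlives the fd */
    errno = saved;
    if (page == MAP_FAILED)
        return -1;
    int rc = read_selinux_status((const volatile struct selinux_status *)page, out);
    munmap(page, pagesize);
    return rc;
}

int main(void)
{
    struct selinux_status st;
    if (map_selinux_status(&st) != 0) {
        perror("map " SELINUX_STATUS_PATH);
        return 1;
    }
    printf("enforcing=%u policyload=%u deny_unknown=%u seq=%u\n",
           st.enforcing, st.policyload, st.deny_unknown, st.sequence);
    return 0;
}
```

Run it inside a confined domain on an enforcing host and the mmap() fails with EACCES until that domain has "map" on security_t:file; the open() succeeds as long as the domain already has "read", which is why the patch's interface grants only "map" and relies on an existing read rule.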