2014-04-11 18:01:40

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/2] /sys/fs/selinux support


Allow policies to handle selinuxfs at /sys/fs/selinux

Changes since v1
----------------

- Renamed interface to dev_getattr_sysfs instead of dev_getattr_sysfs_fs
- Renamed interface to dev_dontaudit_getattr_sysfs instead of dev_dontaudit_getattr_sysfs_fs

Sven Vermeulen (2):
The security_t file system can be at /sys/fs/selinux
Dontaudit access on security_t file system at /sys/fs/selinux

policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/selinux.if | 14 ++++++++++++++
2 files changed, 50 insertions(+)

--
1.8.3.2


2014-04-11 18:01:41

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/2] The security_t file system can be at /sys/fs/selinux

Because it is no longer a top-level file system, we need to enhance some
of the interfaces with the appropriate rights towards sysfs_t.

First set to allow getattr rights on the file system, which now also
means getattr on the sysfs_t file system as well as search privileges in
sysfs_t.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 10 ++++++++++
2 files changed, 28 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c2d0f08..fb87c76 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',`

########################################
## <summary>
+## Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
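Review bot: The summary line of the new dev_getattr_sysfs doc block, "Get the attributes of sysfs filesystem", is missing the article and the trailing period that the neighbouring "Search the sysfs directories." summary has; suggest "Get the attributes of the sysfs filesystem." Since the interface sits next to dev_getattr_sysfs_dirs and no longer carries an _fs suffix, it would also help if the summary said explicitly that the grant is getattr on the filesystem object (sysfs_t:filesystem), not on files or directories.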
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6d0811d..66d4352 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
# (/selinux) is already a selinuxfs
allow $1 security_t:filesystem getattr;

+ # Same for /sys/fs/selinux
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_read_system_state($1)
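Review bot: In selinux_get_fs_mount the comment "# Same for /sys/fs/selinux" does not say why sysfs access is being granted; a reader has to go to the commit message to learn that selinuxfs is no longer a top-level file system. Suggest a comment stating that reaching /sys/fs/selinux needs search on the sysfs directories, and please confirm that getattr on the sysfs_t filesystem is actually required for this lookup rather than search alone, so the interface grants no more than the mount detection needs.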
@@ -165,6 +169,9 @@ interface(`selinux_getattr_fs',`
')

allow $1 security_t:filesystem getattr;
+
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
')

########################################
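Review bot: selinux_getattr_fs now gives every caller getattr on the sysfs filesystem and search on the sysfs directories, but unlike the selinux_get_fs_mount hunk the two added calls carry no comment. Suggest putting the same "/sys/fs/selinux" comment above dev_getattr_sysfs($1) and mentioning the sysfs access in the interface's doc summary, since the interface name only speaks of the selinux filesystem.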
@@ -184,6 +191,9 @@ interface(`selinux_dontaudit_getattr_fs',`
')

dontaudit $1 security_t:filesystem getattr;
+
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
')

########################################
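Review bot: In selinux_dontaudit_getattr_fs the added call dev_dontaudit_getattr_sysfs_fs($1) still uses the v1 interface name, and this patch's devices.if hunk adds only dev_getattr_sysfs, so 1/2 applied on its own calls an interface that nothing in this series defines. 2/2 both adds dev_dontaudit_getattr_sysfs and renames this call; suggest moving these two dontaudit lines into 2/2 so that each patch builds by itself and the series stays bisectable.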
--
1.8.3.2

2014-04-11 18:01:42

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/2] Dontaudit access on security_t file system at /sys/fs/selinux

Second part of the support of security_t under /sys/fs/selinux - when
asked not to audit getting attributes on the selinux file system, have
this propagate to the sysfs parts as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/selinux.if | 6 +++++-
2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fb87c76..e9ef456 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3891,6 +3891,24 @@ interface(`dev_getattr_sysfs',`

########################################
## <summary>
+## Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to dontaudit access from
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
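Review bot: The doc block for dev_dontaudit_getattr_sysfs drops the trailing periods in "Do not audit getting the attributes of sysfs filesystem" and "Domain to dontaudit access from", whereas 1/2 writes "Domain allowed access." and the adjacent summary reads "Search the sysfs directories." Suggest ending both sentences with a period and writing "the sysfs filesystem".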
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 66d4352..9192d23 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
# (/selinux) is already a selinuxfs
dontaudit $1 security_t:filesystem getattr;

+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs($1)
+ dev_dontaudit_search_sysfs($1)
+
# read /proc/filesystems to see if selinuxfs is supported
# then read /proc/self/mount to see where selinuxfs is mounted
kernel_dontaudit_read_system_state($1)
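Review bot: dev_dontaudit_search_sysfs($1) in selinux_dontaudit_get_fs_mount is not limited to the /sys/fs/selinux lookup that the comment mentions. Going by the interface name it silences search denials on sysfs directories for the calling domain in general, which can hide unrelated sysfs denials when that domain is debugged later. Suggest extending the comment to say that callers of this interface also get sysfs search and sysfs filesystem getattr quieted, so the wider dontaudit is a visible, deliberate choice.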
@@ -192,7 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`

dontaudit $1 security_t:filesystem getattr;

- dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_getattr_sysfs($1)
dev_dontaudit_search_sysfs($1)
')

--
1.8.3.2

2014-04-21 12:41:54

by cpebenito

Subject: [refpolicy] [PATCH v2 0/2] /sys/fs/selinux support

On 04/11/2014 02:01 PM, Sven Vermeulen wrote:
>
> Allow policies to handle selinuxfs at /sys/fs/selinux
>
> Changes since v1
> ----------------
>
> - Renamed interface to dev_getattr_sysfs instead of dev_getattr_sysfs_fs
> - Renamed interface to dev_dontaudit_getattr_sysfs instead of dev_dontaudit_getattr_sysfs_fs
>
> Sven Vermeulen (2):
> The security_t file system can be at /sys/fs/selinux
> Dontaudit access on security_t file system at /sys/fs/selinux
>
> policy/modules/kernel/devices.if | 36 ++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/selinux.if | 14 ++++++++++++++
> 2 files changed, 50 insertions(+)

This set is merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com