2017-09-11 06:40:50

by Mira Ressel

Subject: [refpolicy] [PATCH 1/4] libraries: ldconfig maps its "aux-cache" during cache updates

---
policy/modules/system/libraries.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 1476641b..a44eb02e 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -60,6 +60,7 @@ optional_policy(`
allow ldconfig_t self:capability { dac_override sys_chroot };

manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
+allow ldconfig_t ldconfig_cache_t:file map;

allow ldconfig_t ld_so_cache_t:file manage_file_perms;
files_etc_filetrans(ldconfig_t, ld_so_cache_t, file)
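Review bot: The new `allow ldconfig_t ldconfig_cache_t:file map;` rule carries no comment, so the only record of why a separate map permission is needed on top of manage_files_pattern() is the patch subject, which is lost once the rule lands in libraries.te. A one-line comment above the rule, `# ldconfig mmap()s its aux-cache while rebuilding it`, would keep the rationale in the policy file. The enclosing ldconfig_t policy block continues outside the hunk.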
--
2.14.1


2017-09-11 06:40:51

by Mira Ressel

Subject: [refpolicy] [PATCH 2/4] userdomain: Add various interfaces granting the map permission

---
policy/modules/system/userdomain.if | 54 +++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 06783cfe..78e821eb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1891,6 +1891,24 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
dontaudit $1 user_home_t:file setattr_file_perms;
')

+########################################
+## <summary>
+## Map user home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_map_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ allow $1 user_home_t:file map;
+')
+
########################################
## <summary>
## Mmap user home files.
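Review bot: The new interface's summary "Map user home files." sits directly above an existing interface whose summary is "Mmap user home files.", so the two read as near-duplicates even though this one grants only the `map` permission and not the mmap file permission set. Making the summary explicit, `## Map user home files (map permission only).`, would tell callers which one they need; the same wording issue applies to the two sibling hunks adding userdom_map_user_tmp_files and userdom_map_user_tmpfs_files. These three interfaces also lack the `## <infoflow type="read" weight="10"/>` element that files_map_usr_files in the next patch of this series carries, so the interface documentation is inconsistent across the series.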
@@ -2516,6 +2534,24 @@ interface(`userdom_read_user_tmp_files',`
userdom_search_user_runtime($1)
')

+########################################
+## <summary>
+## Map user temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_map_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file map;
+')
+
########################################
## <summary>
## Do not audit attempts to read users
@@ -2787,6 +2823,24 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')

+########################################
+## <summary>
+## Map user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_map_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:file map;
+')
+
########################################
## <summary>
## Read user tmpfs files.
--
2.14.1

2017-09-11 06:40:52

by Mira Ressel

Subject: [refpolicy] [PATCH 3/4] files: Create files_map_usr_files interface

---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 1b10d466..72097584 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4838,6 +4838,25 @@ interface(`files_getattr_usr_files',`
getattr_files_pattern($1, usr_t, usr_t)
')

+########################################
+## <summary>
+## Map generic files in /usr.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_map_usr_files',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:file map;
+')
+
########################################
## <summary>
## Read generic files in /usr.
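Review bot: files_map_usr_files grants `map` alone, so a domain calling only this interface still cannot open the files it maps; the summary does not say so, and a caller could reasonably assume map implies read. Suggest extending the summary to `## Map generic files in /usr. Callers that also need to read them must use files_read_usr_files().`, which matches how the series pairs the two calls for semanage_t.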
--
2.14.1

2017-09-11 06:40:53

by Mira Ressel

Subject: [refpolicy] [PATCH 4/4] selinuxutil: Add map permissions neccessary for semanage

---
policy/modules/system/selinuxutil.if | 2 ++
policy/modules/system/selinuxutil.te | 3 +++
2 files changed, 5 insertions(+)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 34c0b465..20024993 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1043,6 +1043,7 @@ interface(`seutil_read_module_store',`
list_dirs_pattern($1, selinux_config_t, semanage_store_t)
list_dirs_pattern($1, semanage_store_t, semanage_store_t)
read_files_pattern($1, semanage_store_t, semanage_store_t)
+ allow $1 semanage_store_t:file map;
read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
')
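Review bot: Adding `allow $1 semanage_store_t:file map;` inside seutil_read_module_store widens every existing caller of that interface, not just semanage_t, and the same applies to the seutil_manage_module_store hunk below. If only semanage needs to map the module store, a direct rule in selinuxutil.te or a dedicated interface would keep the grant narrower; if all readers of the store genuinely need map (plausible when the store is mmap()ed by libsemanage, but not shown here), the interface summaries should say that map is now included. As a style point, the new line splits the read_files_pattern()/read_lnk_files_pattern() pair; placing it after the lnk pattern keeps the pattern calls grouped.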

@@ -1067,6 +1068,7 @@ interface(`seutil_manage_module_store',`
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
+ allow $1 semanage_store_t:file map;
manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
')

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ebf72de8..23b6fc70 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -500,6 +500,7 @@ domain_use_interactive_fds(semanage_t)

files_read_etc_files(semanage_t)
files_read_etc_runtime_files(semanage_t)
+files_map_usr_files(semanage_t)
files_read_usr_files(semanage_t)
files_list_pids(semanage_t)

@@ -536,7 +537,9 @@ seutil_manage_default_contexts(semanage_t)

# Handle pp files created in homedir and /tmp
userdom_read_user_home_content_files(semanage_t)
+userdom_map_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
+userdom_map_user_tmp_files(semanage_t)

ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
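Review bot: semanage_t is given map on user home content and user tmp files here, but userdom_map_user_tmpfs_files, added in patch 2 of this series, is not called anywhere in the series as shown; either a caller is missing from this hunk or the tmpfs interface is unused. The existing comment `# Handle pp files created in homedir and /tmp` still describes the block accurately, but if tmpfs files are also expected the comment and the calls should both be extended. The enclosing semanage_t policy block continues outside the hunk.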
--
2.14.1