From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 6 Sep 2011 14:25:55 -0400 Subject: [refpolicy] [PATCH 1/1] Support semanage permissive mode In-Reply-To: <20110904110718.GA2510@siphos.be> References: <20110904110718.GA2510@siphos.be> Message-ID: <4E6665B3.5050904@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/04/11 07:07, Sven Vermeulen wrote: > The semanage application supports a "semanage permissive" feature, > allowing certain domains to be marked for running permissive (rather > than the entire system). > > To support this feature, we introduce a selinux_var_lib_t type for the > location where semanage will keep its permissive_.* files, and > allow semanage_t to work with fifo_files (needed for the command to > work). > > Signed-off-by: Sven Vermeulen > --- > policy/modules/system/selinuxutil.fc | 5 +++++ > policy/modules/system/selinuxutil.te | 8 ++++++++ > 2 files changed, 13 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc > index 2cc4bda..a9abc81 100644 > --- a/policy/modules/system/selinuxutil.fc > +++ b/policy/modules/system/selinuxutil.fc > @@ -43,6 +43,11 @@ > /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) > > # > +# /var/lib > +# > +/var/lib/selinux(/.*)? gen_context(system_u:object_r:selinux_var_lib_t,s0) > + > +# > # /var/run > # > /var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0) > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index 508b206..54cb9ce 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te 
> @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; > type selinux_config_t; > files_type(selinux_config_t) > > +type selinux_var_lib_t; > +files_type(selinux_var_lib_t) > + > type checkpolicy_t, can_write_binary_policy; > type checkpolicy_exec_t; > application_domain(checkpolicy_t, checkpolicy_exec_t) I'd prefer that this be named semanage_var_lib_t instead, as this is a semanage-only data file. Also move the decl down in proper order. > @@ -428,6 +431,7 @@ allow semanage_t self:capability { dac_override audit_write }; > allow semanage_t self:unix_stream_socket create_stream_socket_perms; > allow semanage_t self:unix_dgram_socket create_socket_perms; > allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; > +allow semanage_t self:fifo_file rw_fifo_file_perms; > > allow semanage_t policy_config_t:file rw_file_perms; > > @@ -435,6 +439,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms; > allow semanage_t semanage_tmp_t:file manage_file_perms; > files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) > > +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) > +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) > + > + > kernel_read_system_state(semanage_t) > kernel_read_kernel_sysctls(semanage_t) Please don't add superfluous whitespace. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
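Review bot: the selinuxutil.fc hunk (`@@ -43,6 +43,11 @@`) labels the whole `/var/lib/selinux(/.*)?` tree, so if the type is renamed to `semanage_var_lib_t` as suggested for the .te declaration, this entry must be changed in the same patch or the file context will reference an undeclared type. The commit message only describes `permissive_.*` files being kept there; if other tools are expected to share `/var/lib/selinux`, that is worth stating, since a semanage-private name makes the broader label misleading.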
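Review bot: the commit message for the `@@ -428,6 +431,7 @@` hunk says `allow semanage_t self:fifo_file rw_fifo_file_perms;` is "needed for the command to work" but does not say what creates the pipe (for example a helper process spawned by `semanage permissive`), so please record the denial or the code path in the commit message; a self fifo_file rule with no stated cause is easy to cargo-cult into other domains later.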
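Review bot: the `@@ -435,6 +439,10 @@` hunk grants `manage_dirs_pattern` and `manage_files_pattern` on `selinux_var_lib_t` but adds no file transition, so if semanage creates `/var/lib/selinux` itself (rather than it being pre-labelled by the .fc entry and restorecon), the directory will inherit `var_lib_t` from its parent and the new rules will not apply to it. Consider adding `files_var_lib_filetrans(semanage_t, selinux_var_lib_t, dir)` alongside the manage rules, and confirm that semanage_t already has search access to `/var/lib` so the pattern is reachable.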