From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Aug 2013 20:51:44 +0200
Subject: [refpolicy] [PATCH 5/7] Dontaudit access on security_t file system at /sys/fs/selinux
In-Reply-To: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be>
References: <1376765506-28924-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1376765506-28924-6-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Second part of the support of security_t under /sys/fs/selinux - when asked not to audit getting attributes on the selinux file system, have this propagate to the sysfs parts as well.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if | 4 ++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a0a2a0d..2a4a3ca 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3871,6 +3871,24 @@ interface(`dev_getattr_sysfs_fs',`
 allow $1 sysfs_t:filesystem getattr;
 ')
+#######################################
+##
+## Do not audit getting the attributes of sysfs filesystem
+##
+##
+##
+## Domain to dontaudit access from
+##
+##
+##
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
 ########################################
 ##
 ## Search the sysfs directories.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 9623a80..a62ac8f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
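Review bot: The new `dev_dontaudit_getattr_sysfs_fs` interface silences `getattr` denials on `sysfs_t:filesystem`, which is the entire sysfs filesystem object, not only the /sys/fs/selinux mount that the commit message motivates it with; the summary should say so, e.g. `## Do not audit getting the attributes of the sysfs filesystem (the filesystem object as a whole, not files beneath it)`. Since this is a `dontaudit` rule it grants nothing, but it does remove the audit record for every caller domain that uses it, so the wider scope is worth stating where callers will read it. The XML `<summary>`/`<param>` tags that refpolicy interface headers normally carry do not appear in this rendering; that may be an extraction artifact, but it is worth confirming the committed header is well-formed so the interface documentation tooling picks it up.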
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
 # (/selinux) is already a selinuxfs
 dontaudit $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_search_sysfs($1)
+
 # read /proc/filesystems to see if selinuxfs is supported
 # then read /proc/self/mount to see where selinuxfs is mounted
 kernel_dontaudit_read_system_state($1)
-- 
1.8.1.5
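Review bot: The added comment `# Same for /sys/fs/selinux` understates what the two new calls do: `dev_dontaudit_search_sysfs($1)` silences `search` denials on sysfs directories generally, not only the path down to /sys/fs/selinux, so `selinux_dontaudit_get_fs_mount` now hides more than the selinuxfs probe it was written for. Suggest `# Same for /sys/fs/selinux; note this also suppresses search and filesystem-getattr audit on sysfs as a whole` so a policy reviewer reading the interface understands the audit coverage it removes. `dev_dontaudit_search_sysfs` is not introduced by this series as far as the diffstat shows, so it presumably already exists in devices.if; confirm it is present in the base tree the patch is applied to. The body of `selinux_dontaudit_get_fs_mount` begins before this hunk.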