From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 25 Mar 2014 21:30:08 +0100 Subject: [refpolicy] [PATCH 5/5] Dontaudit access on security_t file system at /sys/fs/selinux In-Reply-To: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1395779408-29213-6-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Second part of the support of security_t under /sys/fs/selinux - when asked not to audit getting attributes on the selinux file system, have this propagate to the sysfs parts as well. Signed-off-by: Sven Vermeulen --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/selinux.if | 4 ++++ 2 files changed, 22 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index b887197..6a6d284 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3891,6 +3891,24 @@ interface(`dev_getattr_sysfs_fs',` ######################################## ## +## Do not audit getting the attributes of sysfs filesystem +## +## +## +## Domain to dontaudit access from +## +## +# +interface(`dev_dontaudit_getattr_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:filesystem getattr; +') + +######################################## +## ## Search the sysfs directories. ## ## diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 4d654d1..e76b650 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if 
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',` # (/selinux) is already a selinuxfs dontaudit $1 security_t:filesystem getattr; + # Same for /sys/fs/selinux + dev_dontaudit_getattr_sysfs_fs($1) + dev_dontaudit_search_sysfs($1) + # read /proc/filesystems to see if selinuxfs is supported # then read /proc/self/mount to see where selinuxfs is mounted kernel_dontaudit_read_system_state($1) -- 1.8.3.2
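Review bot: in the devices.if hunk, `dontaudit $1 sysfs_t:filesystem getattr;` silences the denial for the whole sysfs filesystem, not just the selinuxfs mount under /sys/fs/selinux, so any domain given this interface also loses audit records for unrelated getattr calls on sysfs; the summary "Do not audit getting the attributes of sysfs filesystem" is accurate, but the commit message should state that widening so reviewers of later callers know what visibility is traded away. Placement directly after dev_getattr_sysfs_fs with the same summary and parameter wording follows the file's pairing convention and is fine as is.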
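Review bot: the selinux.if hunk calls `dev_dontaudit_search_sysfs($1)`, which this patch does not add; confirm that interface already exists in devices.if, otherwise any module using selinux_dontaudit_get_fs_mount will fail to build. The comment `# Same for /sys/fs/selinux` should also say what the two calls cover, mirroring the preceding comment about /selinux already being a selinuxfs, for example `# /sys/fs/selinux: the sysfs search and getattr that precede the selinuxfs getattr`, so the next reader does not have to open devices.if to see why a search dontaudit is paired with a getattr one.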