From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 4 Apr 2014 16:00:14 -0400 Subject: [refpolicy] [PATCH 4/5] The security_t file system can be at /sys/fs/selinux In-Reply-To: <1395779408-29213-5-git-send-email-sven.vermeulen@siphos.be> References: <1395779408-29213-1-git-send-email-sven.vermeulen@siphos.be> <1395779408-29213-5-git-send-email-sven.vermeulen@siphos.be> Message-ID: <533F0F4E.7000201@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/25/2014 04:30 PM, Sven Vermeulen wrote: > Because it is no longer a top-level file system, we need to enhance some > of the interfaces with the appropriate rights towards sysfs_t. > > First set to allow getattr rights on the file system, which now also > means getattr on the sysfs_t file system as well as search privileges in > sysfs_t. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/kernel/devices.if | 18 ++++++++++++++++++ > policy/modules/kernel/selinux.if | 10 ++++++++++ > 2 files changed, 28 insertions(+) > > diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if > index c2d0f08..b887197 100644 > --- a/policy/modules/kernel/devices.if > +++ b/policy/modules/kernel/devices.if > @@ -3873,6 +3873,24 @@ interface(`dev_getattr_sysfs_dirs',` > > ######################################## > ## > +## Get the attributes of sysfs filesystem > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_getattr_sysfs_fs',` I think if we simplify this to dev_getattr_sysfs(), also the similar change in patch 5, it can be merged. > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:filesystem getattr; > +') > + > +######################################## > +## > ## Search the sysfs directories. > ## > ## > diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if > index 6d0811d..4d654d1 100644 > --- a/policy/modules/kernel/selinux.if > +++ b/policy/modules/kernel/selinux.if 
> @@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',` > # (/selinux) is already a selinuxfs > allow $1 security_t:filesystem getattr; > > + # Same for /sys/fs/selinux > + dev_getattr_sysfs_fs($1) > + dev_search_sysfs($1) > + > # read /proc/filesystems to see if selinuxfs is supported > # then read /proc/self/mount to see where selinuxfs is mounted > kernel_read_system_state($1) > @@ -165,6 +169,9 @@ interface(`selinux_getattr_fs',` > ') > > allow $1 security_t:filesystem getattr; > + > + dev_getattr_sysfs_fs($1) > + dev_search_sysfs($1) > ') > > ######################################## > @@ -184,6 +191,9 @@ interface(`selinux_dontaudit_getattr_fs',` > ') > > dontaudit $1 security_t:filesystem getattr; > + > + dev_dontaudit_getattr_sysfs_fs($1) > + dev_dontaudit_search_sysfs($1) > ') > > ######################################## > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
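Review bot: in the devices.if hunk, the new interface grants only `allow $1 sysfs_t:filesystem getattr;`, yet every caller in selinux.if pairs it with dev_search_sysfs($1), because stat()ing /sys/fs/selinux also needs search on the sysfs_t directories above it; either document that dependency in the interface's summary or fold the search call in, so a future caller does not end up with a getattr-only grant that still fails with a sysfs_t dir search denial.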
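Review bot: in the selinux_get_fs_mount hunk, dev_search_sysfs($1) grants search on every sysfs_t directory, not just the /sys/fs path the comment "# Same for /sys/fs/selinux" refers to; since sysfs carries a single type that is the only way to reach the mount point, but the comment should say so ("search sysfs_t to reach /sys/fs/selinux") so a reader does not assume the access is path-scoped.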
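Review bot: the selinux_dontaudit_getattr_fs hunk calls dev_dontaudit_getattr_sysfs_fs($1), but the diffstat shows devices.if gaining only the 18 lines of dev_getattr_sysfs_fs(); unless the dontaudit counterpart already exists or is added in this same patch, the policy will not build at this point in the series. Add the dontaudit interface to the devices.if hunk here, or reorder the series so its definition lands before this first use.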