From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 11 Apr 2014 20:01:42 +0200
Subject: [refpolicy] [PATCH v2 2/2] Dontaudit access on security_t file system at /sys/fs/selinux
In-Reply-To: <1397239302-5665-1-git-send-email-sven.vermeulen@siphos.be>
References: <1397239302-5665-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1397239302-5665-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Second part of the support of security_t under /sys/fs/selinux - when asked not to audit getting attributes on the selinux file system, have this propagate to the sysfs parts as well.

Signed-off-by: Sven Vermeulen
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if | 6 +++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index fb87c76..e9ef456 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3891,6 +3891,24 @@ interface(`dev_getattr_sysfs',`
 ########################################
 ##
+## Do not audit getting the attributes of sysfs filesystem
+##
+##
+##
+## Domain to dontaudit access from
+##
+##
+#
+interface(`dev_dontaudit_getattr_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+##
+## Search the sysfs directories.
 ##
 ##
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 66d4352..9192d23 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
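Review bot: The summary of the new `dev_dontaudit_getattr_sysfs` interface does not state that it only silences the `filesystem` class getattr on sysfs_t (the statfs-style check in `dontaudit $1 sysfs_t:filesystem getattr;`), not getattr on sysfs directories or files, which is what a caller searching for a "getattr sysfs" dontaudit is likely to assume. A summary such as `## Do not audit getting the attributes of the sysfs filesystem (filesystem class only; sysfs directories and files are not covered)` would make the scope explicit, and mirrors the `dev_getattr_sysfs` interface it is placed after. The trailing context of this hunk also looks garbled in this rendering: `+## Search the sysfs directories.` belongs to the existing `dev_search_sysfs` interface and should presumably be a context line, and the XML tags in the doc comment have been stripped, so the line counts in the hunk header cannot be checked here; worth confirming against the original mail.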
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
 # (/selinux) is already a selinuxfs
 dontaudit $1 security_t:filesystem getattr;
+ # Same for /sys/fs/selinux
+ dev_dontaudit_getattr_sysfs($1)
+ dev_dontaudit_search_sysfs($1)
+
 # read /proc/filesystems to see if selinuxfs is supported
 # then read /proc/self/mount to see where selinuxfs is mounted
 kernel_dontaudit_read_system_state($1)
@@ -192,7 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
 dontaudit $1 security_t:filesystem getattr;
- dev_dontaudit_getattr_sysfs_fs($1)
+ dev_dontaudit_getattr_sysfs($1)
 dev_dontaudit_search_sysfs($1)
 ')
--
1.8.3.2
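Review bot: The added `dev_dontaudit_search_sysfs($1)` in `selinux_dontaudit_get_fs_mount` is broader than the "getattr" the surrounding comment describes: it suppresses search denials on every sysfs_t directory for the caller domain, not only on the `/sys` and `/sys/fs` components leading to the selinuxfs mount, so unrelated denials while a caller probes elsewhere under /sys will disappear from the audit log. Presumably the call is needed because reaching `/sys/fs/selinux` requires search on those parent directories; the comment should say so rather than `# Same for /sys/fs/selinux`, for example `# getattr on the /sys/fs/selinux mount and search on the sysfs_t directories leading to it`. The same search dontaudit sits next to the renamed call in the second hunk (`selinux_dontaudit_getattr_fs`), so the scope remark applies there too. Both interfaces start outside the hunk, so I cannot see whether any narrower existing dontaudit is already in place.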