From: gentoo+selinux@lerya.net (Vincent Brillault)
Date: Sat, 2 Aug 2014 20:35:35 +0200
Subject: [refpolicy] [PATCH 1/2] Allow all domains to read /proc/sys/vm/overcommit_memory
In-Reply-To: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
References: <1407004536-2301-1-git-send-email-gentoo+selinux@lerya.net>
Message-ID: <1407004536-2301-2-git-send-email-gentoo+selinux@lerya.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Vincent Brillault

glibc malloc read this file since commit 9fab36eb (https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb)
Patch adapted from commit 343c0887514718387f36ee8ead2b941ba9bfb894 on fedora selinux-policy made by Dan Walsh
---
 policy/modules/kernel/domain.te | 4 +++
 policy/modules/kernel/kernel.if | 57 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te | 4 +++
 3 files changed, 65 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 4af7dbd..b95c75d 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -99,6 +99,10 @@ allow domain self:process { fork sigchld };
 # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
 dev_read_cpu_online(domain)
 
+# glibc malloc requires access to /proc/sys/vm/overcommit_memory
+# see https://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb
+kernel_read_vm_overcommit_sysctls(domain)
+
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 18cef42..122d560 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
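Review bot: The comment above the new `kernel_read_vm_overcommit_sysctls(domain)` call in domain.te says "requires access", but the interface it calls only grants read; it should say so, in the same form as the get_nprocs comment two lines above it: `# glibc malloc requires read access to /proc/sys/vm/overcommit_memory`. Granting this on the domain attribute means every confined domain receives the permission, which is reasonable for read-only access to a single sysctl file, and the separate type keeps the grant from widening to the rest of /proc/sys/vm.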
@@ -3209,3 +3209,60 @@ interface(`kernel_unconfined',`
 typeattribute $1 kern_unconfined;
 kernel_load_module($1)
 ')
+
+########################################
+##
+## Allow caller to search virtual memory overcommit sysctls.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_search_vm_overcommit_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+ ')
+
+ search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+')
+
+########################################
+##
+## Allow caller to read virtual memory overcommit sysctls.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_read_vm_overcommit_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+ ')
+
+ read_files_pattern($1, { proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+')
+
+########################################
+##
+## Read and write virtual memory overcommit sysctls.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`kernel_rw_vm_overcommit_sysctls',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_vm_overcommit_t;
+ ')
+
+ rw_files_pattern($1 ,{ proc_t sysctl_t sysctl_vm_overcommit_t }, sysctl_vm_overcommit_t)
+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_overcommit_t)
+')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d6da7f..ca50f10 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
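Review bot: The directory set in `kernel_read_vm_overcommit_sysctls` is `{ proc_t sysctl_t sysctl_vm_overcommit_t }`, which omits sysctl_vm_t, the type kernel.te assigns to /proc/sys/vm, and instead names the file type of overcommit_memory itself; a caller therefore gets search on the file type but not on the directory it must traverse, so a plain read of /proc/sys/vm/overcommit_memory should be denied on the sysctl_vm_t search unless the caller already holds it from elsewhere. The require and the pattern should read `type proc_t, sysctl_t, sysctl_vm_t, sysctl_vm_overcommit_t;` and `read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_overcommit_t)`. The same directory set is used in `kernel_search_vm_overcommit_sysctl` and `kernel_rw_vm_overcommit_sysctls`, where list_dirs_pattern and search_dirs_pattern on a file type also grant nothing useful. Two style nits: the search interface name is singular while the other two are plural, and `rw_files_pattern($1 ,{` has the comma on the wrong side of the space.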
@@ -153,6 +153,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
 type sysctl_vm_t, sysctl_type;
 genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
 
+# /proc/sys/vm/overcommit_memory
+type sysctl_vm_overcommit_t, sysctl_type;
+genfscon proc /sys/vm/overcommit_memory gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
+
 # /proc/sys/dev directory and files
 type sysctl_dev_t, sysctl_type;
 genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-- 
1.8.5.5
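Review bot: Relabeling /proc/sys/vm/overcommit_memory from sysctl_vm_t to the new sysctl_vm_overcommit_t means any existing rule that grants write on sysctl_vm_t files no longer reaches this file, so domains that previously tuned overcommit_memory through the vm sysctl rules lose that write unless those rules or their callers are switched to `kernel_rw_vm_overcommit_sysctls`; nothing in this series' visible hunks does that, so it is worth confirming the second patch or a follow-up covers it. Rules keyed on the sysctl_type attribute are unaffected, since the new type carries it. The comment above the new type should also say why the file is split out, e.g. `# /proc/sys/vm/overcommit_memory, separate type so all domains can read it without access to the rest of /proc/sys/vm`.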