1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
From 00d81a825519cac67d88e513d75e82ab3269124c Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe_macdonald@mentor.com>
Date: Fri, 29 Mar 2019 11:16:37 -0400
Subject: [PATCH 26/34] policy/module/sysfs: fix for new SELINUXMNT in /sys
SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
add rules to access sysfs.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/selinux.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..2c95db81 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -117,6 +117,9 @@ interface(`selinux_mount_fs',`
type security_t;
')
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
allow $1 security_t:filesystem mount;
')
@@ -136,6 +139,9 @@ interface(`selinux_remount_fs',`
type security_t;
')
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
+
allow $1 security_t:filesystem remount;
')
@@ -155,6 +161,9 @@ interface(`selinux_unmount_fs',`
')
allow $1 security_t:filesystem unmount;
+
+ dev_getattr_sysfs($1)
+ dev_search_sysfs($1)
')
########################################
@@ -217,6 +226,8 @@ interface(`selinux_dontaudit_getattr_dir',`
')
dontaudit $1 security_t:dir getattr;
+ dev_dontaudit_getattr_sysfs($1)
+ dev_dontaudit_search_sysfs($1)
')
########################################
@@ -253,6 +264,7 @@ interface(`selinux_dontaudit_search_fs',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir search_dir_perms;
')
@@ -272,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
+ dev_dontaudit_getattr_sysfs($1)
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
@@ -361,6 +374,7 @@ interface(`selinux_read_policy',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
@@ -394,6 +408,7 @@ interface(`selinux_set_generic_booleans',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
@@ -431,6 +446,7 @@ interface(`selinux_set_all_booleans',`
bool secure_mode_policyload;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
@@ -512,6 +528,7 @@ interface(`selinux_dontaudit_validate_context',`
type security_t;
')
+ dev_dontaudit_search_sysfs($1)
dontaudit $1 security_t:dir list_dir_perms;
dontaudit $1 security_t:file rw_file_perms;
dontaudit $1 security_t:security check_context;
@@ -533,6 +550,7 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
@@ -629,6 +647,7 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
+ dev_getattr_sysfs($1)
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
--
2.19.1
|