Subject: [PATCH] fix for new SELINUXMNT in /sys

SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should
add rules to access sysfs.

Upstream-Status: Inappropriate [only for Poky]

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
 policy/modules/kernel/selinux.if |   40 ++++++++++++++++++++++++++++++++++++++
 1 files changed, 40 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 81440c5..b57ec34 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',`
 		type security_t;
 	')
 
+	# SELINUXMNT is now /sys/fs/selinux, so we should add rules to 
+	# access sysfs
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	# starting in libselinux 2.0.5, init_selinuxmnt() will
 	# attempt to short circuit by checking if SELINUXMNT
 	# (/selinux) is already a selinuxfs
@@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',`
 		type security_t;
 	')
 
+	dev_dontaudit_search_sysfs($1)
 	# starting in libselinux 2.0.5, init_selinuxmnt() will
 	# attempt to short circuit by checking if SELINUXMNT
 	# (/selinux) is already a selinuxfs
@@ -109,6 +114,8 @@ interface(`selinux_mount_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:filesystem mount;
 ')
 
@@ -128,6 +135,8 @@ interface(`selinux_remount_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:filesystem remount;
 ')
 
@@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:filesystem unmount;
 ')
 
@@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:filesystem getattr;
 ')
 
@@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',`
 		type security_t;
 	')
 
+	dev_dontaudit_search_sysfs($1)
 	dontaudit $1 security_t:filesystem getattr;
 ')
 
@@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',`
 		type security_t;
 	')
 
+	dev_dontaudit_search_sysfs($1)
 	dontaudit $1 security_t:dir getattr;
 ')
 
@@ -220,6 +235,8 @@ interface(`selinux_search_fs',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir search_dir_perms;
 ')
 
@@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',`
 		type security_t;
 	')
 
+	dev_dontaudit_search_sysfs($1)
 	dontaudit $1 security_t:dir search_dir_perms;
 ')
 
@@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',`
 		type security_t;
 	')
 
+	dev_dontaudit_search_sysfs($1)
 	dontaudit $1 security_t:dir search_dir_perms;
 	dontaudit $1 security_t:file read_file_perms;
 ')
@@ -342,6 +361,8 @@ interface(`selinux_load_policy',`
 		bool secure_mode_policyload;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	typeattribute $1 can_load_policy;
@@ -371,6 +392,8 @@ interface(`selinux_read_policy',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file read_file_perms;
 	allow $1 security_t:security read_policy;
@@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 
@@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',`
 		bool secure_mode_policyload;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
 	allow $1 secure_mode_policyload_t:file read_file_perms;
@@ -519,6 +546,8 @@ interface(`selinux_set_parameters',`
 		attribute can_setsecparam;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security setsecparam;
@@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',`
 		type security_t;
 	')
 
+	dev_dontaudit_search_sysfs($1)
 	dontaudit $1 security_t:dir list_dir_perms;
 	dontaudit $1 security_t:file rw_file_perms;
 	dontaudit $1 security_t:security check_context;
@@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_av;
@@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_create;
@@ -626,6 +660,8 @@ interface(`selinux_compute_member',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_member;
@@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_relabel;
@@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',`
 		type security_t;
 	')
 
+	dev_getattr_sysfs_dirs($1)
+	dev_search_sysfs($1)
 	allow $1 security_t:dir list_dir_perms;
 	allow $1 security_t:file rw_file_perms;
 	allow $1 security_t:security compute_user;
-- 
1.7.5.4