Subject: [PATCH] fix for new SELINUXMNT in /sys SELINUXMNT is now from /selinux to /sys/fs/selinux, so we should add rules to access sysfs. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang --- policy/modules/kernel/selinux.if | 40 ++++++++++++++++++++++++++++++++++++++ 1 files changed, 40 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 81440c5..b57ec34 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -58,6 +58,10 @@ interface(`selinux_get_fs_mount',` type security_t; ') + # SELINUXMNT is now /sys/fs/selinux, so we should add rules to + # access sysfs + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs @@ -84,6 +88,7 @@ interface(`selinux_dontaudit_get_fs_mount',` type security_t; ') + dev_dontaudit_search_sysfs($1) # starting in libselinux 2.0.5, init_selinuxmnt() will # attempt to short circuit by checking if SELINUXMNT # (/selinux) is already a selinuxfs @@ -109,6 +114,8 @@ interface(`selinux_mount_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem mount; ') @@ -128,6 +135,8 @@ interface(`selinux_remount_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem remount; ') @@ -146,6 +155,8 @@ interface(`selinux_unmount_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem unmount; ') @@ -164,6 +175,8 @@ interface(`selinux_getattr_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:filesystem getattr; ') @@ -183,6 +196,7 @@ interface(`selinux_dontaudit_getattr_fs',` type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:filesystem getattr; ') @@ -202,6 +216,7 @@ interface(`selinux_dontaudit_getattr_dir',` type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir getattr; ') @@ -220,6 +235,8 @@ interface(`selinux_search_fs',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir search_dir_perms; ') @@ -238,6 +255,7 @@ interface(`selinux_dontaudit_search_fs',` type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir search_dir_perms; ') @@ -257,6 +275,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') @@ -342,6 +361,8 @@ interface(`selinux_load_policy',` bool secure_mode_policyload; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_load_policy; @@ -371,6 +392,8 @@ interface(`selinux_read_policy',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; allow $1 security_t:security read_policy; @@ -435,6 +458,8 @@ interface(`selinux_set_generic_booleans',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; @@ -475,6 +500,8 @@ interface(`selinux_set_all_booleans',` bool secure_mode_policyload; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; @@ -519,6 +546,8 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; @@ -563,6 +592,7 @@ interface(`selinux_dontaudit_validate_context',` type security_t; ') + dev_dontaudit_search_sysfs($1) dontaudit $1 security_t:dir list_dir_perms; dontaudit $1 security_t:file rw_file_perms; dontaudit $1 security_t:security check_context; @@ -584,6 +614,8 @@ interface(`selinux_compute_access_vector',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; @@ -605,6 +637,8 @@ interface(`selinux_compute_create_context',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; @@ -626,6 +660,8 @@ interface(`selinux_compute_member',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; @@ -655,6 +691,8 @@ interface(`selinux_compute_relabel_context',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; @@ -675,6 +713,8 @@ interface(`selinux_compute_user_contexts',` type security_t; ') + dev_getattr_sysfs_dirs($1) + dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -- 1.7.5.4