[selinux-policy: 1853/3172] trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:45:16 UTC 2010


commit eeef8dc4515206e9067f51e92fb2a2af1f4c470d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Nov 16 14:58:17 2007 +0000

    trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.

 Changelog                            |    2 +
 policy/modules/kernel/selinux.if     |   30 +++++++++++++++++-
 policy/modules/kernel/selinux.te     |    2 +-
 policy/modules/system/selinuxutil.if |   54 ++++++++++++++++++++++++++++++++++
 policy/modules/system/selinuxutil.te |   38 +++++++++---------------
 5 files changed, 99 insertions(+), 27 deletions(-)
---
diff --git a/Changelog b/Changelog
index 759e435..6869c6e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Add interface for libselinux constructor, for libselinux-linked
+  SELinux-enabled programs.
 - Patch to restructure user role templates to create restricted user roles
   from Dan Walsh.
 - Russian man page translations from Andrey Markelov.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index ed24ad2..b75d251 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -7,11 +7,11 @@
 
 ########################################
 ## <summary>
-##	Gets the caller the mountpoint of the selinuxfs filesystem.
+##	Get the mountpoint of the selinuxfs filesystem.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The process type requesting the selinuxfs mountpoint.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -32,6 +32,32 @@ interface(`selinux_get_fs_mount',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to get the mountpoint
+##	of the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`selinux_dontaudit_get_fs_mount',`
+	gen_require(`
+		type security_t;
+	')
+
+	# starting in libselinux 2.0.5, init_selinuxmnt() will
+	# attempt to short circuit by checking if SELINUXMNT
+	# (/selinux) is already a selinuxfs
+	dontaudit $1 security_t:filesystem getattr;
+
+	# read /proc/filesystems to see if selinuxfs is supported
+	# then read /proc/self/mount to see where selinuxfs is mounted
+	kernel_dontaudit_read_system_state($1)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the selinuxfs filesystem
 ## </summary>
 ## <param name="domain">
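Review bot: `kernel_dontaudit_read_system_state($1)` at the end of `selinux_dontaudit_get_fs_mount` appears, judging by its name (its body is not visible here), to silence denials for every system-state read under /proc, which is wider than the two files the comment above it names. A domain given this interface would then stop logging those denials whatever their cause, removing a signal that is useful when triaging unexpected behaviour in that domain. I would say so in the interface documentation, for example by adding `##	Note: this also hides denials for other reads of system state in /proc.` in a `<desc>` block. The comment's `/proc/self/mount` also looks like a typo for `/proc/self/mounts`. The last lines of this hunk belong to the following interface, which continues outside the hunk.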
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 2a25d0a..aee7cda 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
 
-policy_module(selinux,1.4.0)
+policy_module(selinux,1.4.1)
 
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 811178a..9bf41d4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1058,3 +1058,57 @@ interface(`seutil_get_semanage_trans_lock',`
 	files_search_etc($1)
 	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
 ')
+
+########################################
+## <summary>
+##	SELinux-enabled program access for
+##	libselinux-linked programs.
+## </summary>
+## <desc>
+##	<p>
+##	SELinux-enabled programs are typically
+##	linked to the libselinux library.  This
+##	interface will allow access required for
+##	the libselinux constructor to function.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_libselinux_linked',`
+	selinux_get_fs_mount($1)
+	seutil_read_config($1)
+')
+
+########################################
+## <summary>
+##	Do not audit SELinux-enabled program access for
+##	libselinux-linked programs.
+## </summary>
+## <desc>
+##	<p>
+##	SELinux-enabled programs are typically
+##	linked to the libselinux library.  This
+##	interface will dontaudit access required for
+##	the libselinux constructor to function.
+##	</p>
+##	<p>
+##	Generally this should not be used on anything
+##	but simple SELinux-enabled programs that do not
+##	rely on data initialized by the libselinux
+##	constructor.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_dontaudit_libselinux_linked',`
+	selinux_dontaudit_get_fs_mount($1)
+	seutil_dontaudit_read_config($1)
+')
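Review bot: The `<param>` summary of `seutil_dontaudit_libselinux_linked` reads `Domain allowed access.`, but the interface body only calls dontaudit interfaces. It should read `Domain to not audit.`, matching the wording this commit uses for `selinux_dontaudit_get_fs_mount`. The distinction matters in the generated interface documentation, where a reader could take this for an allow interface and assume the domain's libselinux constructor works. The `<desc>` would also benefit from one sentence stating that the constructor's denials will no longer appear in the audit log for the domain.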
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2b4bc5b..3b18326 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.7.1)
+policy_module(selinuxutil,1.7.2)
 
 gen_require(`
 	bool secure_mode;
@@ -160,9 +160,6 @@ allow load_policy_t self:capability dac_override;
 # only allow read of policy config files
 read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
 
-read_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
-read_lnk_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
-
 domain_use_interactive_fds(load_policy_t)
 
 # for mcs.conf
@@ -173,7 +170,6 @@ fs_getattr_xattr_fs(load_policy_t)
 
 mls_file_read_all_levels(load_policy_t)
 
-selinux_get_fs_mount(load_policy_t)
 selinux_load_policy(load_policy_t)
 selinux_set_boolean(load_policy_t)
 
@@ -188,6 +184,8 @@ libs_use_shared_libs(load_policy_t)
 
 miscfiles_read_localization(load_policy_t)
 
+seutil_libselinux_linked(load_policy_t)
+
 userdom_use_all_users_fds(load_policy_t)
 
 ifdef(`hide_broken_symptoms',`
@@ -217,9 +215,6 @@ allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
-read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-
 read_files_pattern(newrole_t,default_context_t,default_context_t)
 read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
 
@@ -238,7 +233,6 @@ mls_file_downgrade(newrole_t)
 mls_process_set_level(newrole_t)
 mls_fd_share_all_levels(newrole_t)
 
-selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
 selinux_compute_access_vector(newrole_t)
 selinux_compute_create_context(newrole_t)
@@ -277,6 +271,8 @@ logging_send_syslog_msg(newrole_t)
 
 miscfiles_read_localization(newrole_t)
 
+seutil_libselinux_linked(newrole_t)
+
 userdom_use_unpriv_users_fds(newrole_t)
 # for some PAM modules and for cwd
 userdom_dontaudit_search_all_users_home_content(newrole_t)
@@ -309,7 +305,6 @@ optional_policy(`
 
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
-allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow restorecond_t restorecond_var_run_t:file manage_file_perms;
 files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
@@ -323,7 +318,6 @@ fs_dontaudit_list_nfs(restorecond_t)
 fs_getattr_xattr_fs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)
 
-selinux_get_fs_mount(restorecond_t)
 selinux_validate_context(restorecond_t)
 selinux_compute_access_vector(restorecond_t)
 selinux_compute_create_context(restorecond_t)
@@ -343,14 +337,10 @@ logging_send_syslog_msg(restorecond_t)
 
 miscfiles_read_localization(restorecond_t)
 
-optional_policy(`
-	rpm_use_script_fds(restorecond_t)
-')
+seutil_libselinux_linked(restorecond_t)
 
 optional_policy(`
-	# restorecond watches for users logging in, 
-	# so it getspwnam when a user logs in to find his homedir
-	nis_use_ypbind(restorecond_t)
+	rpm_use_script_fds(restorecond_t)
 ')
 
 #################################
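Review bot: The `nis_use_ypbind(restorecond_t)` block removed here, together with the `netlink_route_socket` rule dropped in the earlier restorecond_t hunk, is a permission change that neither the commit message nor the Changelog entry mentions. The deleted comment says restorecond looks up the user's home directory when a user logs in. If that still holds, lookups on NIS-backed systems would presumably be denied and relabeling in those home directories could stop without an obvious cause. Either keep `nis_use_ypbind(restorecond_t)` inside its `optional_policy` block, or add a Changelog line such as `- Remove NIS access from restorecond.` so the reduction is deliberate and traceable.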
@@ -385,7 +375,6 @@ domain_use_interactive_fds(run_init_t)
 files_read_etc_files(run_init_t)
 files_dontaudit_search_all_dirs(run_init_t)
 
-selinux_get_fs_mount(run_init_t)
 selinux_validate_context(run_init_t)
 selinux_compute_access_vector(run_init_t)
 selinux_compute_create_context(run_init_t)
@@ -401,7 +390,7 @@ init_rw_utmp(run_init_t)
 libs_use_ld_so(run_init_t)
 libs_use_shared_libs(run_init_t)
 
-seutil_read_config(run_init_t)
+seutil_libselinux_linked(run_init_t)
 seutil_read_default_contexts(run_init_t)
 
 miscfiles_read_localization(run_init_t)
@@ -476,11 +465,11 @@ logging_send_syslog_msg(semanage_t)
 
 miscfiles_read_localization(semanage_t)
 
+seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_selinux_config(semanage_t)
 seutil_domtrans_setfiles(semanage_t)
 seutil_domtrans_loadpolicy(semanage_t)
-seutil_read_config(semanage_t)
 seutil_manage_bin_policy(semanage_t)
 seutil_use_newrole_fds(semanage_t)
 seutil_manage_module_store(semanage_t)
@@ -517,9 +506,9 @@ allow setfiles_t self:capability { dac_override dac_read_search fowner };
 dontaudit setfiles_t self:capability sys_tty_config;
 allow setfiles_t self:fifo_file rw_file_perms;
 
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
@@ -545,7 +534,6 @@ mls_file_write_all_levels(setfiles_t)
 mls_file_upgrade(setfiles_t)
 mls_file_downgrade(setfiles_t)
 
-selinux_get_fs_mount(setfiles_t)
 selinux_validate_context(setfiles_t)
 selinux_compute_access_vector(setfiles_t)
 selinux_compute_create_context(setfiles_t)
@@ -579,6 +567,8 @@ logging_send_syslog_msg(setfiles_t)
 
 miscfiles_read_localization(setfiles_t)
 
+seutil_libselinux_linked(setfiles_t)
+
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
 userdom_read_all_users_home_content_files(setfiles_t)

