[selinux-policy: 1853/3172] trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:45:16 UTC 2010
commit eeef8dc4515206e9067f51e92fb2a2af1f4c470d
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Nov 16 14:58:17 2007 +0000
trunk: Add interface for libselinux constructor, for libselinux-linked SELinux-enabled programs.
Changelog | 2 +
policy/modules/kernel/selinux.if | 30 +++++++++++++++++-
policy/modules/kernel/selinux.te | 2 +-
policy/modules/system/selinuxutil.if | 54 ++++++++++++++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 38 +++++++++---------------
5 files changed, 99 insertions(+), 27 deletions(-)
---
diff --git a/Changelog b/Changelog
index 759e435..6869c6e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Add interface for libselinux constructor, for libselinux-linked
+ SELinux-enabled programs.
- Patch to restructure user role templates to create restricted user roles
from Dan Walsh.
- Russian man page translations from Andrey Markelov.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index ed24ad2..b75d251 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -7,11 +7,11 @@
########################################
## <summary>
-## Gets the caller the mountpoint of the selinuxfs filesystem.
+## Get the mountpoint of the selinuxfs filesystem.
## </summary>
## <param name="domain">
## <summary>
-## The process type requesting the selinuxfs mountpoint.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -32,6 +32,32 @@ interface(`selinux_get_fs_mount',`
########################################
## <summary>
+## Do not audit attempts to get the mountpoint
+## of the selinuxfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`selinux_dontaudit_get_fs_mount',`
+ gen_require(`
+ type security_t;
+ ')
+
+ # starting in libselinux 2.0.5, init_selinuxmnt() will
+ # attempt to short circuit by checking if SELINUXMNT
+ # (/selinux) is already a selinuxfs
+ dontaudit $1 security_t:filesystem getattr;
+
+ # read /proc/filesystems to see if selinuxfs is supported
+ # then read /proc/self/mount to see where selinuxfs is mounted
+ kernel_dontaudit_read_system_state($1)
+')
+
+########################################
+## <summary>
## Get the attributes of the selinuxfs filesystem
## </summary>
## <param name="domain">
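Review bot: The call `kernel_dontaudit_read_system_state($1)` in `selinux_dontaudit_get_fs_mount` appears to silence more than the selinuxfs probe. Judging by its name, it suppresses denials for the domain's reads of general /proc state, so unrelated /proc access attempts by that domain would presumably stop showing up in the audit log. A comment above the call should say so, for example `# NOTE: this also hides other denied reads of /proc system state for $1`. The existing comment's `/proc/self/mount` is probably meant to be `/proc/mounts`, which is what libselinux reads. The documentation block that follows the new interface continues outside this hunk.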
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 2a25d0a..aee7cda 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,5 +1,5 @@
-policy_module(selinux,1.4.0)
+policy_module(selinux,1.4.1)
########################################
#
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 811178a..9bf41d4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1058,3 +1058,57 @@ interface(`seutil_get_semanage_trans_lock',`
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
+
+########################################
+## <summary>
+## SELinux-enabled program access for
+## libselinux-linked programs.
+## </summary>
+## <desc>
+## <p>
+## SELinux-enabled programs are typically
+## linked to the libselinux library. This
+## interface will allow access required for
+## the libselinux constructor to function.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_libselinux_linked',`
+ selinux_get_fs_mount($1)
+ seutil_read_config($1)
+')
+
+########################################
+## <summary>
+## Do not audit SELinux-enabled program access for
+## libselinux-linked programs.
+## </summary>
+## <desc>
+## <p>
+## SELinux-enabled programs are typically
+## linked to the libselinux library. This
+## interface will dontaudit access required for
+## the libselinux constructor to function.
+## </p>
+## <p>
+## Generally this should not be used on anything
+## but simple SELinux-enabled programs that do not
+## rely on data initialized by the libselinux
+## constructor.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_libselinux_linked',`
+ selinux_dontaudit_get_fs_mount($1)
+ seutil_dontaudit_read_config($1)
+')
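Review bot: The `domain` parameter summary of `seutil_dontaudit_libselinux_linked` reads `Domain allowed access.`, but this interface only suppresses audit records and allows nothing. `selinux_dontaudit_get_fs_mount`, added in the same commit, uses `Domain to not audit.`, and this summary should match it. The description could also state that the constructor's selinuxfs and config lookups are still denied for the domain, only silently, which is the reason for the caveat about programs that rely on constructor-initialized data.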
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2b4bc5b..3b18326 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.7.1)
+policy_module(selinuxutil,1.7.2)
gen_require(`
bool secure_mode;
@@ -160,9 +160,6 @@ allow load_policy_t self:capability dac_override;
# only allow read of policy config files
read_files_pattern(load_policy_t,{ policy_src_t policy_config_t },policy_config_t)
-read_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
-read_lnk_files_pattern(load_policy_t,selinux_config_t,selinux_config_t)
-
domain_use_interactive_fds(load_policy_t)
# for mcs.conf
@@ -173,7 +170,6 @@ fs_getattr_xattr_fs(load_policy_t)
mls_file_read_all_levels(load_policy_t)
-selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
selinux_set_boolean(load_policy_t)
@@ -188,6 +184,8 @@ libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t)
+seutil_libselinux_linked(load_policy_t)
+
userdom_use_all_users_fds(load_policy_t)
ifdef(`hide_broken_symptoms',`
@@ -217,9 +215,6 @@ allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-
read_files_pattern(newrole_t,default_context_t,default_context_t)
read_lnk_files_pattern(newrole_t,default_context_t,default_context_t)
@@ -238,7 +233,6 @@ mls_file_downgrade(newrole_t)
mls_process_set_level(newrole_t)
mls_fd_share_all_levels(newrole_t)
-selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
selinux_compute_create_context(newrole_t)
@@ -277,6 +271,8 @@ logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t)
+seutil_libselinux_linked(newrole_t)
+
userdom_use_unpriv_users_fds(newrole_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_all_users_home_content(newrole_t)
@@ -309,7 +305,6 @@ optional_policy(`
allow restorecond_t self:capability { dac_override dac_read_search fowner };
allow restorecond_t self:fifo_file rw_fifo_file_perms;
-allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
allow restorecond_t restorecond_var_run_t:file manage_file_perms;
files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
@@ -323,7 +318,6 @@ fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
-selinux_get_fs_mount(restorecond_t)
selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t)
@@ -343,14 +337,10 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
-optional_policy(`
- rpm_use_script_fds(restorecond_t)
-')
+seutil_libselinux_linked(restorecond_t)
optional_policy(`
- # restorecond watches for users logging in,
- # so it getspwnam when a user logs in to find his homedir
- nis_use_ypbind(restorecond_t)
+ rpm_use_script_fds(restorecond_t)
')
#################################
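Review bot: Removing `nis_use_ypbind(restorecond_t)` here, and `allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;` in the hunk at -309, takes permissions away from restorecond that `seutil_libselinux_linked` does not replace. As defined in this commit, that interface expands only to `selinux_get_fs_mount` and `seutil_read_config`. Neither the commit message nor the Changelog entry mentions the removal. The deleted comment says restorecond performs a getpwnam lookup when a user logs in, so on NIS-backed hosts that lookup may now be denied. If the tightening is intended, it deserves its own Changelog line such as `- Remove NIS and netlink_route access from restorecond.`; otherwise the optional block should stay.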
@@ -385,7 +375,6 @@ domain_use_interactive_fds(run_init_t)
files_read_etc_files(run_init_t)
files_dontaudit_search_all_dirs(run_init_t)
-selinux_get_fs_mount(run_init_t)
selinux_validate_context(run_init_t)
selinux_compute_access_vector(run_init_t)
selinux_compute_create_context(run_init_t)
@@ -401,7 +390,7 @@ init_rw_utmp(run_init_t)
libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t)
-seutil_read_config(run_init_t)
+seutil_libselinux_linked(run_init_t)
seutil_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t)
@@ -476,11 +465,11 @@ logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
+seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_selinux_config(semanage_t)
seutil_domtrans_setfiles(semanage_t)
seutil_domtrans_loadpolicy(semanage_t)
-seutil_read_config(semanage_t)
seutil_manage_bin_policy(semanage_t)
seutil_use_newrole_fds(semanage_t)
seutil_manage_module_store(semanage_t)
@@ -517,9 +506,9 @@ allow setfiles_t self:capability { dac_override dac_read_search fowner };
dontaudit setfiles_t self:capability sys_tty_config;
allow setfiles_t self:fifo_file rw_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
-allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
+allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
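Review bot: Dropping `selinux_config_t` from the three `allow setfiles_t { ... }` rules relies on `seutil_libselinux_linked(setfiles_t)`, added in the hunk at -579, to restore that access through `seutil_read_config`, whose body is not visible in this patch. The removed rules granted `list_dir_perms` on directories and `{ read_lnk_file_perms ioctl lock }` on symlinks of that type. It is worth confirming that `seutil_read_config` covers what setfiles still needs, so a relabel run does not fail on a symlinked config file. A short comment next to the new call, such as `# selinux_config_t read access now comes from seutil_libselinux_linked`, would keep the dependency visible to the next reader.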
@@ -545,7 +534,6 @@ mls_file_write_all_levels(setfiles_t)
mls_file_upgrade(setfiles_t)
mls_file_downgrade(setfiles_t)
-selinux_get_fs_mount(setfiles_t)
selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t)
selinux_compute_create_context(setfiles_t)
@@ -579,6 +567,8 @@ logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
+seutil_libselinux_linked(setfiles_t)
+
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
userdom_read_all_users_home_content_files(setfiles_t)