On 7/9/19 11:15 AM, Sugar, David wrote:
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
v2 - Create new interface to allow mapping security_t and use this interface by rpm_t
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/admin/rpm.te | 1 +
policy/modules/kernel/selinux.if | 20 ++++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 3c5968f9..082052fa 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t)
selinux_compute_create_context(rpm_t)
selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
+selinux_map_security_files(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
storage_raw_read_fixed_disk(rpm_t)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 6790e5d0..81d8f918 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',`
allow $1 security_t:security compute_user;
')
+########################################
+## <summary>
+## Allows caller to map secuirty_t files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+
+interface(`selinux_map_security_files',`
+ gen_require(`
+ type security_t;
+ ')
+
+ dev_search_sysfs($1)
+ allow $1 security_t:file map;
+')
+
########################################
## <summary>
## Unconfined access to the SELinux kernel security server.
Merged.
--
Chris PeBenito
