grant rpm_t permission to map security_t

type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 v2 - Create new interface to allow mapping security_t and use this interface by rpm_t Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-09 15:15:38 +00:00 · 2019-07-09 15:15:38 +00:00 · 2831598bb5
parent b85c93b582
commit 2831598bb5
2 changed files with 21 additions and 0 deletions
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t)
 selinux_compute_create_context(rpm_t)
 selinux_compute_relabel_context(rpm_t)
 selinux_compute_user_contexts(rpm_t)
+selinux_map_security_files(rpm_t)

 storage_raw_write_fixed_disk(rpm_t)
 storage_raw_read_fixed_disk(rpm_t)
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',`
 	allow $1 security_t:security compute_user;
 ')

+########################################
+## <summary>
+##	Allows caller to map secuirty_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+
+interface(`selinux_map_security_files',`
+	gen_require(`
+		type security_t;
+	')
+
+	dev_search_sysfs($1)
+	allow $1 security_t:file map;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to the SELinux kernel security server.