RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

selinux: selinuxfs is now mounted under /sys/fs/selinux instead of /selinux, so we need to allow domains that use selinuxfs to interface with SELinux to traverse /sys/fs to be able to get to /sys/fs/selinux 

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
This commit is contained in:
Dominick Grift 2013-09-24 15:40:34 +02:00 committed by Chris PeBenito
parent 0a60e5753f
commit e6e9e2d08b
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
policy/modules/kernel/selinux.if
View File

@ -220,6 +220,7 @@ interface(`selinux_search_fs',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir search_dir_perms;
')
@ -278,6 +279,7 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
@ -311,6 +313,7 @@ interface(`selinux_set_enforce_mode',`
bool secure_mode_policyload;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
@ -342,6 +345,7 @@ interface(`selinux_load_policy',`
bool secure_mode_policyload;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
@ -371,6 +375,7 @@ interface(`selinux_read_policy',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
allow $1 security_t:security read_policy;
@ -435,6 +440,8 @@ interface(`selinux_set_generic_booleans',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
@ -475,6 +482,8 @@ interface(`selinux_set_all_booleans',`
bool secure_mode_policyload;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
allow $1 secure_mode_policyload_t:file read_file_perms;
@ -519,6 +528,7 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
@ -542,6 +552,7 @@ interface(`selinux_validate_context',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
@ -584,6 +595,7 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
@ -605,6 +617,7 @@ interface(`selinux_compute_create_context',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
@ -626,6 +639,7 @@ interface(`selinux_compute_member',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
@ -655,6 +669,7 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
@ -675,6 +690,7 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;