RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
selinux-refpolicy/policy
History
Stephen Smalley 7a4e93a385 refpolicy: Define and allow map permission 
Kernel commit 6941857e82ae ("selinux: add a map permission check
for mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This refpolicy change defines map permission for refpolicy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33,
< RHEL 6); on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change only allows map permission as needed, e.g. only in the
mmap_file_perms and exec_file_perms object permission sets
(since map is always required there) and only in specific interfaces
or modules where denials were observed in limited testing.

It is important to note that effective use of this permission requires
complete removal of unconfined, as otherwise unconfined domains will be
able to map all file types and therefore bypass the intended protection.
If we wanted to exclude map permission to all file types by default from
unconfined, we would need to add it to the list of permissions excluded from
files_unconfined_type in kernel/files.te.

Policies that depend on this permission not being allowed to specific file
types should also make use of neverallow rules to ensure that this is not
undermined by any allow rule, and ensure that they are performing neverallow
checking at policy build time (e.g. make validate) or runtime (e.g.
semanage.conf expand-check=1).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 		2017-05-24 19:53:14 -04:00
..
flask refpolicy: Define and allow map permission 2017-05-24 19:53:14 -04:00
modules refpolicy: Define and allow map permission 2017-05-24 19:53:14 -04:00
support refpolicy: Define and allow map permission 2017-05-24 19:53:14 -04:00
constraints remove trailing whitespaces 2016-12-06 13:45:13 +01:00
context_defaults
global_booleans
global_tunables user_udp_server tunable 2016-08-02 19:44:16 -04:00
mcs remove trailing whitespaces 2016-12-06 13:45:13 +01:00
mls remove trailing whitespaces 2016-12-06 13:45:13 +01:00
policy_capabilities refpolicy: Define smc_socket security class 2017-05-17 18:00:57 -04:00
users