commit: 2cf229a5ed2aeb9d64b544c5cbbf87f1105d318d
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Jul 22 19:42:43 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 21:59:08 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2cf229a5
selinuxutil (#988)
* Some small selinuxutil.te changes
Allow restorecond to watch all dirs
Allow restorecond to read file contexts
Allow run_init to stat /proc
Allow semanage to read overcommit sysctl
Allow setfiles to stat /proc and read bin_t symlinks
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/files.if | 1 -
policy/modules/system/selinuxutil.te | 11 +++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index bb907f6bb..fe81fd9a0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1523,7 +1523,6 @@ interface(`files_watch_all_dirs',`
allow $1 file_type:dir watch;
')
-
########################################
## <summary>
## Read all non-authentication related
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 6925ef1ef..0b1d95e6f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -361,6 +361,8 @@ allow restorecond_t self:fifo_file rw_fifo_file_perms;
allow restorecond_t restorecond_run_t:file manage_file_perms;
files_runtime_filetrans(restorecond_t, restorecond_run_t, file)
+allow restorecond_t selinux_config_t:file watch;
+
kernel_getattr_debugfs(restorecond_t)
kernel_read_system_state(restorecond_t)
kernel_rw_pipes(restorecond_t)
@@ -388,9 +390,11 @@ selinux_compute_access_vector(restorecond_t)
selinux_compute_create_context(restorecond_t)
selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
+seutil_read_file_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_dontaudit_read_all_symlinks(restorecond_t)
+files_watch_all_dirs(restorecond_t)
auth_use_nsswitch(restorecond_t)
logging_send_syslog_msg(restorecond_t)
@@ -431,6 +435,8 @@ allow run_init_t self:netlink_audit_socket {
create_netlink_socket_perms nlmsg_r
# the failed access to the current directory
dontaudit run_init_t self:capability { dac_override dac_read_search };
+kernel_getattr_proc(run_init_t)
+
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
@@ -541,6 +547,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir
})
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
+kernel_read_vm_overcommit_sysctl(semanage_t)
kernel_dontaudit_getattr_proc(semanage_t)
corecmd_exec_bin(semanage_t)
@@ -640,6 +647,7 @@ allow setfiles_t { policy_src_t policy_config_t
file_context_t default_context_t
allow setfiles_t { policy_src_t policy_config_t file_context_t
default_context_t }:lnk_file { ioctl lock read_lnk_file_perms };
allow setfiles_t file_context_t:file map;
+kernel_getattr_proc(setfiles_t)
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
@@ -663,6 +671,9 @@ dev_relabel_all_dev_nodes(setfiles_t)
# to handle when /dev/console needs to be relabeled
dev_rw_generic_chr_files(setfiles_t)
+# to read bin_t symlinks
+corecmd_search_bin(setfiles_t)
+
domain_use_interactive_fds(setfiles_t)
domain_dontaudit_search_all_domains_state(setfiles_t)
