commit: d9d2a067d727b222feb528d67103b4aec0e3c77a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:09:48 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:10:44 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9d2a067
selinuxutil: allow semanage map perms
policy/modules/system/selinuxutil.te | 4 +++-
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 0629d437..35ba57c2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir,
"modules")
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms map };
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
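Review bot: The new line grants `map` explicitly next to `mmap_file_perms`, which is the permission set meant to cover mmap access, so this is a per-rule patch rather than a fix of the set. If `map` is not yet part of `mmap_file_perms` in the object permission sets, adding it there would cover every domain that uses the macro at once and keep this rule as `allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };`; if it already is, the explicit `map` here is redundant. Note also that `map` is only a valid permission on policy versions that declare it in the access vectors, so a build against an older kernel policy would reject the rule. The surrounding rule block starts and ends outside the hunk.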
@@ -540,7 +540,9 @@ seutil_manage_default_contexts(semanage_t)
# Handle pp files created in homedir and /tmp
userdom_read_user_home_content_files(semanage_t)
+userdom_mmap_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
+userdom_mmap_user_tmp_files(semanage_t)
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
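Review bot: The added call `userdom_mmap_user_home_content_files(semanage_t)` has no matching interface in this commit: the userdomain.if hunk below defines only `userdom_mmap_user_tmp_files`, and its 18 insertions in the diffstat are fully consumed by that one interface. Unless `userdom_mmap_user_home_content_files` already exists in userdomain.if, the policy build will fail with an undefined interface; if it does exist, it is worth stating in the commit message that only the tmp interface is new. The `ifdef(distro_debian)` block at the end of the hunk continues outside it.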
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index 16789a3c..88fdb823 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2565,6 +2565,24 @@ interface(`userdom_read_user_tmp_files',`
########################################
## <summary>
+## Mmap user temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mmap_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ allow $1 user_tmp_t:file map;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read users
## temporary files.
## </summary>
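Review bot: The interface grants only `allow $1 user_tmp_t:file map;` with no `read` or `open`, so on its own it does not let a domain map anything; it is usable only alongside `userdom_read_user_tmp_files()`, as the caller in selinuxutil.te does. That dependency is not visible from the summary, so the XML doc should say so, for example `## Mmap user temporary files. Grants only the map permission; pair with userdom_read_user_tmp_files() for read access.`. Keeping `map` separate from the read interface is reasonable from a least-privilege standpoint, since callers that only read tmp files do not silently gain mapping, but that rationale belongs in the summary too.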