selinux: Add pcp_domain level read access to maps

Update qa accordingly with conditional logic as well
performancecopilot · Apr 30, 2019 · 4306187 · 4306187
1 parent c155362
commit 4306187
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 1 deletion.
diff --git a/qa/917 b/qa/917
@@ -134,11 +134,16 @@ _filter_outfile()
            !/pcp_tmp_t/ ;
         else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /fsadm_exec_t/ && /map/)
            !/fsadm_exec_t/ ;
+        else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /pcp_domain/ && /map/)
+           !/pcp_domain] [file_type] \: [file]/ ;
 	else if (numad_context == "" && /numda_t/)
 	   !/numad_t/ ;
 	else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /hostname_exec_t/ && /pcp_pmie_t/) {
 	     printf("  allow [pcp_pmie_t] [hostname_exec_t] : [file] { execute execute_no_trans getattr open read };\n")
 	   }
+	else if (hostname_exec_map_a == "" && hostname_exec_map_b == "" && /pcp_pmcd_t/ && /pcp_pmie_exec_t/) {
+             printf("  allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };\n")
+           }
         else if (bpf_class == "" && /bpf/)
             !/bpf/ ;
         else if (wap_port_type == "" && /wap_wsp_port_t/)

diff --git a/qa/917.out.in b/qa/917.out.in
@@ -14,7 +14,7 @@ decl 1:
   allow [init_t] [system_cronjob_t] : [dbus] { send_msg };
   allow [pcp_pmcd_t] [user_home_t] : [file] { execute execute_no_trans };
   allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
-  allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read };
+  allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
   allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
   allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
   allow [pcp_pmcd_t] self : [capability] { kill chown sys_chroot ipc_lock sys_resource };
@@ -93,6 +93,7 @@ decl 1:
   allow [pcp_domain] [userdomain] : [sem] { unix_read associate getattr read };
   allow [pcp_domain] [domain] : [unix_stream_socket] { connectto };
   allow [pcp_domain] [port_type] : [tcp_socket] { name_connect };
+  allow [pcp_domain] [file_type] : [file] { map };
 --- begin avrule block ---
 decl 2:
   allow [pcp_pmcd_t] [etc_t] : [dir] { open read search getattr lock ioctl };

diff --git a/src/selinux/GNUlocaldefs b/src/selinux/GNUlocaldefs
@@ -71,6 +71,7 @@ PCP_TMP_T_MAP_RULE="allow pcp_pmcd_t pcp_tmp_t:file map\;"
 PCP_LDCONFIG_EXEC_MAP_RULE="allow pcp_pmcd_t ldconfig_exec_t:file map\;"
 PCP_FSADM_EXEC_MAP_RULE="allow pcp_pmcd_t fsadm_exec_t:file map\;"
 PCP_DEFAULT_T_MAP="allow pcp_pmcd_t default_t:file { map execute }\;"
+PCP_MMAP_ALL="files_mmap_all_files(pcp_domain)\;"
 endif
 
 ifeq "$(PCP_SELINUX_MOCK)" "true"

diff --git a/src/selinux/GNUmakefile b/src/selinux/GNUmakefile
@@ -72,6 +72,7 @@ $(IAM).te: $(IAM).te.in
 		-e 's;@PCP_NUMAD_CONTEXT@;'$(PCP_NUMAD_CONTEXT)';' \
 		-e 's;@PCP_NUMAD_RULE@;'$(PCP_NUMAD_RULE)';' \
 		-e 's;@PCP_FSADM_EXEC_MAP_RULE@;'$(PCP_FSADM_EXEC_MAP_RULE)';' \
+		-e 's;@PCP_MMAP_ALL@;'$(PCP_MMAP_ALL)';' \
 		-e 's;@PCP_BPF_STATUS_CLASS@;'$(PCP_BPF_STATUS_CLASS)';' \
 		-e 's;@PCP_BPF_STATUS_RULE@;'$(PCP_BPF_STATUS_RULE)';' \
 		-e 's;@PCP_WAP_PORT_CONTEXT@;'$(PCP_WAP_PORT_CONTEXT)';' \

diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
@@ -604,3 +604,6 @@ allow pcp_domain domain:unix_stream_socket connectto;
 
 # allow pcp_domain to connect to all ports.
 corenet_tcp_connect_all_ports(pcp_domain)
+
+# all pcp_domain read access to all maps
+@PCP_MMAP_ALL@