Bug 1290422 - RFE: add support for allowxperm in SELinux modular policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: checkpolicy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-10 13:18 UTC by Paul Moore
Modified: 2016-07-20 00:21 UTC

Fixed In Version: checkpolicy-2.5-6.fc24
Clone Of:
Environment:
Last Closed: 2016-07-20 00:21:34 UTC
Type: Bug
Embargoed:



Description Paul Moore 2015-12-10 13:18:28 UTC
Description of problem:
Add support for allowxperm and related policy constructs in the SELinux module policy so that the fine-grained ioctl controls can be utilized in modular policy.

Additional info:
More information on allowxperm and the fine-grained ioctl controls can be found at the link below.

 -> http://selinuxproject.org/page/XpermRules

Comment 1 Petr Lautrbach 2016-03-08 09:42:47 UTC
It works with CIL on Fedora 24 and later:

$ cat localallowxperm.cil 

(allowx staff_t etc_t (ioctl file (0x40)))

$ sudo semodule -i localallowxperm.cil                        

$ sudo semodule -l | grep allowxperm
localallowxperm
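
Added example (not part of the comment above, and not code from the SELinux project): a small generator that turns a list of ioctl request numbers into CIL allowx rules of the form shown in Comment 1, collapsing consecutive values into a CIL `range` expression. It goes beyond the single 0x40 case on the page. The function names and the sample request numbers are constructed for illustration; the only kernel behaviour relied on is that extended ioctl permissions are matched on the low 16 bits of the request.

```python
"""Generate CIL allowx rules from ioctl request numbers (illustrative helper)."""


def xperm(cmd):
    """Extended ioctl permissions are matched on the low 16 bits of the request."""
    return cmd & 0xFFFF


def merge_ranges(values):
    """Collapse values into sorted, inclusive (low, high) runs of consecutive numbers."""
    runs = []
    for v in sorted(set(values)):
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)   # extend the current run
        else:
            runs.append((v, v))           # start a new run
    return runs


def allowx_rules(source, target, tclass, cmds):
    """Return one CIL allowx line per run of permitted ioctl numbers."""
    rules = []
    for low, high in merge_ranges(xperm(c) for c in cmds):
        if low == high:
            expr = f"(0x{low:x})"                    # single value, as in Comment 1
        else:
            expr = f"(range 0x{low:x} 0x{high:x})"   # CIL range expression
        rules.append(f"(allowx {source} {target} (ioctl {tclass} {expr}))")
    return rules


# Constructed sample input: request numbers as they might appear in a trace,
# including one with direction/size bits set above bit 15 and one duplicate.
SAMPLE_CMDS = [0x5401, 0x5402, 0x5403, 0x80045430, 0x541B, 0x5402]

if __name__ == "__main__":
    # Reproduces the rule from Comment 1, then the constructed sample set.
    for line in allowx_rules("staff_t", "etc_t", "file", [0x40]):
        print(line)
    for line in allowx_rules("staff_t", "etc_t", "file", SAMPLE_CMDS):
        print(line)
```

The printed lines can be saved to a `.cil` file and loaded with `semodule -i` as in Comment 1.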

Comment 2 Paul Moore 2016-03-08 21:23:39 UTC
Goodie, thanks!

Comment 3 Fedora Update System 2016-07-15 11:54:23 UTC
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-84d1f77e58

Comment 4 Fedora Update System 2016-07-20 00:20:51 UTC
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

