From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 15 Apr 2021 16:56:08 +0200
Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and directories

For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag to mark the file's mount point to monitor. As this can be any file or directory on the filesystem, the SELinux watch_mount and watch_with_perm permissions are allowed for the file_type attribute.
---
 fapolicyd.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
index c12f385..582e03f 100644
--- a/fapolicyd-selinux-0.4/fapolicyd.te
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
 allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
 allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
+gen_require(`
+ attribute file_type;
+')
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
+
 manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
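Review bot: The two new `allow fapolicyd_t file_type:{dir,file} { watch_mount watch_with_perm };` rules are the widest possible grant of these permissions (every labeled file and directory, including security-sensitive types), and the .te file itself carries no explanation of why, so a later reader only learns from the commit message that the breadth is deliberate. A comment above the gen_require block such as `# fapolicyd marks mount points with FAN_MARK_MOUNT and gates opens with FAN_OPEN_PERM; the marked path can be any file or directory, so the file_type-wide grant is intentional` keeps the rationale with the rule. The file-class rule appears to matter only when a non-directory path is handed to fanotify_mark(); if fapolicyd only ever marks mount-point directories, the dir rule alone may be enough, which is worth confirming against fapolicyd's fanotify setup before keeping the broader grant. If the base policy already exposes an interface that grants watch permissions across all file types, calling it would be preferable to a raw gen_require of the attribute. The hunk's trailing context may be cut off by the collapsed page, so the surrounding rules past logging_log_filetrans are not visible here.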