Enables ioctl_skip_cloexec

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
author: Dominick Grift <dominick.grift@defensec.nl> 2023-08-22 13:50:56 +0200
committer: Dominick Grift <dominick.grift@defensec.nl> 2023-08-22 13:59:39 +0200
commit: 8ab4c6e0db1dd758830023e91cfcfc989af27ec7 (patch)
tree: f06a3ac30c780c9015a998dfb28bd8b4e89a53c9
parent: f770f9fb8ec74b9686eb462466353868e2b27210 (diff)
download: selinux-policy-8ab4c6e0db1dd758830023e91cfcfc989af27ec7.tar.gz
7 files changed, 1 insertions, 32 deletions
diff --git a/src/dev/termdev.cil b/src/dev/termdev.cil
index 93655b3..efd5e7a 100644
--- a/src/dev/termdev.cil
+++ b/src/dev/termdev.cil
@@ -5,14 +5,12 @@
 
   (macro appendinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr appendinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
 
   (macro readwriteinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr readwriteinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -22,7 +20,6 @@
 
   (macro writeinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr writeinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
index 4349a93..270cc03 100644
--- a/src/dev/termdev/ptytermdev.cil
+++ b/src/dev/termdev/ptytermdev.cil
@@ -5,14 +5,12 @@
 
   (macro appendinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr appendinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
 
   (macro readwriteinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr readwriteinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -22,7 +20,6 @@
 
   (macro writeinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr writeinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -53,7 +50,6 @@
 
     (macro appendinherited_ptytermdev_chr_files ((type ARG1))
 	   (allow ARG1 ptytermdev appendinherited_chr_file)
-	   (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
 	   (allowx ARG1 ptytermdev IOCTLCONSOLE)
 	   (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
 	   (allowx ARG1 ptytermdev IOCTLVT))
@@ -81,7 +77,6 @@
 
     (macro readwriteinherited_ptytermdev_chr_files ((type ARG1))
 	   (allow ARG1 ptytermdev readwriteinherited_chr_file)
-	   (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
 	   (allowx ARG1 ptytermdev IOCTLCONSOLE)
 	   (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
 	   (allowx ARG1 ptytermdev IOCTLVT))
@@ -103,7 +98,6 @@
 
     (macro writeinherited_ptytermdev_chr_files ((type ARG1))
 	   (allow ARG1 ptytermdev writeinherited_chr_file)
-	   (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
 	   (allowx ARG1 ptytermdev IOCTLCONSOLE)
 	   (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
 	   (allowx ARG1 ptytermdev IOCTLVT)))
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev.cil
index b9019d4..43ae22b 100644
--- a/src/dev/termdev/ptytermdev/loginptytermdev.cil
+++ b/src/dev/termdev/ptytermdev/loginptytermdev.cil
@@ -8,14 +8,12 @@
 
   (macro appendinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr appendinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
 
   (macro readwriteinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr readwriteinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -25,7 +23,6 @@
 
   (macro writeinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr writeinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
index 7400737..5907658 100644
--- a/src/dev/termdev/serialtermdev.cil
+++ b/src/dev/termdev/serialtermdev.cil
@@ -5,14 +5,12 @@
 
   (macro appendinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr appendinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
 
   (macro readwriteinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr readwriteinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -22,7 +20,6 @@
 
   (macro writeinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr writeinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -52,7 +49,6 @@
 
     (macro appendinherited_serialtermdev_chr_files ((type ARG1))
 	   (allow ARG1 serialtermdev appendinherited_chr_file)
-	   (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
 	   (allowx ARG1 serialtermdev IOCTLCONSOLE)
 	   (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
 	   (allowx ARG1 serialtermdev IOCTLVT))
@@ -80,7 +76,6 @@
 
     (macro readwriteinherited_serialtermdev_chr_files ((type ARG1))
 	   (allow ARG1 serialtermdev readwriteinherited_chr_file)
-	   (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
 	   (allowx ARG1 serialtermdev IOCTLCONSOLE)
 	   (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
 	   (allowx ARG1 serialtermdev IOCTLVT))
@@ -102,7 +97,6 @@
 
     (macro writeinherited_serialtermdev_chr_files ((type ARG1))
 	   (allow ARG1 serialtermdev writeinherited_chr_file)
-	   (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
 	   (allowx ARG1 serialtermdev IOCTLCONSOLE)
 	   (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
 	   (allowx ARG1 serialtermdev IOCTLVT)))
diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
index 2580dbe..b5a9d91 100644
--- a/src/dev/termdev/serialtermdev/loginserialtermdev.cil
+++ b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
@@ -8,14 +8,12 @@
 
   (macro appendinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr appendinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
 
   (macro readwriteinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr readwriteinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
@@ -25,7 +23,6 @@
 
   (macro writeinherited_all_chr_files ((type ARG1))
 	 (allow ARG1 typeattr writeinherited_chr_file)
-	 (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
 	 (allowx ARG1 typeattr IOCTLCONSOLE)
 	 (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
 	 (allowx ARG1 typeattr IOCTLVT))
diff --git a/src/misc/conf.cil b/src/misc/conf.cil
index f7c70d4..3f77a6b 100644
--- a/src/misc/conf.cil
+++ b/src/misc/conf.cil
@@ -11,6 +11,4 @@
 (policycap "network_peer_controls")
 (policycap "nnp_nosuid_transition")
 (policycap "open_perms")
-
-;; SELinux 3.4/Linux 5.18
-;; (policycap "ioctl_skip_cloexec")
+(policycap "ioctl_skip_cloexec")
diff --git a/src/misc/xperm.cil b/src/misc/xperm.cil
deleted file mode 100644
index 4aca460..0000000
--- a/src/misc/xperm.cil
+++ /dev/null
@@ -1,8 +0,0 @@
-;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
-;; SPDX-License-Identifier: Unlicense
-
-(permissionx FIOCLEX_FIONCLEX_CHRFILE
-	     (ioctl chr_file (0x6601 0x5451 0x6602 0x5450)))
-
-(permissionx FIOCLEX (ioctl chr_file (0x6601 0x5451)))
-(permissionx FIONCLEX (ioctl chr_file (0x6602 0x5450)))
author	Dominick Grift <dominick.grift@defensec.nl>	2023-08-22 13:50:56 +0200
committer	Dominick Grift <dominick.grift@defensec.nl>	2023-08-22 13:59:39 +0200
commit	8ab4c6e0db1dd758830023e91cfcfc989af27ec7 (patch)
tree	f06a3ac30c780c9015a998dfb28bd8b4e89a53c9
parent	f770f9fb8ec74b9686eb462466353868e2b27210 (diff)
download	selinux-policy-8ab4c6e0db1dd758830023e91cfcfc989af27ec7.tar.gz