| 1 |
commit: 068bfb7fb714073b079070396937889f7c86bacf |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Mon May 28 07:22:19 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Mon May 28 07:22:19 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=068bfb7f |
| 7 |
|
| 8 |
Create /run/udev immediately with udev_tbl_t |
| 9 |
|
| 10 |
--- |
| 11 |
policy/modules/kernel/files.if | 2 +- |
| 12 |
policy/modules/system/init.te | 1 + |
| 13 |
policy/modules/system/udev.if | 25 +++++++++++++++++++++++++ |
| 14 |
3 files changed, 27 insertions(+), 1 deletions(-) |
| 15 |
|
| 16 |
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if |
| 17 |
index 36dd117..05329fd 100644 |
| 18 |
--- a/policy/modules/kernel/files.if |
| 19 |
+++ b/policy/modules/kernel/files.if |
| 20 |
@@ -6012,7 +6012,7 @@ interface(`files_write_generic_pid_pipes',` |
| 21 |
') |
| 22 |
######################################## |
| 23 |
## <summary> |
| 24 |
-## Write files in /var/run with the lock file type |
| 25 |
+## Write dirs in /var/run with the lock file type |
| 26 |
## </summary> |
| 27 |
## <param name="domain"> |
| 28 |
## <summary> |
| 29 |
|
| 30 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 31 |
index c8452f3..b0cb238 100644 |
| 32 |
--- a/policy/modules/system/init.te |
| 33 |
+++ b/policy/modules/system/init.te |
| 34 |
@@ -853,6 +853,7 @@ optional_policy(` |
| 35 |
optional_policy(` |
| 36 |
udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t) |
| 37 |
udev_dontaudit_getattr_unix_stream_sockets(initrc_t) |
| 38 |
+ udev_pid_filetrans_tbl_dirs(initrc_t, "udev") |
| 39 |
udev_rw_db(initrc_t) |
| 40 |
udev_manage_pid_files(initrc_t) |
| 41 |
udev_manage_rules_files(initrc_t) |
| 42 |
|
| 43 |
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if |
| 44 |
index 9e7f218..6330df1 100644 |
| 45 |
--- a/policy/modules/system/udev.if |
| 46 |
+++ b/policy/modules/system/udev.if |
| 47 |
@@ -272,6 +272,31 @@ interface(`udev_rw_db',` |
| 48 |
|
| 49 |
######################################## |
| 50 |
## <summary> |
| 51 |
+## Write dirs in /var/run with the udev_tbl file type |
| 52 |
+## </summary> |
| 53 |
+## <param name="domain"> |
| 54 |
+## <summary> |
| 55 |
+## Domain allowed access. |
| 56 |
+## </summary> |
| 57 |
+## </param> |
| 58 |
+## <param name="name" optional="true"> |
| 59 |
+## <summary> |
| 60 |
+## Name of the directory that the file transition will work on |
| 61 |
+## </summary> |
| 62 |
+## </param> |
| 63 |
+# |
| 64 |
+interface(`udev_pid_filetrans_tbl_dirs',` |
| 65 |
+ gen_require(` |
| 66 |
+ type udev_tbl_t; |
| 67 |
+ ') |
| 68 |
+ |
| 69 |
+ allow $1 var_t:dir search_dir_perms; |
| 70 |
+ allow $1 var_run_t:lnk_file read_lnk_file_perms; |
| 71 |
+ files_pid_filetrans($1, udev_tbl_t, dir, $2) |
| 72 |
+') |
| 73 |
+ |
| 74 |
+######################################## |
| 75 |
+## <summary> |
| 76 |
## Create, read, write, and delete |
| 77 |
## udev pid files. |
| 78 |
## </summary> |
Archives