commit: 068bfb7fb714073b079070396937889f7c86bacf |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Mon May 28 07:22:19 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon May 28 07:22:19 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=068bfb7f |
|
Create /run/udev immediately with udev_tbl_t |
|
--- |
policy/modules/kernel/files.if | 2 +- |
policy/modules/system/init.te | 1 + |
policy/modules/system/udev.if | 25 +++++++++++++++++++++++++ |
3 files changed, 27 insertions(+), 1 deletions(-) |
|
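--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6012,7 +6012,7 @@ interface(`files_write_generic_pid_pipes',`
 ')
 ########################################
 ## <summary>
-## Write files in /var/run with the lock file type
+## Write dirs in /var/run with the lock file type
 ## </summary>
 ## <param name="domain">
 ## <summary>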
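--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -853,6 +853,7 @@ optional_policy(`
 optional_policy(`
 udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
 udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
+udev_pid_filetrans_tbl_dirs(initrc_t, "udev")
 udev_rw_db(initrc_t)
 udev_manage_pid_files(initrc_t)
 udev_manage_rules_files(initrc_t)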
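--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -272,6 +272,31 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
+## Write dirs in /var/run with the udev_tbl file type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## Name of the directory that the file transition will work on
+## </summary>
+## </param>
+#
+interface(`udev_pid_filetrans_tbl_dirs',`
+gen_require(`
+type udev_tbl_t;
+')
+
+allow $1 var_t:dir search_dir_perms;
+allow $1 var_run_t:lnk_file read_lnk_file_perms;
+files_pid_filetrans($1, udev_tbl_t, dir, $2)
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete
 ## udev pid files.
 ## </summary>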
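Review bot: The new udev_pid_filetrans_tbl_dirs interface writes allow rules on var_t and var_run_t, but its gen_require block declares only udev_tbl_t, so the interface depends on types it never requires and a modular build of a caller that does not itself require them will fail or silently rely on the files module's export. The minimal fix is `type udev_tbl_t, var_t, var_run_t;` in the gen_require; the cleaner refpolicy form is to not reach into kernel-layer types from udev.if at all, and if files_pid_filetrans already grants the var_t search and var_run_t symlink read (as the generic pid filetrans interfaces commonly do — verify against files.if), the two explicit allow lines are redundant and can simply be dropped. The summary text was lifted from the lock-dir interface documented in the files.if hunk; `Create directories in /var/run with a type transition to udev_tbl_t` states what the interface actually grants, and the name parameter doc should say the transition applies only to a directory created with that exact name.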