Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Fri, 27 Sep 2013 13:27:30
Message-Id: 1380288147.666884f7ec55dda866841340b14c77e013c41d7c.swift@gentoo
1 commit: 666884f7ec55dda866841340b14c77e013c41d7c
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Sep 24 13:40:29 2013 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Fri Sep 27 13:22:27 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=666884f7
7
8 udev: This is specific to Debian I think. Somehow the /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain
9
10 The script basically does what the name suggests, and additionally it
11 needs to be able to stop and start avahi-daemon via its init script
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/system/udev.te | 10 ++++++++++
17 1 file changed, 10 insertions(+)
18
19 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
20 index f2344a1..80dc84e 100644
21 --- a/policy/modules/system/udev.te
22 +++ b/policy/modules/system/udev.te
23 @@ -179,6 +179,16 @@ userdom_dontaudit_search_user_home_content(udev_t)
24
25 udev_pid_filetrans_db(udev_t, dir, "data")
26
27 +ifdef(`distro_debian',`
28 + optional_policy(`
29 + kernel_read_vm_sysctls(udev_t)
30 + corenet_udp_bind_generic_node(udev_t)
31 + miscfiles_read_generic_certs(udev_t)
32 + avahi_initrc_domtrans(udev_t)
33 + avahi_manage_pid_files(udev_t)
34 + ')
35 +')
36 +
37 ifdef(`distro_gentoo',`
38 allow udev_t self:capability2 block_suspend;
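Review bot: The new ifdef(`distro_debian') block carries no comment saying why udev_t needs these five interfaces, and the reason lives only in the commit message. Without it, corenet_udp_bind_generic_node(udev_t) and miscfiles_read_generic_certs(udev_t) look like unrelated grants to udev itself. Please add a comment inside the block naming /usr/lib/avahi/avahi-daemon-check-dns.sh as the caller. Since the commit message is unsure how the script ends up in udev_t, it is also worth confirming whether the script could transition to its own domain instead, so that UDP bind, avahi_initrc_domtrans(udev_t) and avahi_manage_pid_files(udev_t) are not granted to every process running as udev_t on Debian. If the rules stay on udev_t, check whether full manage access to the avahi pid files is needed, or whether a narrower access would cover stopping and starting the daemon.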