| 1 |
commit: 68f0d31ccb685203e3146a4f10f80af9412fd160 |
| 2 |
Author: Sugar, David <dsugar <AT> tresys <DOT> com> |
| 3 |
AuthorDate: Sat Mar 9 03:58:09 2019 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Mar 25 10:05:25 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68f0d31c |
| 7 |
|
| 8 |
Allow additional map permission when reading hwdb |
| 9 |
|
| 10 |
I'm seeing a denial for udev to map /etc/udev/hwdb.bin. |
| 11 |
This creates and uses a new interface to allow the needed |
| 12 |
permission for udev. |
| 13 |
|
| 14 |
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1 |
| 15 |
|
| 16 |
Updated from previous to create a new interface. |
| 17 |
|
| 18 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
| 19 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
| 20 |
|
| 21 |
policy/modules/system/systemd.if | 18 ++++++++++++++++++ |
| 22 |
policy/modules/system/udev.te | 1 + |
| 23 |
2 files changed, 19 insertions(+) |
| 24 |
|
| 25 |
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if |
| 26 |
index 8d2bb8da..6353ca69 100644 |
| 27 |
--- a/policy/modules/system/systemd.if |
| 28 |
+++ b/policy/modules/system/systemd.if |
| 29 |
@@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',` |
| 30 |
read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t) |
| 31 |
') |
| 32 |
|
| 33 |
+####################################### |
| 34 |
+## <summary> |
| 35 |
+## Allow domain to map udev hwdb file |
| 36 |
+## </summary> |
| 37 |
+## <param name="domain"> |
| 38 |
+## <summary> |
| 39 |
+## domain allowed access |
| 40 |
+## </summary> |
| 41 |
+## </param> |
| 42 |
+# |
| 43 |
+interface(`systemd_map_hwdb',` |
| 44 |
+ gen_require(` |
| 45 |
+ type systemd_hwdb_t; |
| 46 |
+ ') |
| 47 |
+ |
| 48 |
+ allow $1 systemd_hwdb_t:file map; |
| 49 |
+') |
| 50 |
+ |
| 51 |
###################################### |
| 52 |
## <summary> |
| 53 |
## Read systemd_login PID files. |
| 54 |
|
| 55 |
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te |
| 56 |
index 99f22bfb..f6a9d652 100644 |
| 57 |
--- a/policy/modules/system/udev.te |
| 58 |
+++ b/policy/modules/system/udev.te |
| 59 |
@@ -248,6 +248,7 @@ ifdef(`init_systemd',` |
| 60 |
init_get_generic_units_status(udev_t) |
| 61 |
init_stream_connect(udev_t) |
| 62 |
|
| 63 |
+ systemd_map_hwdb(udev_t) |
| 64 |
systemd_read_hwdb(udev_t) |
| 65 |
systemd_read_logind_sessions_files(udev_t) |
| 66 |
systemd_read_logind_pids(udev_t) |
Archives