commit: 68f0d31ccb685203e3146a4f10f80af9412fd160 |
Author: Sugar, David <dsugar <AT> tresys <DOT> com> |
AuthorDate: Sat Mar 9 03:58:09 2019 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 25 10:05:25 2019 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68f0d31c |
|
Allow additional map permission when reading hwdb |
|
I'm seeing a denial for udev to map /etc/udev/hwdb.bin. |
This creates and uses a new interface to allow the needed |
permission for udev. |
|
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1 |
|
Updated from previous to create a new interface. |
|
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
|
policy/modules/system/systemd.if | 18 ++++++++++++++++++ |
policy/modules/system/udev.te | 1 + |
2 files changed, 19 insertions(+) |
|
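--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',`
 read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
 ')
 
+#######################################
+## <summary>
+## Allow domain to map udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+## domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_map_hwdb',`
+ gen_require(`
+ type systemd_hwdb_t;
+ ')
+
+ allow $1 systemd_hwdb_t:file map;
+')
+
 ######################################
 ## <summary>
 ## Read systemd_login PID files.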
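Review bot: The new `systemd_map_hwdb` interface grants `file map` alone, which is of no use without the `open`/`read` access that `systemd_read_hwdb` provides, yet its `<summary>` does not mention that pairing and udev.te has to call both. I would state the dependency in the interface doc, e.g. `## Allow domain to map the udev hwdb file. Callers also need systemd_read_hwdb() for read access.`, or alternatively fold `map` into `systemd_read_hwdb` by switching it to refpolicy's `mmap_read_files_pattern` (if this tree provides it), so every reader of hwdb.bin can mmap it and the extra call disappears. Either way the added access is narrow: `map` does not cover executable mappings, which still require `file execute`, so it is limited to what udev needs to read the database.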
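--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -248,6 +248,7 @@ ifdef(`init_systemd',`
 init_get_generic_units_status(udev_t)
 init_stream_connect(udev_t)
 
+ systemd_map_hwdb(udev_t)
 systemd_read_hwdb(udev_t)
 systemd_read_logind_sessions_files(udev_t)
 systemd_read_logind_pids(udev_t)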