commit: 5135e685790073660abb1e0ef52816fb542f75a9 |
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com> |
AuthorDate: Fri Aug 26 18:02:45 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 19:07:50 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5135e685 |
|
firewalld: write tmpfs files |
|
node=localhost type=AVC msg=audit(1661536245.787:9531): avc: denied { write } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 |
node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { map } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 |
node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { read execute } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 |
|
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/firewalld.te | 8 ++++++++ |
1 file changed, 8 insertions(+) |
|
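diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index a32e4b93..32e16898 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -24,6 +24,9 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
 
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 ########################################
 #
 # Local policy
@@ -54,6 +57,11 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)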
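Review bot: The third AVC quoted in the description denies `{ read execute }` on the tmpfs file, but the rules added in the second hunk grant only create/read/write (manage_files_pattern) and read/map (mmap_read_files_pattern); as far as I recall neither refpolicy pattern carries `execute`, so that denial would remain once the domain is enforcing. The hex path in the records decodes to `/memfd:libffi (deleted)`, i.e. libffi building closure trampolines in an anonymous tmpfs file that it first writes and then maps executable. If executing that mapping is intended, `mmap_exec_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)` in place of the mmap_read line would cover it, but that amounts to a file the domain can both write and execute and deserves an explicit decision plus a comment above the new rules such as `# libffi closure trampolines: memfd on tmpfs, written then mapped executable`. If execute is deliberately withheld, a one-line comment saying so would save the next reader from re-deriving it from the same denials.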