commit: 75224d9c038ddc5e136838767f0cfcbce01ad8d8 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Tue Jan 20 14:21:00 2015 +0000 |
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com> |
CommitDate: Mon Jan 26 06:01:05 2015 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75224d9c |
|
udev: allow netlink_socket perms |
|
udev needs these perms for CRDA communication (Central Regulatory Domain |
Agent for wifi) |
|
type=AVC msg=audit(1421753429.771:3718): avc: denied { create } for |
pid=28698 comm="crda" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1 |
type=AVC msg=audit(1421753429.771:3719): avc: denied { setopt } for |
pid=28698 comm="crda" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1 |
type=AVC msg=audit(1421753429.771:3720): avc: denied { bind } for |
pid=28698 comm="crda" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1 |
type=AVC msg=audit(1421753429.771:3721): avc: denied { getattr } for |
pid=28698 comm="crda" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1 |
type=AVC msg=audit(1421753429.771:3722): avc: denied { write } for |
pid=28698 comm="crda" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1 |
type=AVC msg=audit(1421753429.771:3723): avc: denied { read } for |
pid=28698 comm="crda" scontext=system_u:system_r:udev_t |
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1 |
|
--- |
policy/modules/system/udev.te | 2 ++ |
1 file changed, 2 insertions(+) |
|
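diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
 # needed for predictable network interfaces naming
 allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+ # needed for crda
+ allow udev_t self:netlink_socket create_socket_perms;
 
 manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)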
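Review bot: The added `allow udev_t self:netlink_socket create_socket_perms;` grants more than the six permissions in the quoted AVC denials (create, setopt, bind, getattr, write, read). As I read refpolicy's permission sets, `create_socket_perms` also includes ioctl, setattr, append, connect, getopt and shutdown. The denials show `comm="crda"` with `scontext=...:udev_t`, so crda runs without a domain transition and the rule widens what every process in udev_t may do on a generic netlink socket. If the macro is kept for convention, the comment should say so, e.g. `# crda is run from udev rules and stays in udev_t; it opens a generic netlink socket (see AVCs in commit 75224d9c)`. The stricter alternative is `allow udev_t self:netlink_socket { create setopt bind getattr read write };`, and since the log was taken with `permissive=1` from a single run it is worth re-testing in enforcing mode either way. The enclosing `ifdef(`distro_gentoo'` block starts and ends outside this hunk.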