commit: c308e6f1f5a4cf7df16bc154da2d500dfa3703c9 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Dec 6 17:45:37 2013 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Dec 6 17:45:37 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c308e6f1 |
|
Move gentoo specifics to lower part |
|
--- |
policy/modules/system/udev.te | 66 +++++++++++++++++++++++++++---------------- |
1 file changed, 41 insertions(+), 25 deletions(-) |
|
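--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -64,10 +64,7 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
-allow udev_t udev_tbl_t:dir relabelto;
-manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
-manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
-manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t, udev_tbl_t, file)
 
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
@@ -79,24 +76,24 @@ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
 
-kernel_dgram_send(udev_t)
+kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
-kernel_load_module(udev_t)
+kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
 kernel_read_hotplug_sysctls(udev_t)
-kernel_read_kernel_sysctls(udev_t)
 kernel_read_modprobe_sysctls(udev_t)
-kernel_read_network_state(udev_t)
-kernel_read_software_raid_state(udev_t)
-kernel_read_system_state(udev_t)
-kernel_request_load_module(udev_t)
+kernel_read_kernel_sysctls(udev_t)
 kernel_rw_hotplug_sysctls(udev_t)
-#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
-kernel_rw_net_sysctls(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
-kernel_search_debugfs(udev_t)
+kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
-kernel_use_fds(udev_t)
+kernel_search_debugfs(udev_t)
+
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -114,13 +111,12 @@ dev_manage_generic_symlinks(udev_t)
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
-files_exec_etc_files(udev_t)
-files_getattr_generic_locks(udev_t)
-files_read_etc_files(udev_t)
-files_read_etc_runtime_files(udev_t)
-files_read_kernel_modules(udev_t)
 files_read_usr_files(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
 
 fs_getattr_all_fs(udev_t)
@@ -178,8 +174,6 @@ sysnet_etc_filetrans_config(udev_t)
 
 userdom_dontaudit_search_user_home_content(udev_t)
 
-udev_pid_filetrans_db(udev_t, dir, "data")
-
 ifdef(`distro_debian',`
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
@@ -197,12 +191,9 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-	allow udev_t self:capability2 block_suspend;
-
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
 	init_getattr_script_status_files(udev_t)
-	init_domtrans_script(udev_t)
 ')
 
 ifdef(`distro_redhat',`
@@ -331,3 +322,28 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')
+
+ifdef(`distro_gentoo',`
+	#################################
+	#
+	# local udev_t policy
+	#
+	allow udev_t self:capability2 block_suspend;
+	allow udev_t udev_tbl_t:dir relabelto;
+
+	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+	manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+
+	kernel_load_module(udev_t)
+
+	files_read_etc_files(udev_t)
+	files_read_etc_runtime_files(udev_t)
+	files_read_kernel_modules(udev_t)
+	files_read_usr_files(udev_t)
+	files_dontaudit_search_isid_type_dirs(udev_t)
+
+	udev_pid_filetrans_db(udev_t, dir, "data")
+
+	init_domtrans_script(udev_t)
+')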
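Review bot: The new `distro_gentoo` block re-declares `files_read_etc_files(udev_t)`, `files_read_etc_runtime_files(udev_t)`, `files_read_usr_files(udev_t)` and `files_dontaudit_search_isid_type_dirs(udev_t)`, all of which remain unconditional in the `@@ -114,13 +111,12 @@` hunk, so inside the block they add nothing; of that group only `files_read_kernel_modules(udev_t)` was actually dropped from the unconditional section. Removing the four duplicates and keeping `files_read_kernel_modules(udev_t)` would make the block express exactly the Gentoo-only delta the commit title describes. Similarly `manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)` already covers the unconditional `allow udev_t udev_tbl_t:file manage_file_perms;` kept in the first hunk, which is presumably intentional to stay textually aligned with upstream. The file now carries two separate `distro_gentoo` blocks (the earlier one at `@@ -197,12 +191,9 @@` still holds `init_getattr_script_status_files(udev_t)`), so merging them or cross-referencing them in a comment would help the next reader. Since `kernel_load_module(udev_t)` here is wider than the unconditional `kernel_request_load_module(udev_t)`, a one-line comment above it stating why udev on Gentoo needs direct module loading would document that privilege the way the `block_suspend` line's neighbours already do for `/dev/.rcsysinit`.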