authorChristian Göttsche <cgzones@googlemail.com>2024-02-22 18:00:51 +0100
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:05:55 -0500
commit9127b63127407012150cc1257dab821bc300477d (patch)
tree8ee95cd4379e3a482078a645f95a0006d528c168
parentsystemd: generator updates (diff)
udev: update
AVC avc: denied { create } for pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r--policy/modules/system/sysnetwork.if30
-rw-r--r--policy/modules/system/udev.te3
2 files changed, 33 insertions, 0 deletions
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index f41024669..884f3735d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -489,6 +489,7 @@ interface(`sysnet_create_config',`
')
files_search_etc($1)
+ allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };
allow $1 net_conf_t:file create_file_perms;
')
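Review bot: The added allow rule makes sysnet_create_config grant directory creation on net_conf_t, but the interface's `<summary>` (above this hunk, not visible here) presumably still describes only config files; it should say so, e.g. `## Create network config files and directories.`. Because the rule is keyed on the type and not on a path, `create_dir_perms` applies to every net_conf_t directory, not only the runtime one that motivated the change, so callers that need just /run inherit the wider grant. The body of sysnet_create_config begins before this hunk.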
@@ -537,6 +538,35 @@ interface(`sysnet_etc_filetrans_config',`
#######################################
## <summary>
+## Create files in /run with the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sysnet_runtime_filetrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_runtime_filetrans($1, net_conf_t, $2, $3)
+')
+
+#######################################
+## <summary>
## Create, read, write, and delete network config files.
## </summary>
## <param name="domain">
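Review bot: The summary of the new interface says `## Create files in /run with the type used for` even though the interface takes an object class and this very commit calls it with `dir`; `## Create objects in /run with the type used for the network config files.` would match the signature and the existing filetrans interfaces. It would also help callers to add a `<desc>` noting that this interface only sets up the type transition and does not itself grant create permission on net_conf_t, so it is paired with sysnet_create_config as udev.te does here — please confirm that files_runtime_filetrans grants no such permission before stating it. The blank context line the hunk header accounts for appears to have been dropped from the rendering, which is layout only.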
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6e24d515f..8ecc17bc7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -217,6 +217,9 @@ ifdef(`distro_debian',`
files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
+ sysnet_runtime_filetrans_config(udev_t, dir, "network")
+ sysnet_create_config(udev_t)
+
optional_policy(`
# for /usr/lib/avahi/avahi-daemon-check-dns.sh
kernel_read_vm_sysctls(udev_t)
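Review bot: The AVC in the commit message shows udev_t (ifquery) creating the single directory "network" under /run, but `sysnet_create_config(udev_t)` additionally grants create_file_perms on net_conf_t files wherever that type is used, which is broader than the denial requires; if the directory is all that is needed, a narrower rule would keep udev_t's privileges minimal, and otherwise a comment such as `# ifquery creates /run/network and its contents` would record why the wider grant was chosen. Please also confirm that sysnetwork.fc labels /run/network as net_conf_t, so that restorecon agrees with the type transition added on the line above rather than relabeling it back to the default runtime type. The `ifdef(\`distro_debian'` block enclosing these lines continues past this hunk.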