commit: ec44d0f7401dbd1c01bead625eb1d08752fbe254
Author: Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sun Jul 20 15:17:09 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 20:40:01 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec44d0f7
udev: allow udev_t to watch udev_runtime_t directory
Fix:
avc: denied { watch } for pid=175 comm="udevadm" path="/run/udev"
dev="tmpfs" ino=2 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b8406bf3b..b7864d240 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -85,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
+allow udev_t udev_runtime_t:dir watch;
kernel_load_module(udev_t)
kernel_read_system_state(udev_t)
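Review bot: The new `allow udev_t udev_runtime_t:dir watch;` rule carries no comment tying it to the denial it fixes, so a later reader of udev.te cannot tell why udev needs an inotify watch on its runtime directory; a one-line comment above it, `# udevadm sets an inotify watch on /run/udev`, would keep that rationale in the policy. The rule is broader than the denial suggests: it covers every directory labeled udev_runtime_t, not only the top-level /run/udev path in the AVC message, which is probably acceptable given udev_t already manages files, links and sockets under that type on the surrounding lines, but worth stating in the comment. If udevadm also consumes read-side inotify events on that watch, a separate `watch_reads` denial may follow; the commit message shows only `watch`, so that cannot be confirmed from here.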