commit:     31251ed390d89aaf082af95bf532470b4d0f339d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 30 06:32:23 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31251ed3

init: Add filetrans for /run/initctl

sysvinit 2.89 moved /dev/initctl to /run/initctl.

Reported-by: revel

 policy/modules/system/init.if | 5 +++++
 policy/modules/system/init.te | 1 +
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 547720de..46e61cb4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
                        type initctl_t;
                ')
 
+               dev_list_all_dev_nodes($1)
+               files_search_pids($1)
                allow $1 initctl_t:fifo_file getattr;
        ')
 ')
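Review bot: The first hunk widens init_getattr_initctl beyond what the commit message describes: `dev_list_all_dev_nodes($1)` is new here, whereas the other three hunks (L36, L44, L52) only add `files_search_pids($1)` next to an existing dev_list_all_dev_nodes call. If the intent is that this interface previously lacked the directory access needed to reach the fifo at all, the commit message should say so; otherwise that line belongs in a separate change. The `## <summary>` blocks for these four interfaces sit above each hunk and are not visible; if they still describe only /dev/initctl, a wording such as `## Get the attributes of the init control channel (/dev/initctl or /run/initctl).` would keep them accurate.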
@@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
        ')
 
        dev_list_all_dev_nodes($1)
+       files_search_pids($1)
        allow $1 initctl_t:fifo_file write;
 ')
 
@@ -1385,6 +1388,7 @@ interface(`init_telinit',`
        corecmd_exec_bin($1)
 
        dev_list_all_dev_nodes($1)
+       files_search_pids($1)
 
        init_exec($1)
 ')
@@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
        ')
 
        dev_list_all_dev_nodes($1)
+       files_search_pids($1)
        allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 ')
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f1b6b008..09f9688e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file)
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
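Review bot: The added `files_pid_filetrans(init_t, initctl_t, fifo_file)` carries no object name, so every fifo init_t creates directly under the pid directory is labelled initctl_t, not just /run/initctl; the matching dev_filetrans on the line above has the same breadth, but the pid directory is shared with far more services. If this tree's files_pid_filetrans accepts the optional name argument, `files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl")` confines the transition to the intended fifo. The diffstat shows no change to init.fc, so unless it already has a /run/initctl entry a relabel of /run would reset the fifo to the directory's default type and the write/rw interfaces above would stop working until init recreates it.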
