commit: 682ae85bac62d08d6fadb22405f347dd194bdfdb
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov 2 00:36:45 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=682ae85b
Add interface udev_run_domain
This interface is useful when using the 'RUN' option in UDEV rules where udev
will be executing a user executable to perform some action. This interface
allows a domain transition to occur for the run action.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/system/udev.if | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 73e994d6..2ecdf5f0 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,37 @@ interface(`udev_domtrans',`
domtrans_pattern($1, udev_exec_t, udev_t)
')
+########################################
+## <summary>
+## Allow udev to execute the specified program in
+## the specified domain.
+## </summary>
+## <desc>
+## <p>
+## This is a interface to support the UDEV 'RUN'
+## command. This will allow the command run by
+## udev to be run in a domain other than udev_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+## <param name="entry_file">
+## <summary>
+## Domain entry point file.
+## </summary>
+## </param>
+#
+interface(`udev_run_domain',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ domtrans_pattern(udev_t,$2,$1)
+')
+
########################################
## <summary>
## Execute udev in the caller domain.
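Review bot: the `<param>` docs for `udev_run_domain` do not say that `entry_file` has to be the entry point type of `domain`, even though the body passes them in reverse order as `domtrans_pattern(udev_t,$2,$1)`; stating the relationship in the `entry_file` summary would keep callers from swapping the two arguments. The `<desc>` could also make explicit that this grants a transition out of `udev_t` for that entry point, so the type given as `entry_file` should label only the executables meant to be launched from a RUN rule. Two style points in the same hunk: "This is a interface" should read "This is an interface", and the call should carry spaces after the commas to match `domtrans_pattern($1, udev_exec_t, udev_t)` in the context line above.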