commit: f2e3f0187d67264d9511dbbdbc3b40d898ac9eed
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jan 12 08:03:42 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2e3f018
kernel: introduce kernel_dontaudit_read_kernel_sysctl
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 5afc4802..de5ee946 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2012,6 +2012,24 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
dontaudit $1 sysctl_kernel_t:dir search;
')
+#######################################
+## <summary>
+## Do not audit attempted reading of kernel sysctls
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit accesses from
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_read_kernel_sysctl',`
+ gen_require(`
+ type sysctl_kernel_t;
+ ')
+
+ dontaudit $1 sysctl_kernel_t:file read_file_perms;
+')
+
########################################
## <summary>
## Read generic crypto sysctls.
