commit: bdf027e057879dbba76e032570be27e1cc8ba4cc Author: Peter Morrow <pemorrow <AT> linux <DOT> microsoft <DOT> com> AuthorDate: Wed Feb 5 15:47:47 2020 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 15 07:32:05 2020 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdf027e0
systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in sysfs Rules specified in system tmpfiles.d configuration files are often used to change permissions on files in sysfs. https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html Signed-off-by: Peter Morrow <pemorrow <AT> linux.microsoft.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/kernel/devices.if | 20 ++++++++++++++++++++ policy/modules/system/systemd.te | 1 + 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index afbd6d4a..1b83ea68 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4413,6 +4413,26 @@ interface(`dev_relabel_all_sysfs',` allow $1 sysfs_types:lnk_file relabel_lnk_file_perms; ') +######################################## +## <summary> +## Set the attributes of sysfs files, directories and symlinks. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_all_sysfs',` + gen_require(` + attribute sysfs_types; + ') + + allow $1 sysfs_types:dir { search_dir_perms setattr }; + allow $1 sysfs_types:file setattr; + allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr }; +') + ######################################## ## <summary> ## Read and write the TPM device. diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 4d906e5c..7624d258 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1112,6 +1112,7 @@ dev_manage_all_dev_nodes(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) dev_relabel_all_sysfs(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) +dev_setattr_all_sysfs(systemd_tmpfiles_t) dev_manage_all_dev_nodes(systemd_tmpfiles_t) files_create_lock_dirs(systemd_tmpfiles_t)
