commit: 8091d5f27c3715d4165980bee51d7652837a97a7
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Aug 12 15:47:07 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 12 15:47:07 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8091d5f2
tmpfiles on gentoo needs a few extra perms
currently tmpfiles.sh runs mknod, which creates nodes labelled device_t
that are relabelled afterwards.
---
policy/modules/system/tmpfiles.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/tmpfiles.te
b/policy/modules/system/tmpfiles.te
index de92477..49445de 100644
--- a/policy/modules/system/tmpfiles.te
+++ b/policy/modules/system/tmpfiles.te
@@ -32,7 +32,7 @@ files_pid_file(tmpfiles_var_run_t)
#
allow tmpfiles_t self:capability { mknod chown fowner fsetid };
-allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:process { getsched setfscreate };
allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
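Review bot: The new `setfscreate` permission on the `self:process` line is granted unconditionally, although the commit title frames this as a Gentoo need and the matching create rules in the third hunk are placed inside the `distro_gentoo` block; the `dev_setattr_all_blk_files(tmpfiles_t)` call in the second hunk has the same unconditional placement. Either both belong inside the Gentoo block or a short comment should say why they are needed on every distribution, since neither the hunk nor the commit message explains why tmpfiles needs to set its own file-creation context (presumably the script sets a creation context before `mknod` so nodes are not left as `device_t`; confirm against tmpfiles.sh). A suitable comment above the rule would be `# tmpfiles.sh sets a file-creation context before mknod so device nodes get their final label`. Note that `setfscreate` only lets the domain choose the label of objects it creates itself and is still subject to the normal `create` check on the chosen type, so its reach is bounded by the create rules granted elsewhere in this module.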
@@ -55,6 +55,7 @@ dev_getattr_generic_chr_files(tmpfiles_t)
dev_relabel_all_dev_nodes(tmpfiles_t)
dev_relabel_generic_dev_dirs(tmpfiles_t)
dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_blk_files(tmpfiles_t)
dev_setattr_all_chr_files(tmpfiles_t)
dev_setattr_generic_dirs(tmpfiles_t)
@@ -92,6 +93,8 @@ ifdef(`distro_gentoo',`
dev_create_generic_dirs(tmpfiles_t)
# Early at boot, access /dev/console and /dev/tty which is device_t due
to kernel-provided devtmpfs
dev_rw_generic_chr_files(tmpfiles_t)
+ dev_create_generic_chr_files(tmpfiles_t)
+ dev_create_generic_blk_files(tmpfiles_t)
init_relabelto_script_state(tmpfiles_t)
')
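Review bot: The two new `dev_create_generic_*_files(tmpfiles_t)` calls sit under a comment that only explains the read/write rule for `/dev/console` and `/dev/tty`, so a reader of the policy cannot tell why tmpfiles also needs to create generic character and block nodes; that rationale currently lives only in the commit message. Add a comment directly above the new lines, e.g. `# tmpfiles.sh runs mknod, which creates nodes labelled device_t that are relabelled afterwards`. Granting creation of `device_t` nodes is broader than the relabel-after path the message describes, so it is worth stating in the comment that the relabel happens right after creation. The enclosing `ifdef(\`distro_gentoo',\`` block starts before this hunk; the new lines also appear indented one space more than their neighbours, which may be a rendering artifact but should match the surrounding rules if not.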