commit: 459df0bed3a810a10ce4a7276873cb7c878641e3
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov 7 01:30:53 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=459df0be
usbguard, sysadm: misc fixes
Miscellaneous fixes for usbguard, and allow sysadm to connect to usbguard to
manage devices at runtime.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/usbguard.te | 3 +++
policy/modules/system/userdomain.if | 4 ++++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 9304ef5b..cca00cdb 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -40,6 +40,7 @@ files_tmpfs_file(usbguard_tmpfs_t)
#
allow usbguard_t self:capability { chown dac_read_search fowner };
+allow usbguard_t self:process { getcap signal };
allow usbguard_t self:netlink_kobject_uevent_socket create_socket_perms;
allow usbguard_t self:unix_stream_socket rw_stream_socket_perms;
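Review bot: `signal` on `self:process` in the added rule allows usbguard_t to send any signal to itself, which is broader than granting the specific signal class (`sigkill`, `sigchld`, `signull`, ...) when the motivating denial names one; if the AVC record showed only a specific signal, narrowing the rule to it would be preferable. `getcap` without `setcap` suggests the daemon only inspects its capability set; if it also drops capabilities at startup, `setcap` denials would follow, so it is worth confirming against the audit messages that prompted the change. The rule is ordered after the `capability` rule and its permission list is alphabetical, matching the file's style.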
@@ -72,6 +73,8 @@ init_search_runtime(usbguard_t)
logging_send_audit_msgs(usbguard_t)
logging_send_syslog_msg(usbguard_t)
+miscfiles_read_localization(usbguard_t)
+
tunable_policy(`usbguard_user_modify_rule_files',`
manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
')
diff --git a/policy/modules/system/userdomain.if
b/policy/modules/system/userdomain.if
index 1539477e..958e088f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1439,6 +1439,10 @@ template(`userdom_admin_user_template',`
postgresql_unconfined($1_t)
')
+ optional_policy(`
+ usbguard_stream_connect($1_t)
+ ')
+
optional_policy(`
userhelper_exec($1_t)
')
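Review bot: The new `optional_policy` block grants `usbguard_stream_connect` to every domain built from `userdom_admin_user_template`, not only sysadm as the commit message describes; if that is intended the description should say so, otherwise the call belongs in the sysadm policy rather than the shared template. This only permits the socket connect at the SELinux layer — usbguard's own IPC access control (its IPCAllowedUsers/IPCAllowedGroups settings) still decides whether the connecting user may change device policy, so the daemon-side configuration has to be checked alongside this policy change. The block is placed alphabetically before `userhelper_exec`, consistent with the surrounding calls; the template body begins before and continues after the hunk.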