commit: c476335905f6b809c1f4ba083b071fab067aa1e5
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Sep 26 13:48:31 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:30:09 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Changed to manage_sock_file_perms to allow unlink
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/jabber.te | 1 +
policy/modules/services/matrixd.te | 1 +
2 files changed, 2 insertions(+)
diff --git a/policy/modules/services/jabber.te
b/policy/modules/services/jabber.te
index 6003cc9fb..6c8e45de5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen };
manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;
kernel_read_system_state(jabberd_domain)
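Review bot: The added `sock_file` rule gives the full `manage_sock_file_perms` set to the whole `jabberd_domain` attribute, and neither the hunk nor the commit message says which daemon creates the socket. If only one jabber daemon needs it, scoping the rule to that type would stop the other members of the attribute from creating, renaming or unlinking sockets in the shared `jabberd_var_lib_t` directory. To match the `manage_files_pattern` line two lines above, the rule could be written as `manage_sock_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)`. A short comment would also help the next audit, e.g. `# <daemon> creates its local socket under its var/lib dir` (placeholder, to be filled in from the AVC denial).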
diff --git a/policy/modules/services/matrixd.te
b/policy/modules/services/matrixd.te
index 4ac31d901..c396a3d7c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
corenet_udp_bind_generic_port(matrixd_t)
corenet_udp_bind_reserved_port(matrixd_t)
+dev_read_sysfs(matrixd_t)
dev_read_urand(matrixd_t)
files_read_etc_files(matrixd_t)
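Review bot: `dev_read_sysfs(matrixd_t)` is added with no comment and no reason in the commit message, and it lets a domain that the surrounding `corenet_udp_bind_*` lines show to be network-facing read everything labelled as generic sysfs. A one-line comment naming what triggered the denial would make the grant auditable, e.g. `# matrixd reads <sysfs path from the AVC denial>` (placeholder). If the access turns out to be only the CPU online mask, `dev_read_cpu_online(matrixd_t)` would be a narrower grant. That is an assumption, since the hunk does not show which path is read.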