2019-12-26 17:31:52

by Chris PeBenito

Subject: Re: [PATCH 1/2] Add interface to read efivarfs_t directory

On 12/17/19 6:34 PM, Sugar, David wrote:
> I'm seeing the following denial when using 'efivars --list'. This
> interface grants access
> 2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc: denied { read } for pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
> index 62911f12..98f3af5d 100644
> --- a/policy/modules/kernel/filesystem.if
> +++ b/policy/modules/kernel/filesystem.if
> @@ -1982,6 +1982,24 @@ interface(`fs_manage_dos_files',`
> manage_files_pattern($1, dosfs_t, dosfs_t)
> ')
>
> +########################################
> +## <summary>
> +## List dirs in efivarfs filesystem.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_list_efivars',`
> + gen_require(`
> + type efivarfs_t;
> + ')
> +
> + list_dirs_pattern($1, efivarfs_t, efivarfs_t)
> +')
> +
> #######################################
> ## <summary>
> ## Read files in efivarfs
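Review bot: the interface name `fs_list_efivars` does not match the filesystem name used everywhere else in this hunk: the type it wraps is `efivarfs_t`, its own summary says "List dirs in efivarfs filesystem", and the neighbouring existing header reads "Read files in efivarfs", so `fs_list_efivarfs` would be the consistent choice and the one callers will guess from the read interface next to it. Two smaller points: the new header rule is 40 `#` characters while the existing header that follows it is 39, so match whichever width the file uses; and `list_dirs_pattern` only grants directory permissions on `efivarfs_t` itself, so a caller still needs search access on the directories leading to the efivarfs mount point (under sysfs on a normal system) before the `read` on `name="/"` in the quoted AVC can be reached, which is worth a sentence in the summary so callers pair this with the appropriate sysfs search interface.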

Merged.

--
Chris PeBenito