2010-04-16 06:29:26

by gizmo

Subject: [refpolicy] [PATCH 1/1] modutils patch for update-modules

update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set the SOFTLEVEL environment variable. This is never used by update-modules.


Signed-off-by: Chris Richards <[email protected]>
---
policy/modules/kernel/files.if | 20 ++++++++++++++++++++
policy/modules/system/modutils.te | 2 ++
2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2dd4e3c..fee4d52 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',`

########################################
## <summary>
+## Do not audit attempts to search the
+## contents of /var/lib.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+ type var_lib_t;
+ ')
+
+ dontaudit $1 var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
## List the contents of the /var/lib directory.
## </summary>
## <param name="domain">
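Review bot: the `<infoflow type="read" weight="5"/>` annotation on the new `files_dontaudit_search_var_lib` interface overstates what it does; the body is a single `dontaudit $1 var_lib_t:dir search_dir_perms;` rule, which only suppresses the AVC denial message and grants no access, so there is no read flow to weight. Suggest dropping the infoflow tag (or using `type="none"`) so policy analysis tools do not count this as an information flow into the caller. Otherwise the interface matches the `files_search_var_lib` it sits next to and keeps the `dontaudit` naming convention; note for anyone debugging this later that the denial is still enforced and only hidden, and `semodule -DB` rebuilds the policy with dontaudit rules disabled if the silenced access ever needs to be seen in the audit log.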
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fb0dea9..2e1cdf1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -303,6 +303,8 @@ ifdef(`distro_gentoo',`
files_search_pids(update_modules_t)
files_getattr_usr_src_files(update_modules_t)
files_list_isid_type_dirs(update_modules_t) # /var
+ files_dontaudit_search_var_lib(update_modules_t)
+ init_dontaudit_read_script_status_files(update_modules_t)

optional_policy(`
consoletype_exec(update_modules_t)
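Review bot: the second added call, `init_dontaudit_read_script_status_files(update_modules_t)`, is not introduced by this patch, so the change only builds if that interface already exists in init.if; worth confirming before merge since the commit message only motivates it indirectly via the functions.sh scan of /var/lib/init.d. Both rules are dontaudits, so update_modules_t still cannot search /var/lib or read the init status files; SOFTLEVEL will simply be unset, which the message says is harmless for update-modules. A short comment on the two lines (in the style of the existing `# /var` note) explaining that functions.sh sourcing is the source of the noise would save the next reader from re-deriving why a module tool touches init.d state. The placement inside the `ifdef(`distro_gentoo'` block is correct for a Gentoo-only behaviour.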
--
1.6.4.4


2010-04-24 12:19:48

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] modutils patch for update-modules

On Fri, 2010-04-16 at 06:29 +0000, Chris Richards wrote:
> update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set the SOFTLEVEL environment variable. This is never used by update-modules.

Merged.

> Signed-off-by: Chris Richards <[email protected]>
> ---
> policy/modules/kernel/files.if | 20 ++++++++++++++++++++
> policy/modules/system/modutils.te | 2 ++
> 2 files changed, 22 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 2dd4e3c..fee4d52 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',`
>
> ########################################
> ## <summary>
> +## Do not audit attempts to search the
> +## contents of /var/lib.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_lib',`
> + gen_require(`
> + type var_lib_t;
> + ')
> +
> + dontaudit $1 var_lib_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## List the contents of the /var/lib directory.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index fb0dea9..2e1cdf1 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -303,6 +303,8 @@ ifdef(`distro_gentoo',`
> files_search_pids(update_modules_t)
> files_getattr_usr_src_files(update_modules_t)
> files_list_isid_type_dirs(update_modules_t) # /var
> + files_dontaudit_search_var_lib(update_modules_t)
> + init_dontaudit_read_script_status_files(update_modules_t)
>
> optional_policy(`
> consoletype_exec(update_modules_t)

--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243