The following patch allows systemd-tmpfiles to read a generated config file.
It's been in Debian for over 2 years and it's the last Debian patch related
to kmod.
Description: Allow systemd-tmpfiles to read a generated config file
Author: Russell Coker <[email protected]>
Last-Update: 2017-02-06
Index: refpolicy-2.20170204/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20170204.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20170204/policy/modules/system/modutils.if
@@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',`
corecmd_search_bin($1)
can_exec($1, update_modules_exec_t)
')
+
+########################################
+## <summary>
+## Read kmod_var_run_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_var_run_files',`
+ gen_require(`
+ type kmod_var_run_t;
+ ')
+
+ allow $1 kmod_var_run_t:file read_file_perms;
+')
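Review bot: The interface name `modutils_var_run_files` does not say which access it grants; refpolicy interfaces put the permission in the name (for example `modutils_read_var_run_files`) so that callers and later reviewers can tell a read interface from a manage one without opening the .if file. The `<summary>` text `Read kmod_var_run_t` should likewise describe the object (the kmod runtime config file) rather than repeat the type name. Note also that the `allow` rule covers `kmod_var_run_t:file` only with `read_file_perms`; search on the containing directory is not granted here and must already come from elsewhere in the caller's policy, which is worth stating in the summary.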
Index: refpolicy-2.20170204/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170204.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170204/policy/modules/system/systemd.te
@@ -714,6 +714,9 @@ userdom_relabel_user_runtime_root_dirs(s
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)
+# for /run/tmpfiles.d/kmod.conf
+modutils_var_run_files(systemd_tmpfiles_t)
+
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
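Review bot: The placement of `modutils_var_run_files(systemd_tmpfiles_t)` between the `kernel_*` and `dev_*` calls breaks the file's grouping; refpolicy .te files list kernel-layer calls (`kernel_*`, `dev_*`) before system-layer ones such as `modutils_*`, so the call belongs after the `dev_*` block. The `# for /run/tmpfiles.d/kmod.conf` comment is useful and should stay with it. Since systemd-tmpfiles processes everything under /run/tmpfiles.d, it is also worth confirming in the commit text that this adds read access only (the interface grants `read_file_perms` on `:file`), not write or relabel, so tmpfiles cannot alter the kmod-generated configuration.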
On 02/05/17 23:56, Russell Coker via refpolicy wrote:
> The following patch allows systemd-tmpfiles to read a generated config file.
>
> It's been in Debian for over 2 years and it's the last Debian patch related
> to kmod.
>
> Description: Allow systemd-tmpfiles to read a generated config file
> Author: Russell Coker <[email protected]>
> Last-Update: 2017-02-06
>
> Index: refpolicy-2.20170204/policy/modules/system/modutils.if
> ===================================================================
> --- refpolicy-2.20170204.orig/policy/modules/system/modutils.if
> +++ refpolicy-2.20170204/policy/modules/system/modutils.if
> @@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',`
> corecmd_search_bin($1)
> can_exec($1, update_modules_exec_t)
> ')
> +
> +########################################
> +## <summary>
> +## Read kmod_var_run_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`modutils_var_run_files',`
> + gen_require(`
> + type kmod_var_run_t;
> + ')
> +
> + allow $1 kmod_var_run_t:file read_file_perms;
> +')
> Index: refpolicy-2.20170204/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170204.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170204/policy/modules/system/systemd.te
> @@ -714,6 +714,9 @@ userdom_relabel_user_runtime_root_dirs(s
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> kernel_read_network_state(systemd_tmpfiles_t)
>
> +# for /run/tmpfiles.d/kmod.conf
> +modutils_var_run_files(systemd_tmpfiles_t)
> +
> dev_relabel_all_sysfs(systemd_tmpfiles_t)
> dev_read_urand(systemd_tmpfiles_t)
> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
Merged, though I renamed the interface.
--
Chris PeBenito