2017-09-11 03:18:07

by Mira Ressel

Subject: [refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's

Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
---
policy/modules/system/modutils.if | 4 ++--
policy/modules/system/modutils.te | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index d6b92ba4..e9ee3c29 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
')

files_list_kernel_modules($1)
- allow $1 modules_dep_t:file read_file_perms;
+ allow $1 modules_dep_t:file { read_file_perms map };
')

########################################
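Review bot: the interface's documentation block (just above this hunk, not shown) still describes modutils_read_module_deps as a read-only interface; since `map` additionally lets the caller mmap() modules.dep rather than only read() it, the description should say so, because callers granted this interface now receive a permission that is only checked on kernels and policies where the `map` file permission is defined. Consider a one-line comment next to `allow $1 modules_dep_t:file { read_file_perms map };` noting that libkmod maps the file.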
@@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
')

files_list_kernel_modules($1)
- allow $1 modules_object_t:file read_file_perms;
+ allow $1 modules_object_t:file { read_file_perms map };
')

########################################
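Review bot: the commit message says other libkmod consumers such as udev also need `map` on the module objects, but no hunk touches those domains, so this change only helps them if their .te files already call modutils_read_module_objects (and modutils_read_module_deps); confirm that is the case for udev before relying on this patch alone. As written, `{ read_file_perms map }` on modules_object_t permits read-only mappings of the *.ko files and does not by itself grant execute or writable mappings, which is the appropriate scope for a "read" interface.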
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7cc6985d..70efffc1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
+allow kmod_t modules_dep_t:file map;
filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t modules_object_t:file map;

can_exec(kmod_t, kmod_exec_t)

--
2.14.1


2017-09-12 00:05:22

by Chris PeBenito

Subject: [refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's

On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> Note that not only kmod needs this permission, other libkmod consumers
> like udev require it, too. Hence I'm adding the permission to the
> relevant interfaces.
> ---
> policy/modules/system/modutils.if | 4 ++--
> policy/modules/system/modutils.te | 2 ++
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index d6b92ba4..e9ee3c29 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
> ')
>
> files_list_kernel_modules($1)
> - allow $1 modules_dep_t:file read_file_perms;
> + allow $1 modules_dep_t:file { read_file_perms map };
> ')
>
> ########################################
> @@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
> ')
>
> files_list_kernel_modules($1)
> - allow $1 modules_object_t:file read_file_perms;
> + allow $1 modules_object_t:file { read_file_perms map };
> ')
>
> ########################################
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 7cc6985d..70efffc1 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
> read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
> list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
> manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
> +allow kmod_t modules_dep_t:file map;
> filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
> create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
> +allow kmod_t modules_object_t:file map;
>
> can_exec(kmod_t, kmod_exec_t)

Merged.

--
Chris PeBenito