2016-12-18 18:13:28

by guido

Subject: [refpolicy] [PATCH] udev: manage tmpfs files and directories

Update the udev module so that the udev domain can manage tmpfs files
and directories.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/udev.te | 2 ++
1 file changed, 2 insertions(+)

--- a/policy/modules/system/udev.te 2016-09-10 18:09:13.359710389 +0200
+++ b/policy/modules/system/udev.te 2016-12-18 18:09:55.935617782 +0100
@@ -123,6 +126,8 @@ files_getattr_generic_locks(udev_t)
files_search_mnt(udev_t)

fs_getattr_all_fs(udev_t)
+fs_manage_tmpfs_dirs(udev_t)
+fs_manage_tmpfs_files(udev_t)
fs_list_inotifyfs(udev_t)
fs_rw_anon_inodefs_files(udev_t)
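Review bot: the two added rules are unconditional and carry no comment saying why udev_t needs them, yet `fs_manage_tmpfs_dirs(udev_t)` and `fs_manage_tmpfs_files(udev_t)` grant create/write/unlink on every tmpfs-labelled mount, not on one directory; add a comment above them naming the use (later in this thread it is given as managing /run during bootup) and, if the audit denials that motivated this only show a subset of the manage permission set, use the narrower interface instead. The hunk header `@@ -123,6 +126,8 @@` with only two added lines in the whole patch also means the working tree already had three extra lines above this point that are not in the patch, so it may not apply cleanly to an upstream checkout; regenerate it against a clean tree.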



2016-12-18 19:37:35

by Christian Göttsche

Subject: [refpolicy] [PATCH] udev: manage tmpfs files and directories

Hi,
On Debian with systemd's udev these permissions are not needed; maybe
you can put them into an ifndef(`init_systemd',...) block?

Kindly Regards,
Christian Göttsche

2016-12-18 19:13 GMT+01:00 Guido Trentalancia via refpolicy
<[email protected]>:
> Update the udev module so that the udev domain can manage tmpfs files
> and directories.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/udev.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> --- a/policy/modules/system/udev.te 2016-09-10 18:09:13.359710389 +0200
> +++ b/policy/modules/system/udev.te 2016-12-18 18:09:55.935617782 +0100
> @@ -123,6 +126,8 @@ files_getattr_generic_locks(udev_t)
> files_search_mnt(udev_t)
>
> fs_getattr_all_fs(udev_t)
> +fs_manage_tmpfs_dirs(udev_t)
> +fs_manage_tmpfs_files(udev_t)
> fs_list_inotifyfs(udev_t)
> fs_rw_anon_inodefs_files(udev_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2016-12-18 19:53:06

by guido

Subject: [refpolicy] [PATCH] udev: manage tmpfs files and directories

Hello.

On Sun, 18/12/2016 at 20.37 +0100, cgzones wrote:
> Hi,
> On Debian with systemd's udev these permissions are not needed; maybe
> you can put them into an ifndef(`init_systemd',...) block?

Yes, thanks very much for telling me, it's a good idea!

I'll post a new revised patch shortly...

> Kindly Regards,
> Christian Göttsche
>
> 2016-12-18 19:13 GMT+01:00 Guido Trentalancia via refpolicy
> <[email protected]>:
> >
> > Update the udev module so that the udev domain can manage tmpfs
> > files
> > and directories.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/system/udev.te |????2 ++
> > ?1 file changed, 2 insertions(+)
> >
> > --- a/policy/modules/system/udev.te?????2016-09-10
> > 18:09:13.359710389 +0200
> > +++ b/policy/modules/system/udev.te?????2016-12-18
> > 18:09:55.935617782 +0100
> > @@ -123,6 +126,8 @@ files_getattr_generic_locks(udev_t)
> > ?files_search_mnt(udev_t)
> >
> > ?fs_getattr_all_fs(udev_t)
> > +fs_manage_tmpfs_dirs(udev_t)
> > +fs_manage_tmpfs_files(udev_t)
> > ?fs_list_inotifyfs(udev_t)
> > ?fs_rw_anon_inodefs_files(udev_t)

Regards,

Guido

2016-12-18 20:01:56

by guido

Subject: [refpolicy] [PATCH v2] udev: manage tmpfs files and directories

Update the udev module so that the udev domain can manage tmpfs files
and directories.

Thanks to Christian Göttsche for pointing out that this only applies
to systems not using systemd (v2).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/udev.te | 3 +++
1 file changed, 3 insertions(+)

--- a/policy/modules/system/udev.te 2016-09-10 18:09:13.359710389 +0200
+++ b/policy/modules/system/udev.te 2016-12-18 20:56:21.466748374 +0100
@@ -229,6 +231,9 @@ ifdef(`init_systemd',`
init_dgram_send(udev_t)

systemd_read_logind_pids(udev_t)
+',`
+ fs_manage_tmpfs_dirs(udev_t)
+ fs_manage_tmpfs_files(udev_t)
')

optional_policy(`
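Review bot: the else branch of `ifdef(`init_systemd',...)` is the right place for these two rules, but they still have no comment saying what they are for, so the next reader of udev.te has to find this thread to learn that it is /run management during bootup on non-systemd systems; add a one-line comment above `fs_manage_tmpfs_dirs(udev_t)` stating that. As with v1, the header `@@ -229,6 +231,9 @@` shows the diff was taken against a tree already carrying two extra lines above this hunk, so check that it applies to a clean upstream checkout before merging.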

2016-12-18 20:24:18

by Dac Override

Subject: [refpolicy] [PATCH] udev: manage tmpfs files and directories


On 12/18/2016 08:37 PM, cgzones via refpolicy wrote:
> Hi,
> On Debian with systemd's udev these permissions are not needed; maybe
> you can put them into an ifndef(`init_systemd',...) block?
>

I do not believe that udev should be able to do this at all. Please
explain why you would want to add these rules.

> Kindly Regards,
> Christian Göttsche
>
> 2016-12-18 19:13 GMT+01:00 Guido Trentalancia via refpolicy
> <[email protected]>:
>> Update the udev module so that the udev domain can manage tmpfs files
>> and directories.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/system/udev.te | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> --- a/policy/modules/system/udev.te 2016-09-10 18:09:13.359710389 +0200
>> +++ b/policy/modules/system/udev.te 2016-12-18 18:09:55.935617782 +0100
>> @@ -123,6 +126,8 @@ files_getattr_generic_locks(udev_t)
>> files_search_mnt(udev_t)
>>
>> fs_getattr_all_fs(udev_t)
>> +fs_manage_tmpfs_dirs(udev_t)
>> +fs_manage_tmpfs_files(udev_t)
>> fs_list_inotifyfs(udev_t)
>> fs_rw_anon_inodefs_files(udev_t)
>>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-18 21:02:57

by guido

Subject: [refpolicy] [PATCH] udev: manage tmpfs files and directories

On Sun, 18/12/2016 at 21.24 +0100, Dominick Grift via refpolicy wrote:
> On 12/18/2016 08:37 PM, cgzones via refpolicy wrote:
> >
> > Hi,
> > On Debian with systemd's udev these permissions are not needed;
> > maybe
> > you can put them into an ifndef(`init_systemd',...) block?
> >
>
> I do not believe that udev should be able to do this at all. Please
> explain why you would want to add these rules.

It needs the permissions to manage /run during bootup.

> > Kindly Regards,
> > Christian Göttsche
> >
> > 2016-12-18 19:13 GMT+01:00 Guido Trentalancia via refpolicy
> > <[email protected]>:
> > >
> > > Update the udev module so that the udev domain can manage tmpfs
> > > files
> > > and directories.
> > >
> > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > ---
> > > ?policy/modules/system/udev.te |????2 ++
> > > ?1 file changed, 2 insertions(+)
> > >
> > > --- a/policy/modules/system/udev.te?????2016-09-10
> > > 18:09:13.359710389 +0200
> > > +++ b/policy/modules/system/udev.te?????2016-12-18
> > > 18:09:55.935617782 +0100
> > > @@ -123,6 +126,8 @@ files_getattr_generic_locks(udev_t)
> > > ?files_search_mnt(udev_t)
> > >
> > > ?fs_getattr_all_fs(udev_t)
> > > +fs_manage_tmpfs_dirs(udev_t)
> > > +fs_manage_tmpfs_files(udev_t)
> > > ?fs_list_inotifyfs(udev_t)
> > > ?fs_rw_anon_inodefs_files(udev_t)

Guido
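
The check that the exchange above calls for is whether the denials udev actually hits on a non-systemd boot need the full manage set on tmpfs_t, or whether a narrower grant would do. The script below is an added example, not code from this thread or from refpolicy: it parses AVC denial records (the sample lines are constructed for this example), keeps only those from one source domain to one target type, and maps the union of denied permissions per object class onto the smallest covering permission set. The permission sets are my approximation of refpolicy's obj_perm_sets.spt macros, written from memory, and the function names are mine.

```python
"""
Map AVC denials from one domain against one type onto refpolicy-style
permission sets, to decide whether 'manage' is really what is needed.

Added example for the refpolicy udev/tmpfs thread; not refpolicy code.
"""
import re
from collections import defaultdict

# Approximation of refpolicy's obj_perm_sets.spt macros, narrowest first.
# Assumption: these may lag the real definitions; check the tree you build.
PERM_SETS = {
    "file": {
        "read_file_perms":   {"open", "getattr", "read", "ioctl", "lock"},
        "rw_file_perms":     {"open", "getattr", "read", "write", "append",
                              "ioctl", "lock"},
        "manage_file_perms": {"create", "open", "getattr", "setattr", "read",
                              "write", "append", "rename", "link", "unlink",
                              "ioctl", "lock"},
    },
    "dir": {
        "list_dir_perms":    {"open", "getattr", "search", "read", "lock",
                              "ioctl"},
        "rw_dir_perms":      {"open", "getattr", "search", "read", "lock",
                              "ioctl", "add_name", "remove_name", "write"},
        "manage_dir_perms":  {"create", "open", "getattr", "setattr", "read",
                              "write", "link", "unlink", "rename", "search",
                              "rmdir", "ioctl", "lock", "add_name",
                              "remove_name", "reparent"},
    },
}

# Matches the kernel's AVC record layout: "avc:  denied  { perms } for ...
# scontext=... tcontext=... tclass=...".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def collect_denials(lines, source_type, target_type):
    """Return {tclass: set(perms)} for denials from source_type to target_type."""
    needed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record
        if context_type(m.group("sctx")) != source_type:
            continue
        if context_type(m.group("tctx")) != target_type:
            continue
        needed[m.group("tclass")].update(m.group("perms").split())
    return dict(needed)


def smallest_covering_set(tclass, perms):
    """Name of the narrowest known set covering perms, or None if unknown class."""
    for name, members in PERM_SETS.get(tclass, {}).items():
        if perms <= members:
            return name
    return None


def suggest(lines, source_type, target_type):
    """{tclass: (sorted denied perms, covering set name or None)}."""
    needed = collect_denials(lines, source_type, target_type)
    return {c: (sorted(p), smallest_covering_set(c, p)) for c, p in needed.items()}


# Constructed sample records, not captured from a real system.
SAMPLE_AVC = [
    'type=AVC msg=audit(1482087208.101:41): avc:  denied  { write add_name } for  pid=301 comm="udevd" name="run" dev="tmpfs" ino=2 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1482087208.102:42): avc:  denied  { create } for  pid=301 comm="udevd" name="udev" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1482087208.150:43): avc:  denied  { create write open } for  pid=301 comm="udevd" name="queue" dev="tmpfs" ino=17 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1482087209.003:44): avc:  denied  { unlink } for  pid=301 comm="udevd" name="queue" dev="tmpfs" ino=17 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0',
    # different target type: must not influence the tmpfs_t result
    'type=AVC msg=audit(1482087209.010:45): avc:  denied  { setattr } for  pid=301 comm="udevd" name="sda" dev="devtmpfs" ino=9 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    # not an AVC record at all
    'type=SYSCALL msg=audit(1482087209.010:45): arch=c000003e syscall=2 success=no exit=-13',
]

if __name__ == "__main__":
    for tclass, (perms, covering) in suggest(SAMPLE_AVC, "udev_t", "tmpfs_t").items():
        print(f"{tclass}: denied {{ {' '.join(perms)} }} -> {covering}")
```

With the constructed sample the dir class needs `create`, which no set below manage_dir_perms contains, and the file class needs `create` and `unlink`, so both land on the manage sets and the two interfaces in the patch are the matching grants. Had the evidence been only `read open` or `write` on files, the script reports read_file_perms or rw_file_perms instead, which is the case where a narrower interface should be preferred. Note that in refpolicy fs_manage_tmpfs_files() expands through manage_files_pattern(), which already grants rw_dir_perms on tmpfs_t directories, so the separate fs_manage_tmpfs_dirs() is only needed when the dir class itself requires the manage set.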

2016-12-18 21:04:07

by Dac Override

Subject: [refpolicy] [PATCH] udev: manage tmpfs files and directories

On 12/18/2016 10:02 PM, Guido Trentalancia via refpolicy wrote:
> On Sun, 18/12/2016 at 21.24 +0100, Dominick Grift via refpolicy wrote:
>> On 12/18/2016 08:37 PM, cgzones via refpolicy wrote:
>>>
>>> Hi,
>>> On Debian with systemd's udev these permissions are not needed;
>>> maybe
>>> you can put them into an ifndef(`init_systemd',...) block?
>>>
>>
>> I do not believe that udev should be able to do this at all. Please
>> explain why you would want to add these rules.
>
> It needs the permissions to manage /run during bootup.

I see. Yes, that makes sense, I suppose.

>
>>> Kindly Regards,
>>> Christian Göttsche
>>>
>>> 2016-12-18 19:13 GMT+01:00 Guido Trentalancia via refpolicy
>>> <[email protected]>:
>>>>
>>>> Update the udev module so that the udev domain can manage tmpfs
>>>> files
>>>> and directories.
>>>>
>>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>>> ---
>>>> policy/modules/system/udev.te | 2 ++
>>>> 1 file changed, 2 insertions(+)
>>>>
>>>> --- a/policy/modules/system/udev.te 2016-09-10
>>>> 18:09:13.359710389 +0200
>>>> +++ b/policy/modules/system/udev.te 2016-12-18
>>>> 18:09:55.935617782 +0100
>>>> @@ -123,6 +126,8 @@ files_getattr_generic_locks(udev_t)
>>>> files_search_mnt(udev_t)
>>>>
>>>> fs_getattr_all_fs(udev_t)
>>>> +fs_manage_tmpfs_dirs(udev_t)
>>>> +fs_manage_tmpfs_files(udev_t)
>>>> fs_list_inotifyfs(udev_t)
>>>> fs_rw_anon_inodefs_files(udev_t)
>
> Guido


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-18 22:56:51

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] udev: manage tmpfs files and directories

On 12/18/16 15:01, Guido Trentalancia via refpolicy wrote:
> Update the udev module so that the udev domain can manage tmpfs files
> and directories.
>
> Thanks to Christian Göttsche for pointing out that this only applies
> to systems not using systemd (v2).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/udev.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- a/policy/modules/system/udev.te 2016-09-10 18:09:13.359710389 +0200
> +++ b/policy/modules/system/udev.te 2016-12-18 20:56:21.466748374 +0100
> @@ -229,6 +231,9 @@ ifdef(`init_systemd',`
> init_dgram_send(udev_t)
>
> systemd_read_logind_pids(udev_t)
> +',`
> + fs_manage_tmpfs_dirs(udev_t)
> + fs_manage_tmpfs_files(udev_t)
> ')
>

Merged.

--
Chris PeBenito