From: gizmo@giz-works.com (Chris Richards) Date: Fri, 16 Apr 2010 06:29:26 +0000 Subject: [refpolicy] [PATCH 1/1] modutils patch for update-modules Message-ID: <1271399366-4294-1-git-send-email-gizmo@giz-works.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var. This is never used by update-modules. Signed-off-by: Chris Richards --- policy/modules/kernel/files.if | 20 ++++++++++++++++++++ policy/modules/system/modutils.te | 2 ++ 2 files changed, 22 insertions(+), 0 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 2dd4e3c..fee4d52 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',` ######################################## ## +## Do not audit attempts to search the +## contents of /var/lib. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`files_dontaudit_search_var_lib',` + gen_require(` + type var_lib_t; + ') + + dontaudit $1 var_lib_t:dir search_dir_perms; +') + +######################################## +## ## List the contents of the /var/lib directory. ## ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index fb0dea9..2e1cdf1 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -303,6 +303,8 @@ ifdef(`distro_gentoo',` files_search_pids(update_modules_t) files_getattr_usr_src_files(update_modules_t) files_list_isid_type_dirs(update_modules_t) # /var + files_dontaudit_search_var_lib(update_modules_t) + init_dontaudit_read_script_status_files(update_modules_t) optional_policy(` consoletype_exec(update_modules_t) -- 1.6.4.4
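Review bot: in the files.if hunk, `files_dontaudit_search_var_lib` silences the `var_lib_t:dir search` denial rather than allowing it, which is the right trade-off given the commit message says update-modules never uses SOFTLEVEL, but it also means any later legitimate need for /var/lib from this domain will fail silently, so note that in the interface summary. Two checks before merging: confirm no equivalent dontaudit interface already exists elsewhere in files.if (the hunk only shows the neighbours `files_search_var_lib` and `files_list_var_lib`), and keep the doc block in refpolicy's XML form (`<summary>`, `<param name="domain">`, `<desc>`) as the adjacent interfaces have it; as reproduced here the block reads only "Do not audit attempts to search the contents of /var/lib." and "Domain to not audit." with no wrappers, which may be extraction loss but would otherwise drop the interface from the generated documentation.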
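Review bot: in the modutils.te hunk, the two new calls sit correctly inside the `ifdef(`distro_gentoo',` block and in module order (files_* before init_*), but check that they actually cover the access path the commit message describes. functions.sh scans /var/lib/init.d, so after `files_dontaudit_search_var_lib(update_modules_t)` quiets the search of /var/lib itself, the next denial is likely directory search/read on the type of /var/lib/init.d rather than a file read; `init_dontaudit_read_script_status_files(update_modules_t)` only addresses the file side, so run update-modules with the patch applied and confirm the audit log is clean, adding the matching dir dontaudit from init.if if the denial has merely moved one level down.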