From: pebenito@gentoo.org (Chris PeBenito) Date: Sat, 24 Apr 2010 08:19:48 -0400 Subject: [refpolicy] [PATCH 1/1] modutils patch for update-modules In-Reply-To: <1271399366-4294-1-git-send-email-gizmo@giz-works.com> References: <1271399366-4294-1-git-send-email-gizmo@giz-works.com> Message-ID: <1272111588.2828.4.camel@defiant> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2010-04-16 at 06:29 +0000, Chris Richards wrote: > update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var. This is never used by update-modules. Merged. > Signed-off-by: Chris Richards > --- > policy/modules/kernel/files.if | 20 ++++++++++++++++++++ > policy/modules/system/modutils.te | 2 ++ > 2 files changed, 22 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index 2dd4e3c..fee4d52 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',` > > ######################################## > ## > +## Do not audit attempts to search the > +## contents of /var/lib. > +## > +## > +## > +## Domain to not audit. > +## > +## > +## > +# > +interface(`files_dontaudit_search_var_lib',` > + gen_require(` > + type var_lib_t; > + ') > + > + dontaudit $1 var_lib_t:dir search_dir_perms; > +') > + > +######################################## > +## > ## List the contents of the /var/lib directory. > ## > ## > diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te > index fb0dea9..2e1cdf1 100644 > --- a/policy/modules/system/modutils.te > +++ b/policy/modules/system/modutils.te 
> @@ -303,6 +303,8 @@ ifdef(`distro_gentoo',` > files_search_pids(update_modules_t) > files_getattr_usr_src_files(update_modules_t) > files_list_isid_type_dirs(update_modules_t) # /var > + files_dontaudit_search_var_lib(update_modules_t) > + init_dontaudit_read_script_status_files(update_modules_t) > > optional_policy(` > consoletype_exec(update_modules_t) -- Chris PeBenito Developer, Hardened Gentoo Linux Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
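Review bot: the `files_dontaudit_search_var_lib` hunk in files.if would benefit from a sentence in its summary explaining why a dontaudit rather than an allow is the right choice here, since the commit message (update-modules never uses the SOFTLEVEL value that the /var/lib scan feeds) is the only place that rationale lives; a reader who later sees the silenced denial could otherwise be tempted to swap it for `files_search_var_lib`. The rule itself, `dontaudit $1 var_lib_t:dir search_dir_perms;`, is the dontaudit twin of the `files_search_var_lib` interface it is placed next to, and the "Domain to not audit." parameter description follows the existing interface convention, so no change is needed to the body.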
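Review bot: the two new lines in modutils.te lack the short trailing comment that the neighbouring `files_list_isid_type_dirs(update_modules_t) # /var` line carries; annotating them with the cause (sourcing /etc/init.d/functions.sh, which scans /var/lib/init.d) would make it clear why a module-loading domain dontaudits init script status files at all, e.g. `+ files_dontaudit_search_var_lib(update_modules_t) # /etc/init.d/functions.sh`. Placing both calls inside the `ifdef(`distro_gentoo',` block is correct, since the functions.sh behaviour being worked around is Gentoo-specific. One operational caveat worth keeping in mind with any dontaudit: if update-modules ever does come to depend on this access, the resulting failure will be silent; when troubleshooting, temporarily rebuilding policy with dontaudit rules disabled (`semodule -DB`, then `semodule -B` to restore) makes the suppressed denials visible again.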