From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Wed, 4 Jan 2012 21:03:20 +0100 Subject: [refpolicy] [PATCH 4/5] Grant dracut_manage_tmp_files to domains called by dracut In-Reply-To: <20120104200014.GA6512@siphos.be> References: <20120104200014.GA6512@siphos.be> Message-ID: <20120104200320.GE6512@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The dracut application calls, amongst other applications, ldconfig and depmod and gets them to write information in a temporary location created by dracut. This allows those domains manage access to these locations. Write privileges alone were not sufficient as new files were created as well. Signed-off-by: Sven Vermeulen --- policy/modules/system/libraries.te | 4 ++++ policy/modules/system/modutils.te | 4 ++++ 2 files changed, 8 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 5a16f99..50332d3 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -131,6 +131,10 @@ optional_policy(` ') optional_policy(` + dracut_manage_tmp_files(ldconfig_t) +') + +optional_policy(` puppet_rw_tmp(ldconfig_t) ') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index a8d6741..16cfe82 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -89,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dracut_manage_tmp_files(depmod_t) +') + +optional_policy(` rpm_rw_pipes(depmod_t) rpm_manage_script_tmp_files(depmod_t) ') -- 1.7.3.4
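
Review bot: in the libraries.te hunk, the added `dracut_manage_tmp_files(ldconfig_t)` gives ldconfig_t more than the commit message asks for. The stated need is write access plus creation of new files, while a manage interface in refpolicy naming normally also carries delete, rename, link and setattr on the target type. If ldconfig only creates and writes files in dracut's temporary location, a narrower interface limited to create and write would fit better; otherwise the commit message should list the denials that required the remaining permissions. The interface definition is not part of this patch, so it is also worth confirming that it lands earlier in the series and that it covers the add_name permission on the containing directory, which file creation needs.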
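
Review bot: in the modutils.te hunk, `dracut_manage_tmp_files(depmod_t)` applies to every depmod run, not only to those started by dracut, because a type enforcement rule keyed on depmod_t cannot tell its callers apart. Containment therefore depends on the dracut temporary file type labelling nothing except the scratch location described in the commit message. Please check that no other dracut temporary content carries that type, and consider a one-line comment above the call saying that depmod writes into dracut's temporary location, since that reason currently lives only in the commit message.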