From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 12 Jul 2012 21:24:44 +0200 Subject: [refpolicy] [PATCH v5 4/5] Prepare udev interfaces for /run usage In-Reply-To: <1342121085-2765-1-git-send-email-sven.vermeulen@siphos.be> References: <1342121085-2765-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1342121085-2765-5-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Recent udev implementations now use /run (actually, /run/udev) for storing database files, rules and more. Hence, we need to extend existing interfaces to support searching through the udev_var_run_t location (as most of that was previously only in device_t and/or etc_t or udev_etc_t) Next to enhancing the interfaces, we provide additional ones that will be used by the init script (for udev) which needs to create and support the new /run/udev locations. Signed-off-by: Sven Vermeulen
---
policy/modules/system/udev.if | 74 ++++++++++++++++++++++++++++++++++++++++-
1 files changed, 73 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 025348a..401d818 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -146,6 +146,10 @@ interface(`udev_manage_rules_files',`
 ')
 manage_files_pattern($1, udev_rules_t, udev_rules_t)
+
+ files_search_etc($1)
+
+ udev_search_pids($1)
 ')
 ########################################
@@ -187,10 +191,16 @@ interface(`udev_read_db',`
 type udev_tbl_t;
 ')
- dev_list_all_dev_nodes($1)
 allow $1 udev_tbl_t:dir list_dir_perms;
+ read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+
+ dev_list_all_dev_nodes($1)
+
+ files_search_etc($1)
+
+ udev_search_pids($1)
 ')
 ########################################
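Review bot: In udev_manage_rules_files the added `udev_search_pids($1)` only grants search on udev_var_run_t, so a caller can manage rules under /run/udev/rules.d only if that directory and its files actually carry udev_rules_t there; nothing in this hunk (a file context entry or a filetrans from udev_var_run_t) establishes that, so on a default-labelled /run/udev the manage rules would still be denied. The same applies to the second hunk, udev_read_db, where read access is granted on udev_tbl_t while the new search permission is on udev_var_run_t, so a database kept under /run/udev is readable through this interface only if it is labelled udev_tbl_t. If a later patch of the series handles the /run/udev labelling, a sentence in the commit message naming it would make the dependency explicit; otherwise the interfaces should be paired with the corresponding fc or filetrans rules. Moving dev_list_all_dev_nodes after the udev_tbl_t rules in udev_read_db is purely cosmetic and fine.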
@@ -214,6 +224,68 @@ interface(`udev_rw_db',`
 ########################################
 ##
+## Search through udev pid content
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_search_pids',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+##
+## Create directories in the run location with udev_var_run_t type
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Name of the directory that is created
+##
+##
+#
+interface(`udev_generic_pid_filetrans_run_dirs',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_pid_filetrans($1, udev_var_run_t, dir, $2)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## udev pid directories
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_manage_pid_dirs',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+########################################
+##
 ## Create, read, write, and delete
 ## udev pid files.
 ##
-- 1.7.8.6
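Review bot: udev_manage_pid_dirs calls `files_search_var($1)`, which grants search on var_t only, while the udev_var_run_t directories it manages live under /run (var_run_t); the sibling udev_search_pids added in the same hunk correctly uses `files_search_pids($1)`, and this interface should do the same, i.e. replace the line with `files_search_pids($1)`, unless it is deliberately mirroring the existing udev_manage_pid_files interface that starts below the hunk. For udev_generic_pid_filetrans_run_dirs, the parameter summary for `$2` should say that the name must match the directory's basename exactly and that the transition alone does not grant create on udev_var_run_t:dir, so a caller needs udev_manage_pid_dirs (or equivalent) as well; something like `## Basename of the directory; caller also needs create access on udev_var_run_t dirs.` As a point of style, the name udev_generic_pid_filetrans_run_dirs is longer than the refpolicy pattern used elsewhere for filetrans interfaces, and a shorter name such as one ending in _pid_filetrans would read more consistently.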