From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 7 Aug 2014 20:05:38 +0200 Subject: [refpolicy] [PATCH 5/5] Give kmod access to tmpfiles In-Reply-To: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be> References: <1407434738-11937-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1407434738-11937-6-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Upon boot, the kmod application (running as insmod_t) can generate a tmpfiles configuration file to allow tmpfiles to relabel and set the required static device nodes for the kernel: kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf This requires the insmod_t domain to have create/write privileges towards the /run/tmpfiles.d location. Signed-off-by: Jason Zaman Signed-off-by: Sven Vermeulen --- policy/modules/system/modutils.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 59ecb2b..dde3f02 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -228,6 +228,11 @@ optional_policy(` ') optional_policy(` + tmpfiles_create_var_run_files(insmod_t) + tmpfiles_write_var_run_files(insmod_t) +') + +optional_policy(` unconfined_domain(insmod_t) unconfined_dontaudit_rw_pipes(insmod_t) ') -- 1.8.5.5
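Review bot: the new optional_policy block in policy/modules/system/modutils.te (the tmpfiles_create_var_run_files and tmpfiles_write_var_run_files calls for insmod_t) has no comment explaining why the module loader domain needs to create and write tmpfiles runtime configuration. Add a one-line comment above the two calls naming the case from the commit message (kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf), so that anyone auditing insmod_t later can tie the grant to its single consumer. It is also worth confirming in review that create plus write on the tmpfiles runtime files as a whole is the narrowest fit: per the commit message insmod_t only has to produce one file, kmod.conf, and tmpfiles acts on that location's contents to relabel and set up device nodes, so any other file insmod_t could write there is processed with the same trust.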