From: russell@coker.com.au (Russell Coker)
Date: Mon, 6 Feb 2017 15:56:14 +1100
Subject: [refpolicy]  [PATCH] systemd-tmpfiles kmod
Message-ID: <20170206045614.k2x7xppoxjvhkh2k@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch allows systemd-tmpfiles to read a generated config file.

It's been in Debian for a over 2 years and it's the last Debian patch related
to kmod.

Description: Allow systemd-tmpfiles to read a generated config file
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-02-06

Index: refpolicy-2.20170204/policy/modules/system/modutils.if
===================================================================
--- refpolicy-2.20170204.orig/policy/modules/system/modutils.if
+++ refpolicy-2.20170204/policy/modules/system/modutils.if
@@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',`
 	corecmd_search_bin($1)
 	can_exec($1, update_modules_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read kmod_var_run_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_var_run_files',`
+	gen_require(`
+		type kmod_var_run_t;
+	')
+
+	allow $1 kmod_var_run_t:file read_file_perms;
+')
Index: refpolicy-2.20170204/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170204.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170204/policy/modules/system/systemd.te
@@ -714,6 +714,9 @@ userdom_relabel_user_runtime_root_dirs(s
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
 
+# for /run/tmpfiles.d/kmod.conf
+modutils_var_run_files(systemd_tmpfiles_t)
+
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)