From: russell@coker.com.au (Russell Coker)
Date: Mon, 6 Feb 2017 15:56:14 +1100
Subject: [refpolicy] [PATCH] systemd-tmpfiles kmod
Message-ID: <20170206045614.k2x7xppoxjvhkh2k@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch allows systemd-tmpfiles to read a generated config file. It's been in Debian for over 2 years and it's the last Debian patch related to kmod.

Description: Allow systemd-tmpfiles to read a generated config file
Author: Russell Coker
Last-Update: 2017-02-06

Index: refpolicy-2.20170204/policy/modules/system/modutils.if =================================================================== --- refpolicy-2.20170204.orig/policy/modules/system/modutils.if +++ refpolicy-2.20170204/policy/modules/system/modutils.if @@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') + +######################################## +## +## Read kmod_var_run_t +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_var_run_files',` + gen_require(` + type kmod_var_run_t; + ') + + allow $1 kmod_var_run_t:file read_file_perms; +') Index: refpolicy-2.20170204/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20170204.orig/policy/modules/system/systemd.te +++ refpolicy-2.20170204/policy/modules/system/systemd.te @@ -714,6 +714,9 @@ userdom_relabel_user_runtime_root_dirs(s kernel_read_kernel_sysctls(systemd_tmpfiles_t) kernel_read_network_state(systemd_tmpfiles_t) +# for /run/tmpfiles.d/kmod.conf +modutils_var_run_files(systemd_tmpfiles_t) + dev_relabel_all_sysfs(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) dev_manage_all_dev_nodes(systemd_tmpfiles_t)
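Review bot: In the modutils.if hunk the new interface name `modutils_var_run_files` omits the access verb that refpolicy interface names carry (compare the neighbouring `modutils_exec_update_mods`, and the `kernel_read_kernel_sysctls` / `dev_read_urand` calls in the systemd.te context); since the body only grants `allow $1 kmod_var_run_t:file read_file_perms;`, it should be named `modutils_read_var_run_files` so the name states what it permits. Two smaller points on the same hunk: the summary line "Read kmod_var_run_t" should describe the object in words (e.g. "Read kmod runtime files"), as this text is what ends up in the generated interface documentation, and the interface grants only file-level read permission, so a caller reaching a file under /run still needs search permission on the directories leading to it; please check that the interface includes the directory search the other refpolicy runtime-file read interfaces provide rather than relying on each caller to add it.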
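Review bot: In the systemd.te hunk the new call is inserted between the `kernel_read_network_state(systemd_tmpfiles_t)` and `dev_relabel_all_sysfs(systemd_tmpfiles_t)` lines, which breaks the ordering refpolicy uses within a domain's rules (kernel_* calls first, then the remaining interface calls in alphabetical order by module); a `modutils_*` call belongs after the `dev_*` block, in its alphabetical position. The `# for /run/tmpfiles.d/kmod.conf` comment is useful and should move with the call; if the interface is renamed to carry its access verb, the call here must be renamed to match.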