From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 7 Feb 2017 18:55:26 -0500
Subject: [refpolicy] [PATCH] systemd-tmpfiles kmod
In-Reply-To: <20170206045614.k2x7xppoxjvhkh2k@athena.coker.com.au>
References: <20170206045614.k2x7xppoxjvhkh2k@athena.coker.com.au>
Message-ID: <85c16020-bcaa-4e6c-3b84-7d97e3cafa03@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/05/17 23:56, Russell Coker via refpolicy wrote:
> The following patch allows systemd-tmpfiles to read a generated config file.
>
> It's been in Debian for over 2 years and it's the last Debian patch related
> to kmod.
>
> Description: Allow systemd-tmpfiles to read a generated config file
> Author: Russell Coker
> Last-Update: 2017-02-06
>
> Index: refpolicy-2.20170204/policy/modules/system/modutils.if > =================================================================== > --- refpolicy-2.20170204.orig/policy/modules/system/modutils.if > +++ refpolicy-2.20170204/policy/modules/system/modutils.if > @@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',` > corecmd_search_bin($1) > can_exec($1, update_modules_exec_t) > ') > + > +######################################## > +## > +## Read kmod_var_run_t > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`modutils_var_run_files',` > + gen_require(` > + type kmod_var_run_t; > + ') > + > + allow $1 kmod_var_run_t:file read_file_perms; > +') > Index: refpolicy-2.20170204/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20170204.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20170204/policy/modules/system/systemd.te
> @@ -714,6 +714,9 @@ userdom_relabel_user_runtime_root_dirs(s > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > kernel_read_network_state(systemd_tmpfiles_t) > > +# for /run/tmpfiles.d/kmod.conf > +modutils_var_run_files(systemd_tmpfiles_t) > + > dev_relabel_all_sysfs(systemd_tmpfiles_t) > dev_read_urand(systemd_tmpfiles_t) > dev_manage_all_dev_nodes(systemd_tmpfiles_t)

Merged, though I renamed the interface.

-- 
Chris PeBenito
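Review bot: in the modutils.if hunk, the new interface grants only `allow $1 kmod_var_run_t:file read_file_perms;` and no search permission on the directory holding those files, which the systemd.te hunk's comment places under /run/tmpfiles.d; the other refpolicy read interfaces for runtime files pair the file rule with `files_search_pids($1)` so a caller can actually reach the file, and this one should do the same rather than rely on the caller already having it. The name `modutils_var_run_files` also does not say which access is granted; refpolicy interface names carry the verb (something like `modutils_read_kmod_var_run_files`), and the summary `Read kmod_var_run_t` should describe the files in words (kmod runtime files) rather than repeat the type name.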
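Review bot: in the systemd.te hunk, the placement of `modutils_var_run_files(systemd_tmpfiles_t)` between the `kernel_*` and `dev_*` calls breaks the ordering convention for .te files, where the kernel-layer calls (`kernel_*`, `dev_*`, `files_*`, ...) come first and calls into other modules follow alphabetically by module; the call and its `# for /run/tmpfiles.d/kmod.conf` comment should move below the `dev_*` block next to the other system-layer calls. Since the comment describes a generated file and the patch adds no file context for it, it is also worth confirming that the generator labels /run/tmpfiles.d/kmod.conf as kmod_var_run_t, otherwise the new rule never matches.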