From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 05:18:07 +0200
Subject: [refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's
Message-ID: <20170911031807.3980-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Note that not only kmod needs this permission, other libkmod consumers like udev require it, too. Hence I'm adding the permission to the relevant interfaces.
---
 policy/modules/system/modutils.if | 4 ++--
 policy/modules/system/modutils.te | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index d6b92ba4..e9ee3c29 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
 ')
 files_list_kernel_modules($1)
- allow $1 modules_dep_t:file read_file_perms;
+ allow $1 modules_dep_t:file { read_file_perms map };
 ')
 ########################################
@@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
 ')
 files_list_kernel_modules($1)
- allow $1 modules_object_t:file read_file_perms;
+ allow $1 modules_object_t:file { read_file_perms map };
 ')
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7cc6985d..70efffc1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
 manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
+allow kmod_t modules_dep_t:file map;
 filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t modules_object_t:file map;
 can_exec(kmod_t, kmod_exec_t)
-- 
2.14.1
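Review bot: Adding `map` inside `modutils_read_module_deps` (and identically inside `modutils_read_module_objects` in the second hunk) hands mmap to every domain that calls these read interfaces, not only the libkmod consumers the description names. `map` is checked separately from `read` because an established mapping is not revalidated on later accesses, so the grant should stay visible in the interface contract. Both interface headers start above their hunks; their summary text should be updated to something like `Read and mmap the dependencies of kernel modules.` so a caller knows what it is getting. A domain that only needs to read these files without mapping them now has no narrower interface to call.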
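Review bot: The two added `allow kmod_t ...:file map;` rules in modutils.te carry no comment. The second one sits directly after `filetrans_add_pattern`/`create_files_pattern`/`delete_files_pattern` lines whose file type is `modules_dep_t`, which suggests a relation to those rules that it does not have. A one-line comment such as `# libkmod mmap()s modules.dep and the *.ko files` above each rule would record why `map` is needed. No rule giving kmod_t read access to `modules_object_t` files is visible in this hunk. It presumably comes from elsewhere in the file, and the `map` rule would read better placed next to it.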