From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 05:18:07 +0200
Subject: [refpolicy] [PATCH] modutils: libkmod mmap()s modules.dep and *.ko's
Message-ID: <20170911031807.3980-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Note that not only kmod needs this permission, other libkmod consumers
like udev require it, too. Hence I'm adding the permission to the
relevant interfaces.
---
 policy/modules/system/modutils.if | 4 ++--
 policy/modules/system/modutils.te | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index d6b92ba4..e9ee3c29 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -34,7 +34,7 @@ interface(`modutils_read_module_deps',`
 	')
 
 	files_list_kernel_modules($1)
-	allow $1 modules_dep_t:file read_file_perms;
+	allow $1 modules_dep_t:file { read_file_perms map };
 ')
 
 ########################################
@@ -53,7 +53,7 @@ interface(`modutils_read_module_objects',`
 	')
 
 	files_list_kernel_modules($1)
-	allow $1 modules_object_t:file read_file_perms;
+	allow $1 modules_object_t:file { read_file_perms map };
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7cc6985d..70efffc1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -46,9 +46,11 @@ list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
 read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
 list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
 manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
+allow kmod_t modules_dep_t:file map;
 filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t modules_object_t:file map;
 
 can_exec(kmod_t, kmod_exec_t)
 
-- 
2.14.1