2016-12-23 01:15:14

by guido

Subject: [refpolicy] [PATCH] modutils: update to run in confined mode

Update the modutils module so that it can run in confined
mode instead of unconfined mode.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/files.if | 1 +
policy/modules/system/modutils.te | 10 ++--------
2 files changed, 3 insertions(+), 8 deletions(-)

--- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
+++ b/policy/modules/kernel/files.if 2016-12-23 01:55:46.667538808 +0100
@@ -4100,6 +4231,7 @@ interface(`files_manage_kernel_modules',
type modules_object_t;
')

+ allow $1 modules_object_t:dir rw_dir_perms;
manage_files_pattern($1, modules_object_t, modules_object_t)
')
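Review bot: the added `allow $1 modules_object_t:dir rw_dir_perms;` duplicates what the following line already grants: `manage_files_pattern($1, modules_object_t, modules_object_t)` expands to `allow $1 modules_object_t:dir rw_dir_perms;` plus `allow $1 modules_object_t:file manage_file_perms;`, so the interface body is unchanged in effect and the extra line should be dropped. Separately, the hunk header `@@ -4100,6 +4231,7 @@` places the same context 131 lines apart in the old and new trees, which suggests the patch was generated against a files.if that differs from the stated base and may need rebasing before it applies cleanly.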

--- a/policy/modules/system/modutils.te 2016-12-07 13:39:08.671449319 +0100
+++ b/policy/modules/system/modutils.te 2016-12-23 02:00:51.313120132 +0100
@@ -89,8 +89,8 @@ files_read_usr_files(kmod_t)
files_exec_etc_files(kmod_t)
# for nscd:
files_dontaudit_search_pids(kmod_t)
-# for locking: (cjp: ????)
-files_write_kernel_modules(kmod_t)
+# to manage modules.dep
+files_manage_kernel_modules(kmod_t)

fs_getattr_xattr_fs(kmod_t)
fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
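Review bot: the new comment `# to manage modules.dep` understates what `files_manage_kernel_modules(kmod_t)` grants: manage permissions (create, write, rename, unlink) on every file of type modules_object_t, i.e. the .ko files under the modules directory as well as the depmod output (modules.dep, modules.alias, modules.symbols and their .bin variants). That is the right set if the intent is to let depmod create and rename its index files rather than overwrite them in place, but the comment should say so, e.g. `# depmod rewrites modules.dep and the other module index files`, so the next reader does not assume a single file is involved. Replacing `files_write_kernel_modules(kmod_t)` outright rather than keeping it alongside is fine, since manage subsumes write and the `(cjp: ????)` question it carried is answered by the new justification.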
@@ -166,12 +166,6 @@ optional_policy(`
')

optional_policy(`
- unconfined_domain(kmod_t)
- unconfined_dontaudit_rw_pipes(kmod_t)
- unconfined_domtrans_to(kmod_t, kmod_exec_t)
-')
-
-optional_policy(`
# cjp: why is this needed:
dev_rw_xserver_misc(kmod_t)
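Review bot: removing this `optional_policy` block drops `unconfined_domtrans_to(kmod_t, kmod_exec_t)` together with `unconfined_domain(kmod_t)`, so nothing in the hunk replaces the transition from the unconfined domain into kmod_t on execution of kmod_exec_t; unless another rule supplies it, unconfined users running modprobe would stay in their own domain instead of entering the newly confined one, and the commit message should say where that transition now comes from (or the hunk should keep a domtrans rule). Since kmod_t also loses every permission it implicitly held through `unconfined_domain`, the change should be validated with dontaudit rules disabled (`semodule -DB`) across a full boot plus modprobe, depmod and insmod runs, and each resulting AVC denial either added as an explicit rule or justified; the hunk context shown gives no indication this was done.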



2016-12-27 15:53:03

by Chris PeBenito

Subject: [refpolicy] [PATCH] modutils: update to run in confined mode

On 12/22/16 20:15, Guido Trentalancia via refpolicy wrote:
> Update the modutils module so that it can run in confined
> mode instead of unconfined mode.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/files.if | 1 +
> policy/modules/system/modutils.te | 10 ++--------
> 2 files changed, 3 insertions(+), 8 deletions(-)
>
> --- a/policy/modules/kernel/files.if 2016-08-30 13:58:35.862542184 +0200
> +++ b/policy/modules/kernel/files.if 2016-12-23 01:55:46.667538808 +0100
> @@ -4100,6 +4231,7 @@ interface(`files_manage_kernel_modules',
> type modules_object_t;
> ')
>
> + allow $1 modules_object_t:dir rw_dir_perms;
> manage_files_pattern($1, modules_object_t, modules_object_t)
> ')
>
> --- a/policy/modules/system/modutils.te 2016-12-07 13:39:08.671449319 +0100
> +++ b/policy/modules/system/modutils.te 2016-12-23 02:00:51.313120132 +0100
> @@ -89,8 +89,8 @@ files_read_usr_files(kmod_t)
> files_exec_etc_files(kmod_t)
> # for nscd:
> files_dontaudit_search_pids(kmod_t)
> -# for locking: (cjp: ????)
> -files_write_kernel_modules(kmod_t)
> +# to manage modules.dep
> +files_manage_kernel_modules(kmod_t)
>
> fs_getattr_xattr_fs(kmod_t)
> fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> @@ -166,12 +166,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - unconfined_domain(kmod_t)
> - unconfined_dontaudit_rw_pipes(kmod_t)
> - unconfined_domtrans_to(kmod_t, kmod_exec_t)
> -')
> -
> -optional_policy(`
> # cjp: why is this needed:
> dev_rw_xserver_misc(kmod_t)

Merged.

--
Chris PeBenito