From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1345019785.23bce36578a8464620e6a8b98f142fd4c8bca90c.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/udev.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 23bce36578a8464620e6a8b98f142fd4c8bca90c
X-VCS-Branch: master
Date: Wed, 15 Aug 2012 13:04:00 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 89de9c60-0616-4bc9-b945-27bc2252dc02
X-Archives-Hash: dcfea98a5f88e4dfc94513ff739e67c5

commit: 23bce36578a8464620e6a8b98f142fd4c8bca90c
Author: Sven Vermeulen siphos be>
AuthorDate: Wed Aug 15 08:36:25 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Wed Aug 15 08:36:25 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23bce365

Allow udev to load in kernel modules

As per bug #427660, udev might need to load in kernel modules itself. This
requires not only the sys_module capability (offered through
kernel_load_module) but also read rights on the module-related files
(files_read_kernel_modules and modutils_read_module_config).

--- policy/modules/system/udev.te | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index d6a107a..60e7aa9 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
@@ -80,6 +80,7 @@ files_pid_filetrans(udev_t, udev_var_run_t, { dir file }) kernel_dgram_send(udev_t) kernel_getattr_core_if(udev_t) +kernel_load_module(udev_t) kernel_read_device_sysctls(udev_t) kernel_read_hotplug_sysctls(udev_t) kernel_read_kernel_sysctls(udev_t) @@ -116,6 +117,7 @@ files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) files_read_etc_files(udev_t) files_read_etc_runtime_files(udev_t) +files_read_kernel_modules(udev_t) files_read_usr_files(udev_t) files_dontaudit_search_isid_type_dirs(udev_t) files_search_mnt(udev_t) @@ -155,6 +157,7 @@ miscfiles_read_localization(udev_t) miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) +modutils_read_module_config(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t)
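
Review bot: In the first hunk (@@ -80,6 +80,7 @@), kernel_load_module(udev_t) gives udev_t the sys_module capability unconditionally, although the context of the third hunk shows that udev_t already has modutils_domtrans_insmod(udev_t) for loading modules through the insmod domain. The commit message only says udev "might need" to load modules itself, so a comment above the new line stating why the domain transition is not sufficient (with the bug number, #427660) would let a later reader tell this direct grant apart from a leftover and revisit it if udev stops loading modules in-process.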
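
Review bot: In the third hunk (@@ -155,6 +157,7 @@), the new modutils_read_module_config(udev_t) line carries no comment, while modutils_read_module_deps(udev_t) two lines below it is documented with "# read modules.inputmap:". A one-line comment in the same style, for example "# udev loads kernel modules itself (bug #427660)", would keep the block consistent and record why udev_t needs to read the module configuration in addition to the module dependencies.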