From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1380288147.666884f7ec55dda866841340b14c77e013c41d7c.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/udev.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 666884f7ec55dda866841340b14c77e013c41d7c
X-VCS-Branch: master
Date: Fri, 27 Sep 2013 13:27:25 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     666884f7ec55dda866841340b14c77e013c41d7c
Author:     Dominick Grift gmail com>
AuthorDate: Tue Sep 24 13:40:29 2013 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Fri Sep 27 13:22:27 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=666884f7

udev: This is specific to debian I think.

Somehow the /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain. The script basically does what the name suggests, and additionally it needs to be able to stop and start avahi-daemon via its init script.

Signed-off-by: Dominick Grift gmail.com>

---
 policy/modules/system/udev.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f2344a1..80dc84e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -179,6 +179,16 @@ userdom_dontaudit_search_user_home_content(udev_t) udev_pid_filetrans_db(udev_t, dir, "data") +ifdef(`distro_debian',` + optional_policy(` + kernel_read_vm_sysctls(udev_t) + corenet_udp_bind_generic_node(udev_t) + miscfiles_read_generic_certs(udev_t) + avahi_initrc_domtrans(udev_t) + avahi_manage_pid_files(udev_t) + ') +') + ifdef(`distro_gentoo',` allow udev_t self:capability2 block_suspend;
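Review bot: the optional_policy block in this hunk wraps three interfaces that do not belong to the avahi module: kernel_read_vm_sysctls, corenet_udp_bind_generic_node and miscfiles_read_generic_certs come from base modules (kernel, corenet, miscfiles), so in refpolicy style they belong directly under ifdef(`distro_debian',` and only avahi_initrc_domtrans and avahi_manage_pid_files should stay inside optional_policy. A comment explaining why udev_t needs a UDP bind on generic nodes and read access to generic certificates would also help, since the commit message only accounts for the init-script transition and PID file handling; note that these rules widen the whole udev_t domain on every Debian build, not just the avahi-daemon-check-dns.sh script, so if the script can be given its own domain (the message says it lands in udev_t only incidentally) that would be the tighter fix.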