
Commit 2f00750

device (#939)
* device-related patches Signed-off-by: Russell Coker <[email protected]>
1 parent 1daa35b commit 2f00750

3 files changed

+25
-1
lines changed


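--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -102,6 +102,7 @@ dev_getattr_mtrr_dev(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
+dev_rw_lvm_control(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
 
 domain_getattr_all_pipes(devicekit_disk_t)
@@ -116,6 +117,7 @@ files_getattr_all_files(devicekit_disk_t)
 files_getattr_all_pipes(devicekit_disk_t)
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
+files_mounton_mnt(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
 files_read_usr_files(devicekit_disk_t)
 files_watch_etc_dirs(devicekit_disk_t)
@@ -131,6 +133,9 @@ mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 
 mount_rw_runtime_files(devicekit_disk_t)
+mount_watch_runtime_dirs(devicekit_disk_t)
+mount_watch_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files_reads(devicekit_disk_t)
 
 storage_raw_read_fixed_disk(devicekit_disk_t)
 storage_raw_write_fixed_disk(devicekit_disk_t)
@@ -204,7 +209,7 @@ optional_policy(`
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
 allow devicekit_power_t self:capability2 wake_alarm;
-allow devicekit_power_t self:process { getsched signal_perms };
+allow devicekit_power_t self:process { getsched setsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:unix_stream_socket create_socket_perms;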
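Review bot: The first and second hunks give devicekit_disk_t read/write access to the LVM control node (`dev_rw_lvm_control`) and mounton on mnt_t (`files_mounton_mnt`) with no rationale beyond the commit message "device related patches", which makes a later audit of why an unprivileged-looking disk helper can drive LVM impossible. These two grants are materially broader than the watch permissions in the third hunk and the self-only `setsched` in the fourth, so a one-line comment above each naming the triggering denial or the feature that needs it — for example `# <DENIAL OR FEATURE THAT REQUIRES LVM CONTROL ACCESS>` as a placeholder to be filled in — would be worth adding. The devicekit_disk_t and devicekit_power_t rule groups continue outside the hunks.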

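--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -273,6 +273,24 @@ interface(`mount_watch_reads_runtime_files',`
 allow $1 mount_runtime_t:file watch_reads;
 ')
 
+########################################
+## <summary>
+## Watch mount runtime files reads.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files_reads',`
+gen_require(`
+type mount_runtime_t;
+')
+
+allow $1 mount_runtime_t:file watch_reads;
+')
+
 ########################################
 ## <summary>
 ## Getattr on mount_runtime_t files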
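Review bot: The new interface `mount_watch_runtime_files_reads` (new lines 286–292) is a functional duplicate of the existing `mount_watch_reads_runtime_files` that the hunk header and context lines 273–274 show immediately above it — both bodies reduce to `allow $1 mount_runtime_t:file watch_reads;` — so the module now exports two names for one rule and they can silently diverge on later edits. Unless a naming migration is intended, the simpler fix is to drop the new interface and have the devicekit.te caller use `mount_watch_reads_runtime_files(devicekit_disk_t)`; if the rename is deliberate, the old interface should instead be reduced to a `refpolicywarn` deprecation shim that calls the new one. The `mount_watch_runtime_dirs` and `mount_watch_runtime_files` interfaces that devicekit.te also calls are not visible in this hunk, so I cannot tell which naming pattern the rest of the file follows.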

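--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -109,6 +109,7 @@ kernel_read_fs_sysctls(udev_t)
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
+kernel_read_psi(udev_t)
 kernel_read_software_raid_state(udev_t)
 kernel_dontaudit_search_unlabeled(udev_t)
 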
