[selinux-policy: 34/3172] insmod can be run directly from kernel; fix update_modules errors

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:07:53 UTC 2010


commit 1f7b37c585b6d6917ff2cabe70d92b95733b4f9c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Apr 21 21:35:45 2005 +0000

    insmod can be run directly from kernel; fix update_modules errors

 refpolicy/policy/modules/system/modutils.te |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 0a01207..3e9a620 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -56,6 +56,8 @@ allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 allow insmod_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 allow insmod_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
 
+kernel_transition_from(insmod_t,insmod_exec_t)
+
 kernel_load_module(insmod_t)
 
 # Rules for /proc/sys/kernel/tainted
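Review bot: The added `kernel_transition_from(insmod_t,insmod_exec_t)` has no comment saying when the kernel executes the module tools, yet it is the line that lets kernel-initiated execs enter a domain that also holds `kernel_load_module(insmod_t)`. I would put something like `# the kernel may exec insmod/modprobe directly, so enter insmod_t from the kernel domain` above it. Because the entrypoint is anything labelled `insmod_exec_t`, it is worth confirming in the file-context definitions (not shown here) that only the module-loading binaries carry that type. The insmod_t rule section continues outside this hunk.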
@@ -232,11 +234,11 @@ terminal_use_controlling_terminal(update_modules_t)
 
 files_read_runtime_system_config(update_modules_t)
 files_read_general_system_config(update_modules_t)
-files_execute_system_config_script(insmod_t)
+files_execute_system_config_script(update_modules_t)
 
-corecommands_execute_general_programs(insmod_t)
-corecommands_execute_system_programs(insmod_t)
-corecommands_execute_shell(insmod_t)
+corecommands_execute_general_programs(update_modules_t)
+corecommands_execute_system_programs(update_modules_t)
+corecommands_execute_shell(update_modules_t)
 
 libraries_use_dynamic_loader(update_modules_t)
 libraries_read_shared_libraries(update_modules_t)
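Review bot: The `files_execute_system_config_script` and three `corecommands_execute_*` grants now given to update_modules_t carry no comment on what the script actually runs, and together they allow executing the shell plus general and system programs. Judging by the interface names alone these look like execute-in-place grants rather than transitions, so whatever is run would stay in update_modules_t; that should be confirmed against the interface definitions. A line such as `# update-modules runs the shell and helper programs in its own domain` above the group would record the intent. Since the same grants are dropped for insmod_t, also check that insmod_t's own section (outside this hunk) still allows shell execution if modprobe needs it for configured commands.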

