[selinux-policy: 2631/3172] modutils patch for update-modules

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:53:57 UTC 2010


commit 194d61fd3c962abe143ee24f91e4c8cbf4745133
Author: Chris Richards <gizmo at giz-works.com>
Date:   Fri Apr 16 06:29:26 2010 +0000

    modutils patch for update-modules
    
    update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set the SOFTLEVEL environment variable.  That variable is never used by update-modules.
    
    Signed-off-by: Chris Richards <gizmo at giz-works.com>
    Signed-off-by: Chris PeBenito <pebenito at gentoo.org>

 policy/modules/kernel/files.if    |   20 ++++++++++++++++++++
 policy/modules/system/modutils.te |    2 ++
 2 files changed, 22 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2dd4e3c..9adeea4 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search the
+##	contents of /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_lib',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	dontaudit $1 var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List the contents of the /var/lib directory.
 ## </summary>
 ## <param name="domain">
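Review bot: The `<infoflow type="read" weight="5"/>` annotation on the new files_dontaudit_search_var_lib interface describes an access the interface does not grant; a dontaudit rule only suppresses AVC denial logging and creates no information flow, so the refpolicy convention for dontaudit interfaces is `## <infoflow type="none"/>`. As written, tooling that derives flow graphs from these tags would report a read flow from var_lib_t into the calling domain that does not exist. The summary text and the dontaudit rule itself are consistent with each other.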
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fb0dea9..2e1cdf1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -303,6 +303,8 @@ ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
 	files_getattr_usr_src_files(update_modules_t)
 	files_list_isid_type_dirs(update_modules_t) # /var
+	files_dontaudit_search_var_lib(update_modules_t)
+	init_dontaudit_read_script_status_files(update_modules_t)
 
 	optional_policy(`
 		consoletype_exec(update_modules_t)
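Review bot: The two new dontaudit calls carry their rationale only in the commit message; a reader of modutils.te sees denial suppression for /var/lib and init script status files with no hint why that access is known to be unneeded. The line above already uses a trailing comment (`# /var`), so the same style fits here: `files_dontaudit_search_var_lib(update_modules_t) # functions.sh scans /var/lib/init.d` and `init_dontaudit_read_script_status_files(update_modules_t) # for SOFTLEVEL, unused here`. dontaudit does not grant the access, so if the symptom is update-modules' own error output rather than the AVC messages, these rules will not change it; worth confirming on a Gentoo host. The enclosing distro_gentoo ifdef block starts and ends outside the hunk.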

