From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1407858427.8091d5f27c3715d4165980bee51d7652837a97a7.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/tmpfiles.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 8091d5f27c3715d4165980bee51d7652837a97a7 X-VCS-Branch: master Date: Tue, 12 Aug 2014 17:12:08 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: b343f387-cc92-43ba-a6a5-a7b81ea77b2a X-Archives-Hash: 88618847cc2e673817b389b9efe758d2 commit: 8091d5f27c3715d4165980bee51d7652837a97a7 Author: Jason Zaman perfinion com> AuthorDate: Tue Aug 12 15:47:07 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Tue Aug 12 15:47:07 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8091d5f2 tmpfiles on gentoo needs a few extra perms currently tmpfiles.sh runs mknod which creates device_t and is relabelled afterwards. --- policy/modules/system/tmpfiles.te | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te index de92477..49445de 100644 --- a/policy/modules/system/tmpfiles.te +++ b/policy/modules/system/tmpfiles.te @@ -32,7 +32,7 @@ files_pid_file(tmpfiles_var_run_t) # allow tmpfiles_t self:capability { mknod chown fowner fsetid }; -allow tmpfiles_t self:process getsched; +allow tmpfiles_t self:process { getsched setfscreate }; allow tmpfiles_t self:fifo_file rw_fifo_file_perms; allow tmpfiles_t self:unix_dgram_socket create_socket_perms; 
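Review bot: in the first hunk, `setfscreate` is added to the generic `allow tmpfiles_t self:process` rule, outside the `ifdef(`distro_gentoo',` block, even though the commit message describes a Gentoo-only need (tmpfiles.sh running mknod). Either move it into the Gentoo block next to the new `dev_create_generic_*` calls, or say in the commit message why upstream tmpfiles needs it too. The message also does not state which step needs setfscreate: the flow it describes (mknod creating device_t, relabel afterwards) is already covered by the create and relabel interfaces, so naming the operation that triggers it (the AVC denial line would do) would justify the permission.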
@@ -55,6 +55,7 @@ dev_getattr_generic_chr_files(tmpfiles_t) dev_relabel_all_dev_nodes(tmpfiles_t) dev_relabel_generic_dev_dirs(tmpfiles_t) dev_relabelfrom_generic_chr_files(tmpfiles_t) +dev_setattr_all_blk_files(tmpfiles_t) dev_setattr_all_chr_files(tmpfiles_t) dev_setattr_generic_dirs(tmpfiles_t) @@ -92,6 +93,8 @@ ifdef(`distro_gentoo',` dev_create_generic_dirs(tmpfiles_t) # Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs dev_rw_generic_chr_files(tmpfiles_t) + dev_create_generic_chr_files(tmpfiles_t) + dev_create_generic_blk_files(tmpfiles_t) init_relabelto_script_state(tmpfiles_t) ')
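Review bot: `dev_setattr_all_blk_files(tmpfiles_t)` in the second hunk is placed in the distribution-independent section, while the matching `dev_create_generic_blk_files(tmpfiles_t)` goes into the `distro_gentoo` block. If block device setattr is only needed for the Gentoo mknod path, it belongs in the same `ifdef` block; if it is a general requirement, the commit message should say so, since setattr on all block device types is a broad grant.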
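Review bot: in the third hunk the existing comment "# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs" now also sits above `dev_create_generic_chr_files` and `dev_create_generic_blk_files`, but it only explains the read/write line. Extend the comment with the reason given in the commit message, e.g. `# tmpfiles.sh creates device nodes with mknod; they land as device_t and are relabelled afterwards`, so the next reader knows why tmpfiles_t may create generic device nodes rather than only access them.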