Add interface to read efivarfs_t directory

I'm seeing the following denial when using 'efivars --list'. This interface grants access 2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc: denied { read } for pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-12-17 23:34:25 +00:00 · 2019-12-17 23:34:25 +00:00 · 99a7c5c197
parent 335d9425c0
commit 99a7c5c197
1 changed files with 18 additions and 0 deletions
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@ -1982,6 +1982,24 @@ interface(`fs_manage_dos_files',`
 	manage_files_pattern($1, dosfs_t, dosfs_t)
 ')

+########################################
+## <summary>
+##	List dirs in efivarfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_efivars',`
+	gen_require(`
+		type efivarfs_t;
+	')
+
+	list_dirs_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 #######################################
 ## <summary>
 ##      Read files in efivarfs