From 99f967d3b5f5241bd687c69510e0fa44375a4548 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 15 Mar 2019 16:40:23 -0400
Subject: [PATCH] udev: Drop write by udev to its executable.

This removes one vector for arbitrary code execution if udev is compromised.

Signed-off-by: Chris PeBenito
---
 policy/modules/system/udev.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6190a46d3..134ea86ab 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -66,7 +66,6 @@ allow udev_t self:rawip_socket create_socket_perms;
 # for systemd-udevd to rename interfaces
 allow udev_t self:netlink_route_socket nlmsg_write;
-allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
 allow udev_t udev_helper_exec_t:dir list_dir_perms;