RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

udev: Drop write by udev to its executable. 

This removes one vector for arbitrary code execution if udev is
compromised.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
This commit is contained in:
Chris PeBenito 2019-03-15 16:40:23 -04:00
parent 40bf663090
commit 99f967d3b5
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/system/udev.te
View File

@ -66,7 +66,6 @@ allow udev_t self:rawip_socket create_socket_perms;
# for systemd-udevd to rename interfaces # for systemd-udevd to rename interfaces
allow udev_t self:netlink_route_socket nlmsg_write; allow udev_t self:netlink_route_socket nlmsg_write;
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t) can_exec(udev_t, udev_exec_t)
allow udev_t udev_helper_exec_t:dir list_dir_perms; allow udev_t udev_helper_exec_t:dir list_dir_perms;