devices, userdomain: dontaudit userdomain setattr on null device nodes

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2021-03-11 23:01:38 -05:00
parent f137b5cdcc
commit d91bef2d24
2 changed files with 20 additions and 0 deletions


@ -3391,6 +3391,25 @@ interface(`dev_setattr_null_dev',`
setattr_chr_files_pattern($1, device_t, null_device_t) setattr_chr_files_pattern($1, device_t, null_device_t)
') ')
########################################
## <summary>
## Do not audit attempts to set the attributes of
## the null device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_null_dev',`
gen_require(`
type null_device_t;
')
dontaudit $1 null_device_t:chr_file setattr;
')
######################################## ########################################
## <summary> ## <summary>
## Delete the null device (/dev/null). ## Delete the null device (/dev/null).
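Review bot: The parameter description on the new `dev_dontaudit_setattr_null_dev` interface reads `## Domain allowed access.`, but the interface grants nothing and only suppresses audit records. Dontaudit interfaces elsewhere in the policy normally describe this parameter as `## Domain to not audit.`, and the copied text could lead a reader of the generated interface documentation to think calling it permits setattr on the null device. The rule itself is narrowly scoped to `null_device_t:chr_file setattr`, so only the doc line needs changing.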


@ -78,6 +78,7 @@ template(`userdom_base_user_template',`
dev_dontaudit_getattr_all_blk_files($1_t) dev_dontaudit_getattr_all_blk_files($1_t)
dev_dontaudit_getattr_all_chr_files($1_t) dev_dontaudit_getattr_all_chr_files($1_t)
dev_dontaudit_setattr_null_dev($1_t)
# for X session unlock # for X session unlock
allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
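Review bot: The added `dev_dontaudit_setattr_null_dev($1_t)` call has no comment saying which program triggers the denial. Neither the hunk nor the commit message names it, and the call sits in `userdom_base_user_template`, so it presumably silences the AVC for every user domain built from that template. Because a dontaudit rule removes the log record as well as the noise, a later reader cannot tell whether a setattr attempt on /dev/null is the expected benign case or something worth investigating. I would add a line above the call such as `# <program> tries to chmod/chown /dev/null at session start; the denial is harmless`, with the placeholder replaced by the actual source. It may also help to mention that the hidden denials can be surfaced again with `semodule -DB` when debugging. The template body begins and ends outside this hunk.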