kmod, lvm, brctl patches from Russell Coker

Patches for modutils, at least one of which is needed to generate an initramfs on Debian. Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc. Patch for brctl to allow it to create sysfs files.
2025-03-24 12:06:51 +00:00 · 2017-04-18 21:17:36 -04:00 · 2017-04-18 21:17:36 -04:00 · c2b04d1ea2
commit c2b04d1ea2
parent 132cc4b2d5
7 changed files with 54 additions and 5 deletions
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@ -1 +1 @@
-Subproject commit 89c5442a083107b0092f408ba1c9b6f0a40a49b4
+Subproject commit 2b8cc38af0ccc125a8004ec09d5f052c3cce4a9f
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -4277,6 +4277,24 @@ interface(`dev_rw_sysfs',`
 	list_dirs_pattern($1, sysfs_t, sysfs_t)
 ')

+########################################
+## <summary>
+##	Add a sysfs file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_create_sysfs_files',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	create_files_pattern($1, sysfs_t, sysfs_t)
+')
+
 ########################################
 ## <summary>
 ##     Relabel hardware state directories.
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,4 +1,4 @@
-policy_module(devices, 1.20.6)
+policy_module(devices, 1.20.7)

 ########################################
 #
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@ -165,6 +165,24 @@ interface(`iptables_manage_config',`
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')

+###################################
+## <summary>
+##	dontaudit reading iptables_var_run_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`iptables_dontaudit_read_pids',`
+	gen_require(`
+		type iptables_var_run_t;
+	')
+
+	dontaudit $1 iptables_var_run_t:file read;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@ -1,4 +1,4 @@
-policy_module(iptables, 1.18.3)
+policy_module(iptables, 1.18.4)

 ########################################
 #
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.8)
+policy_module(lvm, 1.19.9)

 ########################################
 #
@ -341,6 +341,10 @@ optional_policy(`
 	ccs_stream_connect(lvm_t)
 ')

+optional_policy(`
+	dpkg_script_rw_pipes(lvm_t)
+')
+
 optional_policy(`
 	gpm_dontaudit_getattr_gpmctl(lvm_t)
 ')
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -1,4 +1,4 @@
-policy_module(modutils, 1.17.3)
+policy_module(modutils, 1.17.4)

 ########################################
 #
@ -89,6 +89,7 @@ files_read_etc_runtime_files(kmod_t)
 files_read_etc_files(kmod_t)
 files_read_usr_files(kmod_t)
 files_exec_etc_files(kmod_t)
+files_search_tmp(kmod_t)
 # for nscd:
 files_dontaudit_search_pids(kmod_t)
 # to manage modules.dep
@ -126,6 +127,10 @@ optional_policy(`
 	alsa_domtrans(kmod_t)
 ')

+optional_policy(`
+	dpkg_manage_script_tmp_files(kmod_t)
+')
+
 optional_policy(`
 	firstboot_dontaudit_rw_pipes(kmod_t)
 	firstboot_dontaudit_rw_stream_sockets(kmod_t)
@ -139,6 +144,10 @@ optional_policy(`
 	hotplug_search_config(kmod_t)
 ')

+optional_policy(`
+	iptables_dontaudit_read_pids(kmod_t)
+')
+
 optional_policy(`
 	mount_domtrans(kmod_t)
 ')