diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 2dd4e3c26..9adeea441 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4658,6 +4658,26 @@ interface(`files_search_var_lib',` search_dirs_pattern($1, var_t, var_lib_t) ') +######################################## +## +## Do not audit attempts to search the +## contents of /var/lib. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`files_dontaudit_search_var_lib',` + gen_require(` + type var_lib_t; + ') + + dontaudit $1 var_lib_t:dir search_dir_perms; +') + ######################################## ## ## List the contents of the /var/lib directory. diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index fb0dea924..2e1cdf1e6 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -303,6 +303,8 @@ ifdef(`distro_gentoo',` files_search_pids(update_modules_t) files_getattr_usr_src_files(update_modules_t) files_list_isid_type_dirs(update_modules_t) # /var + files_dontaudit_search_var_lib(update_modules_t) + init_dontaudit_read_script_status_files(update_modules_t) optional_policy(` consoletype_exec(update_modules_t)