Don't allow creating regular files in /dev

Init, init scripts and udisks don't need to be able to create regular files in /dev. Thanks to Jarkko Sakkinen for the idea. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-07 23:03:16 +03:00 · 2020-04-07 23:03:16 +03:00 · 8982ce5945
commit 8982ce5945
parent a2ec18d2a3
2 changed files with 0 additions and 3 deletions
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@ -108,7 +108,6 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
-dev_manage_generic_files(devicekit_disk_t)
 dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -318,7 +318,6 @@ ifdef(`init_systemd',`
 	dev_rw_autofs(init_t)
 	dev_manage_generic_symlinks(init_t)
 	dev_manage_generic_dirs(init_t)
-	dev_manage_generic_files(init_t)
 	dev_manage_null_service(initrc_t)
 	dev_read_generic_chr_files(init_t)
 	dev_relabel_generic_dev_dirs(init_t)
@ -674,7 +673,6 @@ dev_rw_lvm_control(initrc_t)
 dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
-dev_manage_generic_files(initrc_t)
 # Wants to remove udev.tbl:
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)