Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited

from cron, and dontaudit ps type operations from it Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-06 21:48:52 +11:00 · 2023-10-06 21:48:52 +11:00 · c2a9111a5c
parent 0af7c312d1
commit c2a9111a5c
3 changed files with 4 additions and 1 deletions
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@ -309,7 +309,6 @@ ifdef(`distro_debian',`
 /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)

-/usr/share/mdadm/checkarray	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm\.py.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb\.py.* --	gen_context(system_u:object_r:bin_t,s0)
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@ -11,6 +11,8 @@
 /usr/bin/mdmpd	--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/bin/raid-check	--	gen_context(system_u:object_r:mdadm_exec_t,s0)

+/usr/share/mdadm/checkarray --	gen_context(system_u:object_r:mdadm_exec_t,s0)
+
 # Systemd unit files
 /usr/lib/systemd/system/[^/]*mdadm-.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
 /usr/lib/systemd/system/[^/]*mdmon.*	--	gen_context(system_u:object_r:mdadm_unit_t,s0)
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t)
 # create links in /dev/md
 dev_create_generic_symlinks(mdadm_t)

+domain_dontaudit_search_all_domains_state(mdadm_t)
 domain_use_interactive_fds(mdadm_t)

 files_read_etc_files(mdadm_t)
@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t)

 optional_policy(`
 	cron_system_entry(mdadm_t, mdadm_exec_t)
+	cron_rw_inherited_tmp_files(mdadm_t)
 ')

 optional_policy(`