Create new interface and type for managing /etc/udev/rules.d
udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup. Signed-off-by: Chris Richards <gizmo@giz-works.com> Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
This commit is contained in:
parent
1b2f08ea10
commit
d56b33a1e4
@ -794,6 +794,7 @@ optional_policy(`
optional_policy(`
optional_policy(`
udev_rw_db(initrc_t)
udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
')
optional_policy(`
optional_policy(`
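Review bot: `udev_manage_rules_files(initrc_t)` gives initrc_t create, write, rename and delete on every udev_rules_t directory and file, and udev rules are what tell udevd which helper programs to run on device events, so any init script executing in initrc_t can now alter what udev executes. The description explains the need (rules must be populated during startup, notably on Gentoo), but the policy line itself carries no trace of that reasoning; a comment beside the call such as `# init scripts populate /etc/udev/rules.d during startup` would record why this domain is allowed to write rules. If the startup path only creates new rules files rather than deleting or renaming existing ones, a narrower create/write pattern would be worth considering, though I cannot tell from the hunk which operations the init scripts actually perform.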
@ -6,7 +6,7 @@
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
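Review bot: The new context line `/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)` has no file-type column, so symlinks inside rules.d (distributions commonly mask a rule by linking its name to /dev/null) are labeled udev_rules_t as well, yet the new interface grants only manage_dirs_pattern and manage_files_pattern, and udev_t in the second udev.te hunk gets only list_dirs_pattern and read_files_pattern. A symlink carrying that label would then be unreadable by udev_t and untouchable through the interface, which is a narrowing the relabel introduces, because before this commit the same paths were udev_var_run_t, on which udev_t keeps manage_lnk_files_pattern. Adding `read_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)` in the udev_t hunk and `manage_lnk_files_pattern($1, udev_rules_t, udev_rules_t)` in udev_manage_rules_files would cover it. Existing installations also need /etc/udev/rules.d relabeled before the new type has any effect.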
@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',`
files_search_var_lib($1)
files_search_var_lib($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
')
########################################
## <summary>
## Manage udev rules files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`udev_manage_rules_files',`
gen_require(`
type udev_rules_t;
')
manage_dirs_pattern($1, udev_rules_t, udev_rules_t)
manage_files_pattern($1, udev_rules_t, udev_rules_t)
')
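Review bot: udev_manage_rules_files grants $1 access to udev_rules_t objects but nothing to reach them: the sibling interface udev_manage_pid_files at the top of the hunk calls `files_search_var_lib($1)` for its path, while the new interface, whose objects live under /etc/udev/rules.d, calls no search helper at all. A caller that does not already hold search on etc_t, and on /etc/udev itself (which presumably carries udev_etc_t — confirm against udev.fc), cannot traverse to the rules directory even though it is allowed to manage what is inside. Adding `files_search_etc($1)` before the two manage patterns, plus `search_dirs_pattern($1, udev_etc_t, udev_etc_t)` if /etc/udev is indeed udev_etc_t, would make the interface self-contained like its sibling. The summary `Manage udev rules files` could also say that this amounts to control over which helper programs udev runs, so future callers are added deliberately.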
@ -21,6 +21,9 @@ files_config_file(udev_etc_t)
type udev_tbl_t alias udev_tdb_t;
type udev_tbl_t alias udev_tdb_t;
files_type(udev_tbl_t)
files_type(udev_tbl_t)
type udev_rules_t;
files_type(udev_rules_t)
type udev_var_run_t;
type udev_var_run_t;
files_pid_file(udev_var_run_t)
files_pid_file(udev_var_run_t)
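Review bot: The declaration `type udev_rules_t;` followed by `files_type(udev_rules_t)` differs from udev_etc_t in the hunk header, which is declared with `files_config_file`, and nothing in the hunk says why the new type stays out of the config-file attribute. Since it labels a configuration directory under /etc that is deliberately writable by another domain, a reader will want to know whether generic read-config grants should include it or not. A comment above the type, `# /etc/udev/rules.d: read by udev_t, populated by init scripts at boot`, would document what it covers and make the files_type choice look intentional; whether files_type is ultimately the right attribute cannot be settled from this hunk.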
@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms;
allow udev_t udev_tbl_t:file manage_file_perms;
allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t, udev_tbl_t, file)
dev_filetrans(udev_t, udev_tbl_t, file)
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
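Review bot: udev_t's access to /etc/udev/rules.d drops from manage to `list_dirs_pattern` plus `read_files_pattern` with this commit, because the directory was previously udev_var_run_t, on which udev_t keeps the manage_dirs/files/lnk_files patterns in the context lines just below. That is the right least-privilege direction, but udev's own helpers that write persistent-name rules back into rules.d presumably run in udev_t on some distributions, and if so they will now be denied. It would be worth checking the AVC log on such a host before merging and then either adding a deliberately scoped write rule or recording the intent in a comment, e.g. `# udev_t only reads rules; init scripts populate them`.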