From 8982ce594541b0c98ac1dc33ae0caab0dd62a733 Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Tue, 7 Apr 2020 23:03:16 +0300
Subject: [PATCH] Don't allow creating regular files in /dev

Init, init scripts and udisks don't need to be able to create regular files in /dev. Thanks to Jarkko Sakkinen for the idea.

Signed-off-by: Topi Miettinen
---
 policy/modules/services/devicekit.te | 1 -
 policy/modules/system/init.te | 2 --
 2 files changed, 3 deletions(-)

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 83e91da00..88ec86166 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -108,7 +108,6 @@ corecmd_getattr_all_executables(devicekit_disk_t)
 dev_getattr_all_chr_files(devicekit_disk_t)
 dev_getattr_mtrr_dev(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
-dev_manage_generic_files(devicekit_disk_t)
 dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 867ce5000..8607d023c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -318,7 +318,6 @@ ifdef(`init_systemd',`
 dev_rw_autofs(init_t)
 dev_manage_generic_symlinks(init_t)
 dev_manage_generic_dirs(init_t)
-dev_manage_generic_files(init_t)
 dev_manage_null_service(initrc_t)
 dev_read_generic_chr_files(init_t)
 dev_relabel_generic_dev_dirs(init_t)
@@ -674,7 +673,6 @@ dev_rw_lvm_control(initrc_t)
 dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
-dev_manage_generic_files(initrc_t)
 # Wants to remove udev.tbl:
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)