* [refpolicy] [PATCH 1/1] modutils patch for update-modules
@ 2010-04-16  6:29 Chris Richards
  2010-04-24 12:19 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Chris Richards @ 2010-04-16  6:29 UTC (permalink / raw)
  To: refpolicy

update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var.  This is never used by update-modules.


Signed-off-by: Chris Richards <gizmo@giz-works.com>
---
 policy/modules/kernel/files.if    |   20 ++++++++++++++++++++
 policy/modules/system/modutils.te |    2 ++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2dd4e3c..fee4d52 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search the
+##	contents of /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_lib',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	dontaudit $1 var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List the contents of the /var/lib directory.
 ## </summary>
 ## <param name="domain">
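Review bot: the `## <infoflow type="read" weight="5"/>` tag on the new `files_dontaudit_search_var_lib` interface overstates what it does: a `dontaudit` rule grants no access, it only suppresses the AVC denial, so documenting it as a weight-5 read flow is misleading to anyone consulting the generated interface docs. Suggest `## <infoflow type="none"/>` instead. Also, splicing the new block in after the existing `## <summary>` line and re-adding `+## <summary>` before "List the contents of the /var/lib directory." yields a correct file but a confusing diff; inserting the whole new interface, including its own `########################################` and `## <summary>`, before the existing header would make the hunk self-contained.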
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index fb0dea9..2e1cdf1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -303,6 +303,8 @@ ifdef(`distro_gentoo',`
 	files_search_pids(update_modules_t)
 	files_getattr_usr_src_files(update_modules_t)
 	files_list_isid_type_dirs(update_modules_t) # /var
+	files_dontaudit_search_var_lib(update_modules_t)
+	init_dontaudit_read_script_status_files(update_modules_t)
 
 	optional_policy(`
 		consoletype_exec(update_modules_t)
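Review bot: `files_dontaudit_search_var_lib(update_modules_t)` silences every `var_lib_t:dir search` denial for the domain, not only the `/var/lib/init.d` lookup from `functions.sh` that the commit message describes, and since search on `/var/lib` is the gateway to everything under it, any later legitimate denial for this domain there will be invisible in the audit log. The scope is search-only (no read of the directory contents), and the call sits inside the `ifdef(`distro_gentoo'` block, so the blind spot is limited to Gentoo builds, which matches the report. Suggest annotating the line with the path that triggers it, e.g. `files_dontaudit_search_var_lib(update_modules_t) # /var/lib/init.d`, as the preceding `# /var` comment does, so a future reader knows which access it was meant to cover.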
-- 
1.6.4.4


* [refpolicy] [PATCH 1/1] modutils patch for update-modules
  2010-04-16  6:29 [refpolicy] [PATCH 1/1] modutils patch for update-modules Chris Richards
@ 2010-04-24 12:19 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2010-04-24 12:19 UTC (permalink / raw)
  To: refpolicy

On Fri, 2010-04-16 at 06:29 +0000, Chris Richards wrote:
> update-modules on Gentoo throws errors when run because it sources /etc/init.d/functions.sh, which always scans /var/lib/init.d to set SOFTLEVEL environment var.  This is never used by update-modules.

Merged.

> Signed-off-by: Chris Richards <gizmo@giz-works.com>
> ---
>  policy/modules/kernel/files.if    |   20 ++++++++++++++++++++
>  policy/modules/system/modutils.te |    2 ++
>  2 files changed, 22 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 2dd4e3c..fee4d52 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -4660,6 +4660,26 @@ interface(`files_search_var_lib',`
>  
>  ########################################
>  ## <summary>
> +##	Do not audit attempts to search the
> +##	contents of /var/lib.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_lib',`
> +	gen_require(`
> +		type var_lib_t;
> +	')
> +
> +	dontaudit $1 var_lib_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	List the contents of the /var/lib directory.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index fb0dea9..2e1cdf1 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -303,6 +303,8 @@ ifdef(`distro_gentoo',`
>  	files_search_pids(update_modules_t)
>  	files_getattr_usr_src_files(update_modules_t)
>  	files_list_isid_type_dirs(update_modules_t) # /var
> +	files_dontaudit_search_var_lib(update_modules_t)
> +	init_dontaudit_read_script_status_files(update_modules_t)
>  
>  	optional_policy(`
>  		consoletype_exec(update_modules_t)

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243
