commit: f9f30c4fdbafa36675450f8451a4767d81756906
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sat Jun 14 04:35:08 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9f30c4f
Fix for thunderbolt, label the run dir, dontaudit the net_admin capability for
the usual reasons, allow writing to sysfs for the force_power file, and allow
reading udev runtime files
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/thunderbolt.fc | 2 +-
policy/modules/services/thunderbolt.te | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/thunderbolt.fc
b/policy/modules/services/thunderbolt.fc
index 1c50de19a..7d473c13d 100644
--- a/policy/modules/services/thunderbolt.fc
+++ b/policy/modules/services/thunderbolt.fc
@@ -1,3 +1,3 @@
/usr/libexec/boltd --
gen_context(system_u:object_r:thunderboltd_exec_t,s0)
/var/lib/boltd(/.*)?
gen_context(system_u:object_r:thunderboltd_var_lib_t,s0)
-
+/run/boltd(/.*)?
gen_context(system_u:object_r:thunderboltd_runtime_t,s0)
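Review bot: The new `/run/boltd(/.*)?` file context only takes effect on a relabel; if boltd creates the directory itself at startup, it will inherit the parent's label unless the .te also carries a name-based transition such as `files_runtime_filetrans(thunderboltd_t, thunderboltd_runtime_t, dir, "boltd")`. The .te hunks visible here show `files_runtime_file(thunderboltd_runtime_t)` and `manage_dir_perms` on the runtime type but no filetrans, so it may be declared elsewhere in the file — worth confirming before merging. The label itself matches the type already declared in thunderbolt.te.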
diff --git a/policy/modules/services/thunderbolt.te
b/policy/modules/services/thunderbolt.te
index 49b4e5616..f69082233 100644
--- a/policy/modules/services/thunderbolt.te
+++ b/policy/modules/services/thunderbolt.te
@@ -22,6 +22,7 @@ files_runtime_file(thunderboltd_runtime_t)
# Local policy
#
+dontaudit thunderboltd_t self:capability net_admin;
allow thunderboltd_t self:unix_dgram_socket { create write };
allow thunderboltd_t self:netlink_kobject_uevent_socket { bind create getattr
getopt read setopt };
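Review bot: The added `dontaudit thunderboltd_t self:capability net_admin;` has no comment explaining what triggers the denial, and the commit message's "the usual reasons" does not survive into the policy source. refpolicy convention is to state the cause above a dontaudit so a later reviewer can tell a harmless noise suppression from a real missing permission; given the `netlink_kobject_uevent_socket` setopt rule beside it, a plausible cause is a setsockopt on the uevent socket that the kernel gates on CAP_NET_ADMIN, but that is inferred rather than shown here. Suggest `# boltd tries net_admin (likely setsockopt on the uevent socket); it works without it, so silence the denial`, adjusted to whatever the observed AVC actually was.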
@@ -34,6 +35,8 @@ allow thunderboltd_t thunderboltd_runtime_t:dir
manage_dir_perms;
kernel_read_system_state(thunderboltd_t)
dev_read_sysfs(thunderboltd_t)
+# for force_power
+dev_write_sysfs(thunderboltd_t)
files_read_etc_files(thunderboltd_t)
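Review bot: `dev_write_sysfs(thunderboltd_t)` grants write access to sysfs_t generally, which is far broader than the single `force_power` attribute the comment names; a daemon that handles hot-plugged PCIe devices is a meaningful target, and sysfs writes reach many unrelated kernel knobs. If the force_power path is stable, a dedicated type assigned via `genfscon sysfs <path>` and a narrow rule on that type would keep this to least privilege, as refpolicy does for other sysfs attributes; if that is not practical, the comment should at least record the full sysfs path and why write access is required, e.g. `# boltd writes the thunderbolt force_power sysfs attribute (<path>) to power the controller on/off; dev_write_sysfs is broader than needed`. The exact permissions dev_write_sysfs expands to are not visible in this hunk.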
@@ -41,7 +44,7 @@ logging_send_syslog_msg(thunderboltd_t)
miscfiles_read_localization(thunderboltd_t)
-udev_search_runtime(thunderboltd_t)
+udev_read_runtime_files(thunderboltd_t)
ifdef(`init_systemd',`
init_stream_connect(thunderboltd_t)