commit:     ebae10c1795bdf42caa83f6daed9b0974c83146f
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug  3 05:48:19 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebae10c1

getattr on unlabeled blk devs

The following has been in my tree for a few years.  It allows initrc_t to stat
devices early in the boot process.

From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift <AT> gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
 (device_t) early on boot, soon later the node context is properly reset
 (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

 policy/modules/system/init.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8e8c163..0d4f74a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -568,6 +568,9 @@ userdom_read_user_home_content_files(initrc_t)
 userdom_use_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
+       kernel_getattr_core_if(initrc_t)
+
+       dev_getattr_generic_blk_files(initrc_t)
        dev_setattr_generic_dirs(initrc_t)
 
        fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
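
Review bot: The two added calls at the top of the distro_debian block carry no comment, so the reason for them (startpar stat()ing /dev/dm-0 while it is still device_t, and /proc/kcore) lives only in the commit message; a one-line comment above each would keep that rationale in init.te. The commit title says "unlabeled blk devs", but dev_getattr_generic_blk_files(initrc_t) covers generic (device_t) block nodes, as the original subject states, so the title should say "generic" to avoid suggesting unlabeled_t access. The subject marks only the /proc/kcore access as "(debian only)", yet both rules sit inside ifdef(`distro_debian'); please confirm the dm-0 getattr is not needed on other distributions. Since the access is a stat during a short window before the node context is reset, it is also worth stating whether startpar needs the getattr to succeed or whether a dontaudit rule would be enough.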
