commit: 5a9675744968affced75d510ec23e1410443a576 Author: Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com> AuthorDate: Wed Nov 30 08:27:56 2022 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Tue Dec 13 19:07:50 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a967574
fstools: handle gentoo place for drivedb.h
On a gentoo-hardened+selinux, I got denial from fsadm_t reading var_t. This is due to smartctl trying to read /var/db/smartmontools/drivedb.h
Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/fstools.fc | 4 ++++
policy/modules/system/fstools.te | 9 +++++++++
2 files changed, 13 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 2f4d6cd88..ac67213ea 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -108,6 +108,10 @@
 /usr/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ifdef(`distro_gentoo',`
+/var/db/smartmontools(/.*)? gen_context(system_u:object_r:fsadm_db_t,s0)
+')
+
 /var/swap -- gen_context(system_u:object_r:swapfile_t,s0)
 /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 75da8a0a0..11211b699 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -19,6 +19,11 @@ files_tmp_file(fsadm_tmp_t)
 type fsadm_run_t;
 files_runtime_file(fsadm_run_t)
+ifdef(`distro_gentoo',`
+type fsadm_db_t;
+files_type(fsadm_db_t)
+')
+
 type swapfile_t; # customizable
 files_type(swapfile_t)
@@ -55,6 +60,10 @@ allow fsadm_t fsadm_run_t:dir manage_dir_perms;
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_runtime_filetrans(fsadm_t, fsadm_run_t, dir)
+ifdef(`distro_gentoo',`
+manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
+')
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
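Review bot: The new `/var/db/smartmontools(/.*)?` entry labels the whole tree `fsadm_db_t`, but the commit adds no interface in fstools.if for that type, so any other domain that reads this database (smartd, which refpolicy confines separately from the smartctl binary, presumably reads the same drivedb.h) has no supported way to be granted access and would hit the same denial this commit fixes for fsadm_t. Consider adding an interface in fstools.if that grants read access to `fsadm_db_t`, wrapped in the same distro_gentoo ifdef guard since the type only exists there, so the new label is usable from other modules. The entry itself is fine: with no `--` class specifier it covers the directory as well as the files under it, which the `files_type()` declaration in fstools.te expects.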
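Review bot: The new `type fsadm_db_t;` declaration carries no comment saying what it labels, and nothing in fstools.te ties the name to the smartmontools database except the gentoo-only .fc entry in the same commit. Suggest `type fsadm_db_t; # smartmontools drive database (/var/db/smartmontools), distro_gentoo only` so a reader of the .te file alone can tell why a database type exists in a filesystem-tools module. Because the declaration sits inside the distro_gentoo ifdef, any later reference to `fsadm_db_t` outside such a guard would fail to build on non-Gentoo targets; that constraint is worth stating in the comment as well.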
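Review bot: `manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)` grants fsadm_t create, write, rename and unlink on the drive database plus read/write on its directory, while the denial described in the commit message is only smartctl reading drivedb.h. Least privilege suggests `read_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)` (with `list_dirs_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)` only if the directory is actually enumerated); a domain that can rewrite the drive database can change how SMART attributes are interpreted, which a filesystem-tools domain has no need to do. If the database is refreshed by a tool that also runs in fsadm_t, that would justify manage, but the commit does not say so. fsadm_t also needs search on /var to reach the directory; it presumably already has that for /var/log/fsck, but the rule lives outside this hunk and is worth confirming.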