commit: 6a125aa8a8498a230fc9c1ec2170ac2c65120501
Author: Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Jan 9 08:45:55 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:03 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a125aa8
selinuxutil: do not audit load_policy trying to use portage ptys
Each time portage builds and installs a new SELinux policy I got the following
AVC:
allow load_policy_t portage_devpts_t:chr_file { read write };
Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/portage.if | 18 ++++++++++++++++++
policy/modules/system/selinuxutil.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 645e704b4..1202ceb28 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -324,6 +324,24 @@ interface(`portage_dontaudit_use_fds',`
dontaudit $1 portage_t:fd use;
')
+########################################
+## <summary>
+## Do not audit attempts to read and write inherited portage ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portage_dontaudit_use_inherited_ptys',`
+ gen_require(`
+ type portage_devpts_t;
+ ')
+
+ dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search the
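Review bot: the `<param name="domain">` summary reads "Domain allowed access.", but this is a dontaudit interface, so nothing is allowed; the surrounding dontaudit interfaces in this file describe the parameter as the domain to not audit. Suggest changing the summary to "Domain to not audit." so the generated interface documentation does not claim the caller gains access. Also worth noting in the summary that the permission set is the rw_inherited_term_perms macro rather than the bare `{ read write }` pair from the AVC in the commit message, which is the usual refpolicy convention for inherited terminals but wider than what was observed.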
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index c4be3ae68..5c7c1aec2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -216,6 +216,7 @@ optional_policy(`
optional_policy(`
portage_dontaudit_use_fds(load_policy_t)
+ portage_dontaudit_use_inherited_ptys(load_policy_t)
')
optional_policy(`
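Review bot: this silences the denial rather than resolving it. The AVC quoted in the commit message is a denied `{ read write }` on the pty load_policy inherits from portage; with `portage_dontaudit_use_inherited_ptys(load_policy_t)` the write is still denied, only the log entry disappears, so any diagnostic or error output load_policy writes to that terminal during an emerge is lost without a trace. If load_policy is expected to report policy load failures back to the portage session, an allow interface would be the right fix; if the dontaudit is intentional (load_policy output on the portage pty is not wanted), a one-line comment above the call saying so would help the next reader, since the adjacent `portage_dontaudit_use_fds(load_policy_t)` already establishes the pattern and the two together make load_policy fully silent under portage.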