diff options
| author |   Kenton Groombridge <concord@gentoo.org> | 2024-01-12 17:09:17 -0500 |
|---|---|---|
| committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:04:45 -0500 |
| commit | e3764d1c7d91daecaebbd3e39ffa44bb31715e63 (patch) | |
| tree | 8a7903da62663ed07a69d8ac3723948f1398cb9b | |
| parent | zfs: allow zfs to write to exports (diff) | |
| download | hardened-refpolicy-e3764d1c7d91daecaebbd3e39ffa44bb31715e63.tar.gz hardened-refpolicy-e3764d1c7d91daecaebbd3e39ffa44bb31715e63.tar.bz2 hardened-refpolicy-e3764d1c7d91daecaebbd3e39ffa44bb31715e63.zip | |
kernel: allow managing mouse devices
Seen with systemd 255.
type=AVC msg=audit(1705092132.309:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/input/mouse0" dev="devtmpfs" ino=328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:52): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:53): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
| -rw-r--r-- | policy/modules/kernel/kernel.te | 3 |
2 files changed, 21 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 3625e8c9..344d858c 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3362,6 +3362,24 @@ interface(`dev_setattr_mouse_dev',` ######################################## ## <summary> +## Delete the mouse devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + + delete_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## <summary> ## Read the mouse devices. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 8bf5f1a1..1aa2e092 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -314,6 +314,9 @@ dev_delete_generic_symlinks(kernel_t) dev_rw_generic_chr_files(kernel_t) dev_setattr_generic_blk_files(kernel_t) dev_setattr_generic_chr_files(kernel_t) +dev_getattr_mouse_dev(kernel_t) +dev_setattr_mouse_dev(kernel_t) +dev_delete_mouse_dev(kernel_t) dev_getattr_fs(kernel_t) dev_getattr_sysfs(kernel_t) dev_write_kmsg(kernel_t) |