[refpolicy] [PATCH 5/5] Give kmod access to tmpfiles

Sven Vermeulen sven.vermeulen at siphos.be
Thu Aug 7 14:05:38 EDT 2014


Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason at perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 59ecb2b..dde3f02 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -228,6 +228,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')
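Review bot: the two calls in the new optional_policy block give insmod_t create and write access to tmpfiles runtime files in general, while the commit message only calls for one file, /run/tmpfiles.d/kmod.conf. Going by the interface names, nothing here limits the access to that file, so the domain that loads kernel modules could also create or alter other configuration that tmpfiles later acts on. If the tmpfiles module can support it, consider a dedicated type for kmod.conf reached through a named file transition. Either way, add a short comment above the calls saying they exist for `kmod static-nodes --format=tmpfiles`, since the block itself gives no hint why insmod_t needs tmpfiles access.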
-- 
1.8.5.5


