commit: 9127b63127407012150cc1257dab821bc300477d Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com> AuthorDate: Thu Feb 22 17:00:51 2024 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Mar 1 17:05:55 2024 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9127b631
udev: update AVC
avc: denied { create } for pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/sysnetwork.if | 30 ++++++++++++++++++++++++++++++
policy/modules/system/udev.te | 3 +++
2 files changed, 33 insertions(+)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index f41024669..884f3735d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -489,6 +489,7 @@ interface(`sysnet_create_config',`
 ')
 files_search_etc($1)
+ allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };
 allow $1 net_conf_t:file create_file_perms;
 ')
@@ -535,6 +536,35 @@ interface(`sysnet_etc_filetrans_config',`
 files_etc_filetrans($1, net_conf_t, file, $2)
 ')
+#######################################
+## <summary>
+## Create files in /run with the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object">
+## <summary>
+## The object class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`sysnet_runtime_filetrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_runtime_filetrans($1, net_conf_t, $2, $3)
+')
+
 #######################################
 ## <summary>
 ## Create, read, write, and delete network config files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6e24d515f..8ecc17bc7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
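Review bot: The new `allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };` in sysnet_create_config() widens the interface for every existing caller, not only udev_t: any domain that was granted this interface to create net_conf_t files may now also create and populate net_conf_t directories, including under /etc since the interface calls files_search_etc($1). If only udev needs the directory rule, a separate interface (e.g. `sysnet_create_config_dirs`) holding just that allow line keeps the existing callers' footprint unchanged. If the widening is intended, the interface's summary above the hunk presumably still speaks of config files only and should become `## Create network config files and directories.` so that reviewers of other .te files see the dir rights they are granting. The interface(`sysnet_create_config',` body starts before this hunk.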
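Review bot: The summary of the new sysnet_runtime_filetrans_config() says "Create files in /run", but the interface takes an object class parameter ($2, documented as "The object class of the object being created") and its only caller in this commit passes `dir`, so the summary understates what it does; `## Create objects in /run with the type used for` / `## the network config files.` matches the parameters. It would also help callers to state in the doc block that, like the other filetrans interfaces in this file, this only adds the type transition and the caller must separately obtain create permission on net_conf_t (which appears to be why udev.te pairs it with sysnet_create_config()).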
@@ -217,6 +217,9 @@ ifdef(`distro_debian',`
 files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
+ sysnet_runtime_filetrans_config(udev_t, dir, "network")
+ sysnet_create_config(udev_t)
+
 optional_policy(`
 # for /usr/lib/avahi/avahi-daemon-check-dns.sh
 kernel_read_vm_sysctls(udev_t)
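Review bot: `sysnet_create_config(udev_t)` grants far more than the denial in the commit message asks for: the AVC is a single `create` on a dir under /run, but the interface (with its new dir rule) gives udev_t create_file_perms on every net_conf_t file and create/add_entry rights on every net_conf_t directory, and net_conf_t is, per the new interface's own summary, the type of the network config files under /etc, so a udev-triggered ifquery could write system-wide network configuration rather than just /run/network. A narrower grant would be a dedicated interface exposing only `allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };`, called here as `sysnet_create_config_dirs(udev_t)`, or a distinct runtime type for /run/network if udev must also create files there. Independently, the filetrans to net_conf_t for "network" should agree with the /run/network entry in sysnetwork.fc, which this commit does not touch; if no such entry exists, restorecon would relabel the directory away from what the transition creates. The ifdef(`distro_debian',` block continues outside this hunk.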