commit: daf2971d9e410585f2bcb9599a40ea969466a060
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 19:59:37 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:42:07 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=daf2971d
update irqbalance module
policy/modules/contrib/irqbalance.fc | 8 +++++---
policy/modules/contrib/irqbalance.if | 7 ++++---
policy/modules/contrib/irqbalance.te | 22 +++++++++-------------
3 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/irqbalance.fc
b/policy/modules/contrib/irqbalance.fc
index acc75dd..7753008 100644
--- a/policy/modules/contrib/irqbalance.fc
+++ b/policy/modules/contrib/irqbalance.fc
@@ -1,5 +1,7 @@
-/etc/rc\.d/init\.d/irqbalance --
gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/irqbalance --
gen_context(system_u:object_r:irqbalance_initrc_exec_t,s0)
-/usr/sbin/irqbalance --
gen_context(system_u:object_r:irqbalance_exec_t,s0)
+/usr/lib/systemd/system/irqbalance\.service --
gen_context(system_u:object_r:irqbalance_unit_t,s0)
-/run/irqbalance\.pid --
gen_context(system_u:object_r:irqbalance_var_run_t,s0)
+/run/irqbalance\.pid --
gen_context(system_u:object_r:irqbalance_pid_t,s0)
+
+/usr/sbin/irqbalance --
gen_context(system_u:object_r:irqbalance_exec_t,s0)
diff --git a/policy/modules/contrib/irqbalance.if
b/policy/modules/contrib/irqbalance.if
index 9e943d3..a8e452f 100644
--- a/policy/modules/contrib/irqbalance.if
+++ b/policy/modules/contrib/irqbalance.if
@@ -19,14 +19,15 @@
#
interface(`irqbalance_admin',`
gen_require(`
- type irqbalance_t, irqbalance_initrc_exec_t,
irqbalance_var_run_t;
+ type irqbalance_t, irqbalance_initrc_exec_t;
+ type irqbalance_pid_t, irqbalance_unit_t;
')
allow $1 irqbalance_t:process { ptrace signal_perms };
ps_process_pattern($1, irqbalance_t)
- init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t)
+ init_startstop_service($1, $2, irqbalance_t, irqbalance_initrc_exec_t,
irqbalance_unit_t)
files_search_pids($1)
- admin_pattern($1, irqbalance_var_run_t)
+ admin_pattern($1, irqbalance_pid_t)
')
diff --git a/policy/modules/contrib/irqbalance.te
b/policy/modules/contrib/irqbalance.te
index 0a06815..7c8af64 100644
--- a/policy/modules/contrib/irqbalance.te
+++ b/policy/modules/contrib/irqbalance.te
@@ -12,21 +12,25 @@ init_daemon_domain(irqbalance_t, irqbalance_exec_t)
type irqbalance_initrc_exec_t;
init_script_file(irqbalance_initrc_exec_t)
-type irqbalance_var_run_t;
-files_pid_file(irqbalance_var_run_t)
+type irqbalance_pid_t;
+typealias irqbalance_pid_t alias irqbalance_var_run_t;
+files_pid_file(irqbalance_pid_t)
+
+type irqbalance_unit_t;
+init_unit_file(irqbalance_unit_t)
########################################
#
# Local policy
#
-allow irqbalance_t self:capability { setpcap net_admin };
+allow irqbalance_t self:capability { setpcap };
dontaudit irqbalance_t self:capability sys_tty_config;
allow irqbalance_t self:process { getcap getsched setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;
-manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
-files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
+files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
kernel_read_network_state(irqbalance_t)
kernel_read_system_state(irqbalance_t)
@@ -50,14 +54,6 @@ miscfiles_read_localization(irqbalance_t)
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
-ifdef(`hide_broken_symptoms',`
- dontaudit irqbalance_t self:capability sys_module;
-')
-
-optional_policy(`
- seutil_sigchld_newrole(irqbalance_t)
-')
-
optional_policy(`
udev_read_db(irqbalance_t)
')
