Index: policy/modules/system/udev.fc
===================================================================
--- policy/modules/system/udev.fc.orig
+++ policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -22,4 +22,4 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
Index: policy/modules/system/udev.te
===================================================================
--- policy/modules/system/udev.te.orig
+++ policy/modules/system/udev.te
@@ -17,14 +17,12 @@
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
type udev_rules_t;
files_type(udev_rules_t)
type udev_var_run_t;
files_pid_file(udev_var_run_t)
+typealias udev_var_run_t alias udev_tbl_t;
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
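Review bot: The replacement `typealias` keeps only `udev_tbl_t`, while the removed declaration also carried `alias udev_tdb_t`, so any module that still references `udev_tdb_t` will stop compiling; keep both names with `typealias udev_var_run_t alias { udev_tbl_t udev_tdb_t };`. A comment above it such as `# compatibility aliases for the removed udev database type` would record why the alias exists so it can be retired later. Note that an alias is not a separate access boundary: every rule that grants access to udev_var_run_t now applies to the files formerly labeled udev_tbl_t as well.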
@@ -62,10 +60,6 @@
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
@@ -73,6 +67,7 @@
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file })
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
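Review bot: The added `dev_filetrans` transitions `file` and `lnk_file`, but the `/dev/\.udev(/.*)?` entries in the udev.fc hunk are restricted to regular files by `--`, so a symlink udev creates there is labeled udev_var_run_t at runtime yet would receive a different label on a filesystem relabel, unless an entry outside this patch covers it; dropping the `--` from that spec (or adding a matching `-l` entry) keeps the two consistent. The transition also omits `dir`, so if udev creates the `/dev/.udev` directory itself it keeps the /dev default label rather than udev_var_run_t, whereas the `files_pid_filetrans` on the preceding line already uses `{ dir file }`; `{ dir file lnk_file }` here, with a corresponding fc entry, would match. Whether udev actually creates the directory or the symlinks in this configuration is not visible in the patch, so confirm before widening the transition.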
Index: policy/modules/system/udev.if
===================================================================
--- policy/modules/system/udev.if.orig
+++ policy/modules/system/udev.if
@@ -160,10 +160,10 @@
#
interface(`udev_dontaudit_search_db',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
- dontaudit $1 udev_tbl_t:dir search_dir_perms;
+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
')
########################################
@@ -180,36 +180,52 @@
## Domain allowed access.
##
##
-##
#
interface(`udev_read_db',`
+ udev_read_pid_files($1)
+')
+
+########################################
+##
+## Allow process to modify list of devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_rw_db',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
+ files_search_pids($1)
dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:dir list_dir_perms;
- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
##
-## Allow process to modify list of devices.
+## Read udev pid files.
##
##
##
## Domain allowed access.
##
##
+##
#
-interface(`udev_rw_db',`
+interface(`udev_read_pid_files', `
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')
dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
########################################
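Review bot: `udev_rw_db` now grants `rw_files_pattern` on the whole `udev_var_run_t` type, which after this patch also labels `/var/run/udev` and `/var/run/PackageKit/udev`, so callers that could previously modify only the old device-table files can now write every udev run-time file; existing callers of `udev_rw_db` deserve a re-audit, and the interface summary should state that it covers udev's pid files. The same widening applies to the dontaudit in the `udev_dontaudit_search_db` hunk and to `udev_read_db`. Since `udev_read_db` is now a one-line wrapper, say so in its summary, e.g. `## Deprecated: use udev_read_pid_files() instead.`. Minor style: `interface(`udev_read_pid_files', `` has a space after the comma that the other interface declarations in this file do not.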
@@ -228,6 +244,6 @@
type udev_var_run_t;
')
- files_search_var_lib($1)
+ files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')