136 строки
3.4 KiB
Diff
136 строки
3.4 KiB
Diff
From 7a0b98db32746f8d8899ece9aa5c8779605e85dd Mon Sep 17 00:00:00 2001
|
|
From: Chris PeBenito <Christopher.PeBenito@microsoft.com>
|
|
Date: Wed, 1 Mar 2023 20:53:21 +0000
|
|
Subject: [PATCH 35/35] modutils: Handle running dracut during rpm postinst.
|
|
|
|
Dracut runs depmod.
|
|
|
|
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
|
|
---
|
|
policy/modules/admin/rpm.if | 57 +++++++++++++++++++++++++++++++
|
|
policy/modules/kernel/files.if | 19 +++++++++++
|
|
policy/modules/system/modutils.te | 7 ++++
|
|
3 files changed, 83 insertions(+)
|
|
|
|
MSFT_TAG: not upstreamable
|
|
|
|
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
|
|
index 2b5e0768e..ce62d846f 100644
|
|
--- a/policy/modules/admin/rpm.if
|
|
+++ b/policy/modules/admin/rpm.if
|
|
@@ -338,6 +338,63 @@ interface(`rpm_manage_script_tmp_files',`
|
|
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Read rpm script temporary symlinks.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_read_script_tmp_symlinks',`
|
|
+ gen_require(`
|
|
+ type rpm_script_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read inherited rpm temporary files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_read_inherited_tmp_files',`
|
|
+ gen_require(`
|
|
+ type rpm_t, rpm_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rpm_t:fd use;
|
|
+ allow $1 rpm_tmp_t:file { getattr read };
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Append inherited rpm temporary files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_append_inherited_tmp_files',`
|
|
+ gen_require(`
|
|
+ type rpm_t, rpm_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rpm_t:fd use;
|
|
+ allow $1 rpm_tmp_t:file { getattr append };
|
|
+')
|
|
+
|
|
#####################################
|
|
## <summary>
|
|
## Append rpm temporary files.
|
|
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
|
index f7217b226..b95270960 100644
|
|
--- a/policy/modules/kernel/files.if
|
|
+++ b/policy/modules/kernel/files.if
|
|
@@ -2557,6 +2557,25 @@ interface(`files_boot_filetrans',`
|
|
filetrans_pattern($1, boot_t, $2, $3, $4)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Get the attributes of files in the /boot directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`files_getattr_boot_files',`
|
|
+ gen_require(`
|
|
+ type boot_t;
|
|
+ ')
|
|
+
|
|
+ getattr_files_pattern($1, boot_t, boot_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## read files in the /boot directory.
|
|
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
|
|
index 3da4d5354..fb388ce98 100644
|
|
--- a/policy/modules/system/modutils.te
|
|
+++ b/policy/modules/system/modutils.te
|
|
@@ -173,6 +173,13 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
rpm_rw_pipes(kmod_t)
|
|
+ # running dracut during rpm script:
|
|
+ files_getattr_boot_files(kmod_t)
|
|
+ rpm_manage_tmp_files(kmod_t)
|
|
+ rpm_read_inherited_tmp_files(kmod_t)
|
|
+ rpm_append_inherited_tmp_files(kmod_t)
|
|
+ rpm_manage_script_tmp_files(kmod_t)
|
|
+ rpm_read_script_tmp_symlinks(kmod_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
--
|
|
2.34.1
|
|
|