author: Kenton Groombridge <me@concord.sh> 2021-04-13 16:48:54 -0400
committer: Jason Zaman <perfinion@gentoo.org> 2021-09-05 07:16:58 -0700
commit: 95ba6dc2388e695c24d2d19f5ce3aa6a6a8951be (hardened-refpolicy)
tree: 1da15225d0518635886666e1e646fdf12f99bf81 /policy/modules/kernel/devices.if
parent: filesystem, init: allow systemd to create pstore dirs
bootloader, devices: dontaudit grub writing on legacy efi variables
Newer versions of grub modify EFI variables on efivarfs. This commit adds a dontaudit on the legacy /sys/fs/efi/vars files.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules/kernel/devices.if')
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 19d29c95f..ac72cde12 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4475,6 +4475,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
## <summary>
+## Do not audit attempts to write to a sysfs file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file write;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete sysfs
## directories.
## </summary>
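Review bot: `dontaudit $1 sysfs_t:file write;` in the new `dev_dontaudit_write_sysfs_files` interface is much broader than the commit message's stated target (the legacy /sys/fs/efi/vars files): it silences write denials on every file labeled sysfs_t for the calling domain, so a later regression where the bootloader starts writing some unrelated sysfs attribute would leave no AVC record at all. If the legacy efi vars files cannot be given a type of their own, the interface summary should say plainly that the rule covers all of sysfs rather than "a sysfs file", and the call site in the bootloader module (not part of this diffstat) should carry a comment naming the specific paths that motivated it, so the scope is visible to whoever audits the policy later. Minor: the `dontaudit` is for `write` only, which matches the described behaviour; if grub also opens these files for `append`, that denial will still be logged, which is probably what you want.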