-rw-r--r-- | policy/modules/admin/bootloader.te | 2 | ||||
-rw-r--r-- | policy/modules/kernel/devices.if | 18 |
2 files changed, 20 insertions, 0 deletions
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 8bbaed33..c149fd98 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -83,6 +83,8 @@ dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
 dev_read_rand(bootloader_t)
 dev_read_urand(bootloader_t)
 dev_read_sysfs(bootloader_t)
+# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/fs/efi/vars access
+dev_dontaudit_write_sysfs_files(bootloader_t)
 
 # needed on some hardware
 dev_rw_nvram(bootloader_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 19d29c95..ac72cde1 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4475,6 +4475,24 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
 
 ########################################
 ## <summary>
+## Do not audit attempts to write to a sysfs file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_sysfs_files',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:file write;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete sysfs
 ## directories.
 ## </summary>
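Review bot: The comment on the added line names `/sys/fs/efi/vars`, but the legacy sysfs EFI variable interface lives under `/sys/firmware/efi/vars` (with efivarfs mounted at `/sys/firmware/efi/efivars`); if that is the path meant, the comment should read `# newer versions of grub use efivarfs to modify EFI variables; dontaudit legacy /sys/firmware/efi/vars write access`. Separately, `dev_dontaudit_write_sysfs_files(bootloader_t)` silences write denials on every file labeled sysfs_t, not only the EFI variable directory, so a write attempt by bootloader_t anywhere else in sysfs will no longer show up in the audit log; recording that scope in the comment lets the rule be revisited once legacy grub versions are no longer a concern. Whether the denial being silenced was observed only on the legacy path cannot be told from the diff.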
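Review bot: The summary says "a sysfs file", but the rule `dontaudit $1 sysfs_t:file write;` applies to every file carrying the sysfs_t type, so the XML doc should state that scope, e.g. `## Do not audit attempts to write to sysfs files (any file labeled sysfs_t).` Callers then know that silencing one path's denial removes all sysfs write denials for the domain from the audit trail. The interface body itself follows the shape of the sibling `dev_dontaudit_write_sysfs_dirs` named in the hunk header, whose body lies outside the hunk.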