From 623ee2d0f2ac072f62bc3d30eb828998e9315a90 Mon Sep 17 00:00:00 2001
From: Jackie Huang
Date: Tue, 13 May 2014 06:01:13 -0400
Subject: refpolicy: Allow udev the block_suspend capability

Fix the avc denied issue:
type=1400 audit(1399440994.656:14): avc: denied { block_suspend } for pid=80 comm="udevd" capability=36 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tcontext=system_u:system_r:udev_t:s0-s15:c0.c1023 tclass=capability2
The patch is backported from upstream
Signed-off-by: Jackie Huang
Signed-off-by: Mark Hatle
---
 .../Allow-udev-the-block_suspend-capability.patch | 25 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc | 1 +
 2 files changed, 26 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
new file mode 100644
index 0000000..3c6a979
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/Allow-udev-the-block_suspend-capability.patch
@@ -0,0 +1,25 @@
+Allow udev the block_suspend capability
+
+Upstream-Status: backport
+upstream commit: 5905067f2acf710ffbb13ba32575e6316619ddd8
+
+Signed-off-by: Jackie Huang
+---
+ policy/modules/system/udev.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index 90e4ab3..efe6c02 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
+ 
+ allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
+ dontaudit udev_t self:capability sys_tty_config;
++allow udev_t self:capability2 block_suspend;
+ allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow udev_t self:process { execmem setfscreate };
+ allow udev_t self:fd use;
+-- 
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 5dbb2dc..0e7419d 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -61,6 +61,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
 # Backport from upstream
 SRC_URI += "file://Allow-ping-to-get-set-capabilities.patch \
 file://filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch \
+ file://Allow-udev-the-block_suspend-capability.patch \
 "
 
 include refpolicy_common.inc
-- 
cgit v1.2.3-54-g00ecf
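Review bot: The new rule `allow udev_t self:capability2 block_suspend;` is justified in the patch header only by the AVC denial, not by what udevd fails to do without the capability, and the same module distinguishes between capabilities a daemon needs (`allow`) and ones it merely probes for (`dontaudit udev_t self:capability sys_tty_config;` on the context line just above). Since the header already cites the upstream commit `5905067f2acf710ffbb13ba32575e6316619ddd8`, carry over the upstream rationale in one line so a later reviewer can tell this is a required permission rather than audit noise, e.g. `# udevd takes a wake lock while handling events; block_suspend is required, not just requested` above the new rule. Also note the OE convention spells the tag `Upstream-Status: Backport` (capitalised) rather than `backport`. The context line's capability set lists `sys_nice` twice, which predates this change and is harmless, but could be tidied in a separate patch.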