Altered to use roleattribute based on suggestion
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
 policy/modules/system/udev.te | 2 ++
 2 files changed, 28 insertions(+)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..90dfb17d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,32 @@ interface(`udev_domtrans',`
 domtrans_pattern($1, udev_exec_t, udev_t)
 ')
 
+########################################
+## <summary>
+## Execute udev in the udev domain, and
+## allow the specified role the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+ gen_require(`
+ attribute_role udev_roles;
+ ')
+
+ udev_domtrans($1)
+ roleattribute $2 udev_roles;
+')
+
 ########################################
 ## <summary>
 ## Allow udev to execute the specified program in
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3cbf7eff..88bff272 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.0)
 #
 # Declarations
 #
+attribute_role udev_roles;
 
 type udev_t;
 type udev_exec_t;
@@ -14,6 +15,7 @@ domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
+role udev_roles types udev_t;
 
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
-- 
2.20.1
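Review bot: The new `udev_run` interface hands the role the whole udev_t domain, which udev.te in this same patch shows is an init daemon domain (`init_daemon_domain(udev_t, udev_exec_t)`), but the interface documentation does not say that; adding a `<desc>` paragraph between `</summary>` and the first `<param>` stating that the role receives udev's full daemon privileges and that the interface is intended for administrative roles would help policy authors decide where it is safe to call. Separately, the udev.te context lists `udev_helper_exec_t` as an entrypoint for udev_t (`domain_entry_file(udev_t, udev_helper_exec_t)`), while `udev_domtrans` only transitions on `udev_exec_t`, so a role given `udev_run` presumably does not transition when executing a helper binary directly; if that is intended, a one-line note in the summary would save the next reader the question. The `udev_domtrans` interface this hunk follows begins before the hunk, and the interface whose header closes the hunk continues past it.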
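Review bot: The udev.te hunks add a public role attribute and role statement (`attribute_role udev_roles;` and `role udev_roles types udev_t;`) while the hunk context still shows `policy_module(udev, 1.25.0)` unchanged; refpolicy practice has been to bump the module version when a module's public interface grows, so unless the maintainer prefers to bump on merge, a `policy_module(udev, 1.26.0)` line belongs in the first udev.te hunk. The placement of the role statement after the `init_*` calls matches how other refpolicy modules bind their role attribute, so no change is needed there.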