From: Laurent Bigonville <bigon@xxxxxxxx> colord-sane daemon indirectly links against libsnmp, the library tries to read files in /var/lib/snmp ---- type=AVC msg=audit(06/10/19 12:58:49.639:83) : avc: denied { getattr } for pid=873 comm=colord-sane path=/var/lib/snmp dev="dm-1" ino=399773 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=1 ---- type=AVC msg=audit(06/10/19 12:58:49.639:84) : avc: denied { search } for pid=873 comm=colord-sane name=snmp dev="dm-1" ino=399773 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=1 ---- type=AVC msg=audit(06/10/19 12:58:49.647:85) : avc: denied { search } for pid=873 comm=colord-sane name=snmp dev="dm-1" ino=399773 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=1 ---- type=AVC msg=audit(06/10/19 12:58:49.647:86) : avc: denied { getattr } for pid=873 comm=colord-sane path=/var/lib/snmp dev="dm-1" ino=399773 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=1 Signed-off-by: Laurent Bigonville <bigon@xxxxxxxx> --- policy/modules/services/colord.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index 2fbb1835..ec03244b 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -132,6 +132,10 @@ optional_policy(` policykit_read_reload(colord_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(colord_t) +') + optional_policy(` sysnet_exec_ifconfig(colord_t) ') -- 2.23.0
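Review bot: the added snmp_read_snmp_var_lib_files(colord_t) call in the new optional_policy block grants more than the quoted denials show a need for. All four AVC records are getattr or search on the /var/lib/snmp directory (tclass=dir) and were logged with permissive=1; none is a read or open on a file labelled snmpd_var_lib_t. If colord-sane only probes the directory because libsnmp is linked in, a narrower rule covering directory search, or a dontaudit, would keep colord_t closer to least privilege. If libsnmp really does need to read files there, please say in the commit message which files and why, so the file read access is justified by more than the directory denials.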