On 12/17/19 6:34 PM, Sugar, David wrote:
I'm seeing the following denial when using 'efivars --list'. This
interface grants access
2019-12-17T15:22:06-05:00 ip-tsc-black tag_audit_log: type=AVC msg=audit(1576596109.149:95): avc: denied { read } for pid=2329 comm="efivar" name="/" dev="efivarfs" ino=11266 scontext=system_u:system_r:my_app_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 62911f12..98f3af5d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1982,6 +1982,24 @@ interface(`fs_manage_dos_files',`
manage_files_pattern($1, dosfs_t, dosfs_t)
')
+########################################
+## <summary>
+## List dirs in efivarfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_efivars',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ list_dirs_pattern($1, efivarfs_t, efivarfs_t)
+')
+
#######################################
## <summary>
## Read files in efivarfs
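Review bot: the commit message names the command as 'efivars --list' while the denial's comm= field reads "efivar"; make the two agree so the log line can be matched to the tool when someone later searches the policy history for this interface. The rule itself fits the denial shown: list_dirs_pattern($1, efivarfs_t, efivarfs_t) grants the directory read/getattr/search set on dirs labelled efivarfs_t, which covers the { read } on name="/" dev="efivarfs", and keeping it separate from the 'Read files in efivarfs' interface that follows lets a domain enumerate variable names without also being granted their contents. One style nit: the new header rule and the existing one on the next interface differ in length by one '#', so one of them should be aligned to the other when this is touched again.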
Merged.
--
Chris PeBenito