allow ueventd sysfs_type lnk_file

ueventd is allowed to change files and directories in /sys, but not symbolic links. This is, at a minimum, causing the following denial: type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file Allow ueventd to modify labeling / attributes of symlinks. Change-Id: If641a218e07ef479d1283f3171b2743f3956386d
author: Nick Kralevich <nnk@google.com> 2014-07-09 23:07:10 -0700
committer: Nick Kralevich <nnk@google.com> 2014-07-09 23:07:10 -0700
commit: 1d2ff869634649955fab0be3fb724d8b937c80bf (patch)
tree: 5e50c0283d594208a9def59ec9c50a73d09a5a22
parent: b59dc27a1b580a13c50477d2af1cbdaf95601d8f (diff)
download: sepolicy-1d2ff869634649955fab0be3fb724d8b937c80bf.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/ueventd.te b/ueventd.te
index 7d60c5a..d8ae16c 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -10,7 +10,7 @@ allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio da
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
 allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs_type:file { relabelfrom relabelto setattr getattr };
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
 allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
 allow ueventd tmpfs:chr_file rw_file_perms;
author	Nick Kralevich <nnk@google.com>	2014-07-09 23:07:10 -0700
committer	Nick Kralevich <nnk@google.com>	2014-07-09 23:07:10 -0700
commit	1d2ff869634649955fab0be3fb724d8b937c80bf (patch)
tree	5e50c0283d594208a9def59ec9c50a73d09a5a22
parent	b59dc27a1b580a13c50477d2af1cbdaf95601d8f (diff)
download	sepolicy-1d2ff869634649955fab0be3fb724d8b937c80bf.tar.gz