
[09/12] package/acpid/selinux: Add buildroot acpid policy

Message ID 20231012103210.2915871-10-adam.duskett@amarulasolutions.com
State New
Series SELinux: Basic config enforcing mode support. | expand

Commit Message

Adam Duskett Oct. 12, 2023, 10:32 a.m. UTC
This is a basic policy necessary for acpid to work properly in enforcing
mode without any denials.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 DEVELOPERS                               |  1 +
 package/acpid/selinux/buildroot-acpid.fc |  0
 package/acpid/selinux/buildroot-acpid.if |  1 +
 package/acpid/selinux/buildroot-acpid.te | 10 ++++++++++
 4 files changed, 12 insertions(+)
 create mode 100644 package/acpid/selinux/buildroot-acpid.fc
 create mode 100644 package/acpid/selinux/buildroot-acpid.if
 create mode 100644 package/acpid/selinux/buildroot-acpid.te


diff --git a/DEVELOPERS b/DEVELOPERS
index 5082448b56..695738c4a9 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -32,6 +32,7 @@  F:	package/vulkan-loader/
 F:	package/vulkan-tools/
 
 N:	Adam Duskett <adam.duskett@amarulasolutions.com>
+F:	package/acpid/selinux/
 F:	package/audit/selinux/
 F:	package/busybox/selinux/
 F:	package/depot-tools/
diff --git a/package/acpid/selinux/buildroot-acpid.fc b/package/acpid/selinux/buildroot-acpid.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/acpid/selinux/buildroot-acpid.if b/package/acpid/selinux/buildroot-acpid.if
new file mode 100644
index 0000000000..b2b568a823
--- /dev/null
+++ b/package/acpid/selinux/buildroot-acpid.if
@@ -0,0 +1 @@ 
+## <summary>Buildroot acpid rules</summary>
diff --git a/package/acpid/selinux/buildroot-acpid.te b/package/acpid/selinux/buildroot-acpid.te
new file mode 100644
index 0000000000..dd10e65c42
--- /dev/null
+++ b/package/acpid/selinux/buildroot-acpid.te
@@ -0,0 +1,10 @@ 
+policy_module(buildroot-acpid, 1.0.0)
+
+#============= acpid_t ==============
+allow acpid_t device_t:chr_file { read open write ioctl };
+allow acpid_t kernel_t:fd use;
+allow acpid_t root_t:chr_file { read write open ioctl };
+allow acpid_t tmpfs_t:dir { add_name write remove_name };
+allow acpid_t tmpfs_t:file { create open write unlink };
+allow acpid_t tmpfs_t:sock_file create;
+
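Review bot: The rules on device_t (L61), root_t (L63) and tmpfs_t (L64–L66) grant acpid_t access to the generic fallback types that files carry only when nothing more specific has labelled them, so the policy appears to be permitting a labelling gap rather than describing what acpid actually needs — and the buildroot-acpid.fc added in the same patch is empty, so no file contexts are contributed either. A chr_file denial on root_t together with file/sock_file creation in plain tmpfs_t usually indicates that /dev and /run were not relabelled or got no type transition at boot; I would confirm that with `ls -Z /dev /run` on the target before keeping these, because `allow acpid_t tmpfs_t:dir { add_name write remove_name };` as written lets acpid write into any tmpfs directory on the system rather than just its own pid/socket files. For the rules that survive, the refpolicy convention is to go through interfaces rather than raw allow on another module's types, e.g. `kernel_use_fds(acpid_t)` for L62 and `dev_rw_generic_chr_files(acpid_t)` for L61. Each remaining rule deserves a one-line comment naming the denial it resolves (the device path, or the socket/pid file under /run), so the next maintainer can tell a labelling workaround from a genuine requirement.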