commit 85c5fc21c8a6259ec74686d62cf2c9a3fe01a56e
author William Roberts <wroberts@tresys.com> Sun Oct 06 15:36:11 2013 -0400
committer William Roberts <wroberts@tresys.com> Tue Oct 08 09:43:28 2013 -0400
tree 1bff697293b8537e1dd6481724b8c90fed489027
parent ec7d39ba168a5b620e6bb526f316581acc5c1238

Start confining ueventd

* Keep ueventd in permissive
* Drop unconfined macro to collect logs
* Restore allow rules to current NSA maintained policy

Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b

ueventd.te

diff --git a/ueventd.te b/ueventd.te
index 6e1a4a8..1562c0e 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -3,5 +3,22 @@
 type ueventd, domain;
 permissive ueventd;
 tmpfs_domain(ueventd)
-unconfined_domain(ueventd)
+write_klog(ueventd)
+security_access_policy(ueventd)
+relabelto_domain(ueventd)
 allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file create_file_perms;
+allow ueventd device:chr_file rw_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs:file setattr;
+allow ueventd sysfs_type:file { relabelfrom relabelto };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;