C9s build 20241010

policy/modules.conf

@@ -3120,3 +3120,10 @@ coreos_installer = module
 #  bootupd - bootloader update daemon
 #
 bootupd = module
+
+# Layer: contrib
+# Module: iiosensorproxy
+#
+# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
+#
+iiosensorproxy = module

policy/modules/contrib/boothd.te

@@ -43,6 +43,7 @@ files_pid_filetrans(boothd_t, boothd_var_run_t, { dir file} )
 manage_dirs_pattern(boothd_t, boothd_var_lib_t, boothd_var_lib_t)
 
 kernel_dgram_send(boothd_t)
+kernel_stream_connect(boothd_t)
 
 corecmd_exec_bin(boothd_t)
 corecmd_exec_shell(boothd_t)
@@ -76,6 +77,10 @@ optional_policy(`
 	rhcs_stream_connect_cluster(boothd_t)
 ')
 
+optional_policy(`
+       systemd_userdbd_stream_connect(boothd_t)
+')
+
 optional_policy(`
 	sysnet_read_config(boothd_t)
 ')

policy/modules/contrib/iiosensorproxy.fc

@@ -0,0 +1 @@
+/usr/libexec/iio-sensor-proxy	--	gen_context(system_u:object_r:iiosensorproxy_exec_t,s0)

policy/modules/contrib/iiosensorproxy.if

@@ -0,0 +1,2 @@
+## <summary>IIO sensors to D-Bus proxy</summary>
+

policy/modules/contrib/iiosensorproxy.te

@@ -0,0 +1,31 @@
+policy_module(iiosensorproxy, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type iiosensorproxy_t;
+type iiosensorproxy_exec_t;
+init_daemon_domain(iiosensorproxy_t, iiosensorproxy_exec_t)
+
+allow iiosensorproxy_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+dev_read_sysfs(iiosensorproxy_t)
+
+optional_policy(`
+	dbus_connect_system_bus(iiosensorproxy_t)
+	dbus_system_bus_client(iiosensorproxy_t)
+
+	optional_policy(`
+		policykit_dbus_chat(iiosensorproxy_t)
+	')
+
+	optional_policy(`
+		unconfined_dbus_chat(unconfined_t)
+	')
+')
+
+optional_policy(`
+	udev_read_pid_files(iiosensorproxy_t)
+')

policy/modules/contrib/linuxptp.te

@@ -159,7 +159,7 @@ allow ptp4l_t self:packet_socket create_socket_perms;
 allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
 allow ptp4l_t self:shm create_shm_perms;
 allow ptp4l_t self:udp_socket create_socket_perms;
-allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time };
 allow ptp4l_t self:capability2 { bpf wake_alarm };
 allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
 

policy/modules/contrib/stalld.te

@@ -19,9 +19,12 @@ files_pid_file(stalld_var_run_t)
 #
 # stalld local policy
 #
-allow stalld_t self:capability sys_nice;
-allow stalld_t self:process { fork setsched };
+allow stalld_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow stalld_t self:capability { sys_nice sys_resource };
+allow stalld_t self:capability2 { bpf perfmon };
+allow stalld_t self:process { fork setsched setrlimit };
 allow stalld_t self:fifo_file rw_fifo_file_perms;
+allow stalld_t self:process setrlimit;
 allow stalld_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(stalld_t, stalld_var_run_t, stalld_var_run_t)
@@ -43,6 +46,8 @@ domain_use_interactive_fds(stalld_t)
 
 files_read_etc_files(stalld_t)
 
+fs_list_bpf_dirs(stalld_t)
+
 selinux_read_security_files(stalld_t)
 
 logging_send_syslog_msg(stalld_t)

policy/modules/kernel/devices.fc

@@ -46,6 +46,7 @@
 /dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/hfi1_[0-9]+	-c	gen_context(system_u:object_r:hfi1_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)

policy/modules/kernel/devices.if

@@ -6681,6 +6681,24 @@ interface(`dev_rw_papr_sysparm',`
 	rw_chr_files_pattern($1, device_t, papr_sysparm_device_t)
 ')
 
+########################################
+## <summary>
+##	Allow read the hfi1_[0-9]+ devices
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_hfi1',`
+	gen_require(`
+		type device_t, hfi1_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, hfi1_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Create all named devices with the correct label

policy/modules/kernel/devices.te

@@ -158,6 +158,12 @@ dev_node(gpfs_device_t)
 type gpio_device_t;
 dev_node(gpio_device_t)
 
+#
+# Type for /dev/hfi1_[0-9]+
+#
+type hfi1_device_t;
+dev_node(hfi1_device_t)
+
 #
 # Type for /dev/ipmi/0
 #

policy/modules/kernel/filesystem.if

@@ -599,6 +599,26 @@ interface(`fs_register_binary_executable_type',`
 	rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')
 
+########################################
+## <summary>
+##	List bpf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_list_bpf_dirs',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	list_dirs_pattern($1, bpf_t, bpf_t)
+	fs_search_tmpfs($1)
+	dev_search_sysfs($1)
+')
+
 ########################################
 ## <summary>
 ##	Manage bpf directories.

policy/modules/system/modutils.fc

@@ -34,5 +34,6 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/modules/modprobe\.conf -- 	gen_context(system_u:object_r:modules_conf_t,s0)
 
+/var/run/modprobe\.d(/.*)?		gen_context(system_u:object_r:modules_conf_t,s0)
 /var/run/tmpfiles.d/kmod.conf --	gen_context(system_u:object_r:kmod_var_run_t,s0)
 /var/run/tmpfiles.d/static-nodes.conf --	gen_context(system_u:object_r:kmod_var_run_t,s0)