Allow mock_t to setattr on sysfs_t dir, not sure if this would work with a dontaudit
authorDan Walsh <dwalsh@redhat.com>
Fri, 1 Apr 2011 13:24:29 +0000 (09:24 -0400)
committerDan Walsh <dwalsh@redhat.com>
Fri, 1 Apr 2011 13:24:29 +0000 (09:24 -0400)
policy/modules/kernel/devices.if
policy/modules/services/mock.te

index 0b844f8059800174ad30ec9232be2d98b499c4dc..c4607c94bee7004ca1e6e013e451bd183b3af4a5 100644 (file)
@@ -3864,6 +3864,24 @@ interface(`dev_getattr_sysfs_dirs',`
        allow $1 sysfs_t:dir getattr_dir_perms;
 ')
 
+########################################
+## <summary>
+##     Set the attributes of sysfs directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_setattr_sysfs_dirs',`
+       gen_require(`
+               type sysfs_t;
+       ')
+
+       allow $1 sysfs_t:dir setattr_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##     Search the sysfs directories.
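Review bot: Only an allow variant of the interface is added here, although the commit message leaves open whether a dontaudit would be enough for mock. A companion interface placed next to `dev_setattr_sysfs_dirs` would let a caller suppress the denial instead of granting setattr on every `sysfs_t` directory. That is the narrower choice if the failed call turns out to be harmless. The interface name in the sketch below is a suggestion, not an existing one.

```selinux
########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:dir setattr_dir_perms;
')
```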
index 16a267a557263ccd474237f1c13971fd83d70694..891bb5a94c627ccb89b6d5403f405f98c8c9dd81 100644 (file)
@@ -65,7 +65,6 @@ allow mock_t mock_var_lib_t:dir mounton;
 allow mock_t mock_var_lib_t:dir relabel_dir_perms;
 allow mock_t mock_var_lib_t:file relabel_file_perms;
 
-
 kernel_list_proc(mock_t)
 kernel_read_irq_sysctls(mock_t)
 kernel_read_system_state(mock_t)
@@ -81,6 +80,7 @@ corenet_tcp_connect_http_port(mock_t)
 
 dev_read_urand(mock_t)
 dev_read_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
 
 domain_read_all_domains_state(mock_t)
 domain_use_interactive_fds(mock_t)
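Review bot: The added `dev_setattr_sysfs_dirs(mock_t)` line has no comment saying which mock operation needs setattr on sysfs directories, and the commit message indicates the grant was not tried against a dontaudit. The rule applies to every directory labelled `sysfs_t`, so it is worth recording why it exists and that it should be revisited. A comment above the call would do, for example `# mock sets attributes on sysfs dirs (reason not yet identified); TODO: test whether a dontaudit rule is sufficient`. If mock still works with the access denied, replacing the allow with a dontaudit keeps the domain closer to least privilege.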