From 60e4f114acb237bdd195d9cc433a754d0471005a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 28 Jun 2012 14:28:24 -0400
Subject: [PATCH] Add key_socket class to socket_class_set macro.  Allow system
 to trigger module auto-loading and to write to sockets created under /dev.

---
 global_macros | 2 +-
 system.te     | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/global_macros b/global_macros
index 15e09ed7e..6d71c0c9c 100644
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@ define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file
 define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`devfile_class_set', `{ chr_file blk_file }')
 
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
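Review bot: Adding key_socket to the shared socket_class_set define widens every rule in the policy written in terms of that macro, not only the case that motivated the change, so any domain already granted permissions over socket_class_set now holds them over PF_KEY sockets as well; nothing in the hunk shows those call sites were reviewed. If a single domain needs key_socket, a dedicated rule on that domain is the narrower change than extending the generic set. At minimum a comment on the define recording why key_socket belongs in the generic set would help the next reader, e.g. `# key_socket (PF_KEY) is included so rules written over socket_class_set cover it; check callers before relying on this being narrow.`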
diff --git a/system.te b/system.te
index 1457c79ac..2030af467 100644
--- a/system.te
+++ b/system.te
@@ -72,6 +72,9 @@ bluetooth_domain(system)
 # XXX See if we can remove some of these.
 allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
 
+# Trigger module auto-load.
+allow system kernel:system module_request;
+
 # Use netlink uevent sockets.
 allow system self:netlink_kobject_uevent_socket *;
 
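Review bot: The comment on the new module_request rule states what the permission is but not which operation of the system domain triggers the auto-load, so the rule cannot be re-evaluated later; the existing `# XXX See if we can remove some of these.` note a few lines above shows this file already carries exactly that kind of open question. Recording the trigger, e.g. `# Trigger module auto-load (needed for: <operation seen in the audit denial>).`, ties the grant to its justification. Note also that module_request lets the domain ask the kernel to load a module by name, which is separate from the sys_module capability already granted on the capability line in this hunk; system now holds both.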
@@ -133,6 +136,7 @@ allow system sysfs_nfc_power_writable:file rw_file_perms;
 # Access devices.
 allow system device:dir r_dir_perms;
 allow system device:chr_file rw_file_perms;
+allow system device:sock_file rw_file_perms;
 allow system akm_device:chr_file rw_file_perms;
 allow system accelerometer_device:chr_file rw_file_perms;
 allow system alarm_device:chr_file rw_file_perms;
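Review bot: The new sock_file rule is granted on the generic `device` type, which covers any socket file under /dev that has not been given a more specific label, rather than on the particular socket the system domain needs; the neighbouring rules in this hunk (akm_device, accelerometer_device, alarm_device) show the file's usual per-device labelling pattern. Giving that socket file its own type and granting on that keeps the grant scoped to one endpoint. rw_file_perms is the file read/write set; if the only need is to connect() to a unix socket, `write` on the sock_file (together with the corresponding socket permission on the peer domain, which this hunk does not add) may be the narrower grant — worth confirming against the denial that prompted the change.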
-- 
GitLab