diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if
index 7622d76..913e857 100644
--- a/policy/modules/services/pcscd.if
+++ b/policy/modules/services/pcscd.if
@@ -53,6 +53,5 @@ interface(`pcscd_stream_connect',`
 ')
 
 files_search_pids($1)
- allow $1 pcscd_var_run_t:sock_file write;
- allow $1 pcscd_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
 ')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 0dc3371..37ddf3e 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -1,5 +1,5 @@
 
-policy_module(pcscd, 1.5.0)
+policy_module(pcscd, 1.5.1)
 
 ########################################
 #
@@ -29,9 +29,12 @@ allow pcscd_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
+manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 manage_sock_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
 files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
 
+kernel_read_system_state(pcscd_t)
+
 corenet_all_recvfrom_unlabeled(pcscd_t)
 corenet_all_recvfrom_netlabel(pcscd_t)
 corenet_tcp_sendrecv_generic_if(pcscd_t)
@@ -40,6 +43,7 @@ corenet_tcp_sendrecv_all_ports(pcscd_t)
 corenet_tcp_connect_http_port(pcscd_t)
 
 dev_rw_generic_usb_dev(pcscd_t)
+dev_rw_smartcard(pcscd_t)
 dev_rw_usbfs(pcscd_t)
 dev_search_sysfs(pcscd_t)
 
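Review bot: `stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)` in pcscd_stream_connect is not a like-for-like replacement for the two removed `allow` rules. If I read the pattern's definition in the reference policy support macros correctly, it also grants search on pcscd_var_run_t directories and the wider socket-file write permission set rather than bare `write`, and every domain that calls this interface inherits that. That is probably the intent, since a socket inside a pcscd-owned run directory needs the directory search. The interface's summary comment starts above this hunk and should state that callers also gain directory search on the pcscd runtime directory, so the wider grant is visible when callers are audited.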
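Review bot: The added `manage_fifo_files_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)` has no matching class in the transition two lines below it, `files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })`. A FIFO that pcscd creates directly in the pid directory would keep the parent directory's type and fall outside the new rule. If that can happen the class set should read `{ file fifo_file sock_file dir }`; if FIFOs only ever live inside the pcscd-owned directory, a one-line comment saying so is enough. `kernel_read_system_state(pcscd_t)` is also added without a comment, and naming what the daemon reads under /proc, or the denial that prompted the rule, would let a later reviewer judge whether the grant is still needed.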
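Review bot: `dev_rw_smartcard(pcscd_t)` is added alongside `dev_rw_generic_usb_dev(pcscd_t)` and `dev_rw_usbfs(pcscd_t)`, which both stay, so the daemon keeps read/write on every generically labeled USB node on top of the dedicated smartcard type. If readers are now expected to carry the smartcard label, check whether the generic USB grant can be dropped in a follow-up. Otherwise a comment such as `# generic USB access still needed for readers not labeled as smartcard devices` would record why both are required. The device labeling rules are outside this hunk, so which of the two applies cannot be confirmed from here.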