diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 00e89948..2b54658f 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -32,6 +32,16 @@ interface(`init_domain',` allow init_t $1:fd use; allow $1 init_t:fifo_file rw_file_perms; allow $1 init_t:process sigchld; + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fd($1) + storage_dontaudit_read_fixed_disk($1) + files_dontaudit_read_root_file($1) + ') + ') ') ######################################## @@ -75,6 +85,16 @@ interface(`init_daemon_domain',` typeattribute $2 direct_init_entry; ') + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fd($1) + storage_dontaudit_read_fixed_disk($1) + files_dontaudit_read_root_file($1) + ') + ') + ifdef(`targeted_policy',` # this regex is a hack, since it assumes there is a # _t at the end of the domain type. If there is no _t @@ -141,6 +161,16 @@ interface(`init_system_domain',` allow $1 initrc_t:fd use; allow $1 initrc_t:fifo_file rw_file_perms; allow $1 initrc_t:process sigchld; + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray + # fds open from the initrd + ifdef(`distro_rhel4',` + kernel_dontaudit_use_fd($1) + storage_dontaudit_read_fixed_disk($1) + files_dontaudit_read_root_file($1) + ') + ') ') ########################################