Prelink patch from Dan Walsh.
Prelink has a new directory under /var/lib; dontaudit leaks from domains that transition; the cron job looks at all mount points.
parent
9a4d292902
commit
a9ef84b578
@ -8,3 +8,4 @@
|
||||
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
||||
|
||||
/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
||||
/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
||||
|
@ -17,6 +17,11 @@ interface(`prelink_domtrans',`
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, prelink_exec_t, prelink_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit prelink_t $1:socket_class_set { read write };
|
||||
dontaudit prelink_t $1:fifo_file setattr;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
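Review bot: The two `dontaudit` rules added under `hide_broken_symptoms` in `prelink_domtrans` have no comment saying which symptom they hide. The commit description suggests these are descriptors leaked by the calling domain, so a line such as `# Callers leak open sockets and fifos to prelink_t across the transition; silence the resulting denials.` above the first rule would record that. `socket_class_set` covers every socket class for every caller passed as `$1`, so these denials will no longer appear in the audit log. The interface's documentation block should say so, and note that a policy rebuild with dontaudit rules disabled (`semodule -DB`) is needed to see them during an investigation. The interface header and its doc block start above this hunk.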
@ -1,4 +1,4 @@
|
||||
policy_module(prelink, 1.9.0)
|
||||
policy_module(prelink, 1.9.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -123,7 +123,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
allow prelink_cron_system_t self:capability setuid;
|
||||
allow prelink_cron_system_t self:process { setsched setfscreate };
|
||||
allow prelink_cron_system_t self:process { setsched setfscreate signal };
|
||||
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
|
||||
allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
|
||||
|
||||
@ -144,7 +144,9 @@ optional_policy(`
|
||||
corecmd_exec_bin(prelink_cron_system_t)
|
||||
corecmd_exec_shell(prelink_cron_system_t)
|
||||
|
||||
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
|
||||
files_read_etc_files(prelink_cron_system_t)
|
||||
files_search_var_lib(prelink_cron_system_t)
|
||||
|
||||
init_exec(prelink_cron_system_t)
|
||||
|
||||
|
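Review bot: The `signal` permission added in the -123,7 hunk, `allow prelink_cron_system_t self:process { setsched setfscreate signal };`, is the one change in this file the commit description does not explain. The description covers the new /var/lib directory, the leak dontaudits and the mount-point search, but not why the cron domain needs to signal itself. A short comment above the rule naming the step of the cron job that sends the signal would let a later reviewer judge whether the grant is still needed. The enclosing `optional_policy` block starts and ends outside the hunk, so the conditions under which the rule is active cannot be checked from here.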