- Fix initrc_context generation for MLS
parent
33b0aacf82
commit
cab5dce18d
@ -7424,8 +7424,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
|
||||
########################################
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.3.1/policy/modules/kernel/kernel.te
|
||||
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-12-19 05:32:07.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-02-26 08:29:22.000000000 -0500
|
||||
@@ -259,6 +259,8 @@
|
||||
+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.te 2008-03-06 15:50:41.000000000 -0500
|
||||
@@ -231,6 +231,8 @@
|
||||
# Mount root file system. Used when loading a policy
|
||||
# from initrd, then mounting the root filesystem
|
||||
fs_mount_all_fs(kernel_t)
|
||||
+fs_unmount_all_fs(kernel_t)
|
||||
+
|
||||
|
||||
selinux_load_policy(kernel_t)
|
||||
|
||||
@@ -253,12 +255,16 @@
|
||||
|
||||
mls_process_read_up(kernel_t)
|
||||
mls_process_write_down(kernel_t)
|
||||
+mls_file_write_all_levels(kernel_t)
|
||||
+mls_file_read_all_levels(kernel_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# Bugzilla 222337
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
|
||||
@ -7434,7 +7451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default(kernel_t)
|
||||
files_read_default_files(kernel_t)
|
||||
@@ -363,7 +365,7 @@
|
||||
@@ -363,7 +369,7 @@
|
||||
|
||||
allow kern_unconfined proc_type:{ dir file lnk_file } *;
|
||||
|
||||
@ -7443,7 +7460,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
|
||||
|
||||
allow kern_unconfined kernel_t:system *;
|
||||
|
||||
@@ -374,3 +376,4 @@
|
||||
@@ -374,3 +380,4 @@
|
||||
allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
|
||||
|
||||
kernel_rw_all_sysctls(kern_unconfined)
|
||||
@ -13651,7 +13668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
|
||||
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-12-19 05:32:17.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-06 13:11:59.000000000 -0500
|
||||
+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-03-06 16:54:16.000000000 -0500
|
||||
@@ -18,6 +18,9 @@
|
||||
type fail2ban_var_run_t;
|
||||
files_pid_file(fail2ban_var_run_t)
|
||||
@ -13683,7 +13700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
|
||||
+fs_list_inotifyfs(fail2ban_t)
|
||||
+
|
||||
+auth_use_nsswitch(fail2ban_t)
|
||||
+corenet_tcp_connect_dns_port(fail2ban_t)
|
||||
+corenet_tcp_connect_whois_port(fail2ban_t)
|
||||
|
||||
libs_use_ld_so(fail2ban_t)
|
||||
libs_use_shared_libs(fail2ban_t)
|
||||
|
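Review bot: The two MLS overrides granted to kernel_t in the kernel.te hunk at 253, `mls_file_write_all_levels(kernel_t)` and `mls_file_read_all_levels(kernel_t)`, carry no comment saying why the kernel domain must read and write files at every sensitivity level, and the commit subject mentions only initrc_context. Next to the existing `mls_process_read_up`/`mls_process_write_down` lines they appear to let kernel_t bypass the MLS read and write restrictions on files as well as processes, so the justification should sit beside the rules for anyone auditing the MLS policy; I would add a line such as `# <why kernel_t needs MLS file overrides, with bug reference>` above them, and use a narrower MLS interface if one suffices. The same applies to `fs_unmount_all_fs(kernel_t)` in the hunk at 231, which sits under the existing initrd mount comment although that comment does not mention unmounting. The +/- column of the outer diff is lost on this page, so which of these lines are new in this commit is inferred from the hunk line counts rather than read directly.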