Fix init Module
This commit is contained in:
parent
c0884791ad
commit
d50003157e
@ -35426,7 +35426,7 @@ index 79a45f6..e90f7a4 100644
|
||||
+ allow $1 init_var_lib_t:dir search_dir_perms;
|
||||
')
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index 17eda24..1f4dc71 100644
|
||||
index 17eda24..fa4ad6a 100644
|
||||
--- a/policy/modules/system/init.te
|
||||
+++ b/policy/modules/system/init.te
|
||||
@@ -11,10 +11,31 @@ gen_require(`
|
||||
@ -35744,7 +35744,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
allow init_t self:process { getcap setcap };
|
||||
@@ -186,29 +343,280 @@ ifdef(`distro_gentoo',`
|
||||
@@ -186,29 +343,283 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
@ -35785,17 +35785,21 @@ index 17eda24..1f4dc71 100644
|
||||
+optional_policy(`
|
||||
+ kdump_read_crash(init_t)
|
||||
+ kdump_read_config(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- auth_rw_login_records(init_t)
|
||||
+ gnome_filetrans_home_content(init_t)
|
||||
+ gnome_manage_data(init_t)
|
||||
+ gnome_manage_config(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ gssproxy_noatsecure(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gssproxy_noatsecure(init_t)
|
||||
+ gssd_noatsecure(init_t)
|
||||
+ rpc_gssd_noatsecure(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
@ -35992,14 +35996,13 @@ index 17eda24..1f4dc71 100644
|
||||
+
|
||||
+optional_policy(`
|
||||
+ lldpad_relabel_tmpfs(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
- auth_rw_login_records(init_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ consolekit_manage_log(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_connect_system_bus(init_t)
|
||||
dbus_system_bus_client(init_t)
|
||||
+ dbus_delete_pid_files(init_t)
|
||||
@ -36034,7 +36037,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -216,7 +624,30 @@ optional_policy(`
|
||||
@@ -216,7 +627,30 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36066,7 +36069,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -225,9 +656,9 @@ optional_policy(`
|
||||
@@ -225,9 +659,9 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
||||
@ -36078,7 +36081,7 @@ index 17eda24..1f4dc71 100644
|
||||
allow initrc_t self:passwd rootok;
|
||||
allow initrc_t self:key manage_key_perms;
|
||||
|
||||
@@ -258,12 +689,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
@@ -258,12 +692,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
|
||||
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
||||
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
||||
@ -36095,7 +36098,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
||||
@@ -279,23 +714,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
@@ -279,23 +717,36 @@ kernel_change_ring_buffer_level(initrc_t)
|
||||
kernel_clear_ring_buffer(initrc_t)
|
||||
kernel_get_sysvipc_info(initrc_t)
|
||||
kernel_read_all_sysctls(initrc_t)
|
||||
@ -36138,7 +36141,7 @@ index 17eda24..1f4dc71 100644
|
||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||
corenet_tcp_connect_all_ports(initrc_t)
|
||||
@@ -303,9 +751,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
@@ -303,9 +754,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
|
||||
|
||||
dev_read_rand(initrc_t)
|
||||
dev_read_urand(initrc_t)
|
||||
@ -36150,7 +36153,7 @@ index 17eda24..1f4dc71 100644
|
||||
dev_rw_sysfs(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
dev_read_framebuffer(initrc_t)
|
||||
@@ -313,8 +763,10 @@ dev_write_framebuffer(initrc_t)
|
||||
@@ -313,8 +766,10 @@ dev_write_framebuffer(initrc_t)
|
||||
dev_read_realtime_clock(initrc_t)
|
||||
dev_read_sound_mixer(initrc_t)
|
||||
dev_write_sound_mixer(initrc_t)
|
||||
@ -36161,7 +36164,7 @@ index 17eda24..1f4dc71 100644
|
||||
dev_delete_lvm_control_dev(initrc_t)
|
||||
dev_manage_generic_symlinks(initrc_t)
|
||||
dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +774,7 @@ dev_manage_generic_files(initrc_t)
|
||||
@@ -322,8 +777,7 @@ dev_manage_generic_files(initrc_t)
|
||||
dev_delete_generic_symlinks(initrc_t)
|
||||
dev_getattr_all_blk_files(initrc_t)
|
||||
dev_getattr_all_chr_files(initrc_t)
|
||||
@ -36171,7 +36174,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
domain_kill_all_domains(initrc_t)
|
||||
domain_signal_all_domains(initrc_t)
|
||||
@@ -332,7 +783,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
@@ -332,7 +786,6 @@ domain_sigstop_all_domains(initrc_t)
|
||||
domain_sigchld_all_domains(initrc_t)
|
||||
domain_read_all_domains_state(initrc_t)
|
||||
domain_getattr_all_domains(initrc_t)
|
||||
@ -36179,7 +36182,7 @@ index 17eda24..1f4dc71 100644
|
||||
domain_getsession_all_domains(initrc_t)
|
||||
domain_use_interactive_fds(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
@@ -340,6 +790,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
@@ -340,6 +793,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_pipes(initrc_t)
|
||||
@ -36187,7 +36190,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
@@ -347,14 +798,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
@@ -347,14 +801,15 @@ files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_purge_tmp(initrc_t)
|
||||
@ -36205,7 +36208,7 @@ index 17eda24..1f4dc71 100644
|
||||
files_read_usr_files(initrc_t)
|
||||
files_manage_urandom_seed(initrc_t)
|
||||
files_manage_generic_spool(initrc_t)
|
||||
@@ -364,8 +816,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
@@ -364,8 +819,12 @@ files_list_isid_type_dirs(initrc_t)
|
||||
files_mounton_isid_type_dirs(initrc_t)
|
||||
files_list_default(initrc_t)
|
||||
files_mounton_default(initrc_t)
|
||||
@ -36219,7 +36222,7 @@ index 17eda24..1f4dc71 100644
|
||||
fs_list_inotifyfs(initrc_t)
|
||||
fs_register_binary_executable_type(initrc_t)
|
||||
# rhgb-console writes to ramfs
|
||||
@@ -375,10 +831,11 @@ fs_mount_all_fs(initrc_t)
|
||||
@@ -375,10 +834,11 @@ fs_mount_all_fs(initrc_t)
|
||||
fs_unmount_all_fs(initrc_t)
|
||||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
@ -36233,7 +36236,7 @@ index 17eda24..1f4dc71 100644
|
||||
mcs_process_set_categories(initrc_t)
|
||||
|
||||
mls_file_read_all_levels(initrc_t)
|
||||
@@ -387,8 +844,10 @@ mls_process_read_up(initrc_t)
|
||||
@@ -387,8 +847,10 @@ mls_process_read_up(initrc_t)
|
||||
mls_process_write_down(initrc_t)
|
||||
mls_rangetrans_source(initrc_t)
|
||||
mls_fd_share_all_levels(initrc_t)
|
||||
@ -36244,7 +36247,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
storage_setattr_fixed_disk_dev(initrc_t)
|
||||
@@ -398,6 +857,7 @@ term_use_all_terms(initrc_t)
|
||||
@@ -398,6 +860,7 @@ term_use_all_terms(initrc_t)
|
||||
term_reset_tty_labels(initrc_t)
|
||||
|
||||
auth_rw_login_records(initrc_t)
|
||||
@ -36252,7 +36255,7 @@ index 17eda24..1f4dc71 100644
|
||||
auth_setattr_login_records(initrc_t)
|
||||
auth_rw_lastlog(initrc_t)
|
||||
auth_read_pam_pid(initrc_t)
|
||||
@@ -416,20 +876,18 @@ logging_read_all_logs(initrc_t)
|
||||
@@ -416,20 +879,18 @@ logging_read_all_logs(initrc_t)
|
||||
logging_append_all_logs(initrc_t)
|
||||
logging_read_audit_config(initrc_t)
|
||||
|
||||
@ -36276,7 +36279,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
dev_setattr_generic_dirs(initrc_t)
|
||||
@@ -451,7 +909,6 @@ ifdef(`distro_gentoo',`
|
||||
@@ -451,7 +912,6 @@ ifdef(`distro_gentoo',`
|
||||
allow initrc_t self:process setfscreate;
|
||||
dev_create_null_dev(initrc_t)
|
||||
dev_create_zero_dev(initrc_t)
|
||||
@ -36284,7 +36287,7 @@ index 17eda24..1f4dc71 100644
|
||||
term_create_console_dev(initrc_t)
|
||||
|
||||
# unfortunately /sbin/rc does stupid tricks
|
||||
@@ -486,6 +943,10 @@ ifdef(`distro_gentoo',`
|
||||
@@ -486,6 +946,10 @@ ifdef(`distro_gentoo',`
|
||||
sysnet_setattr_config(initrc_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -36295,7 +36298,7 @@ index 17eda24..1f4dc71 100644
|
||||
alsa_read_lib(initrc_t)
|
||||
')
|
||||
|
||||
@@ -506,7 +967,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -506,7 +970,7 @@ ifdef(`distro_redhat',`
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
@ -36304,7 +36307,7 @@ index 17eda24..1f4dc71 100644
|
||||
files_dontaudit_read_root_files(initrc_t)
|
||||
|
||||
# These seem to be from the initrd
|
||||
@@ -521,6 +982,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -521,6 +985,7 @@ ifdef(`distro_redhat',`
|
||||
files_create_boot_dirs(initrc_t)
|
||||
files_create_boot_flag(initrc_t)
|
||||
files_rw_boot_symlinks(initrc_t)
|
||||
@ -36312,7 +36315,7 @@ index 17eda24..1f4dc71 100644
|
||||
# wants to read /.fonts directory
|
||||
files_read_default_files(initrc_t)
|
||||
files_mountpoint(initrc_tmp_t)
|
||||
@@ -541,6 +1003,7 @@ ifdef(`distro_redhat',`
|
||||
@@ -541,6 +1006,7 @@ ifdef(`distro_redhat',`
|
||||
miscfiles_rw_localization(initrc_t)
|
||||
miscfiles_setattr_localization(initrc_t)
|
||||
miscfiles_relabel_localization(initrc_t)
|
||||
@ -36320,7 +36323,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
miscfiles_read_fonts(initrc_t)
|
||||
miscfiles_read_hwdata(initrc_t)
|
||||
@@ -550,8 +1013,44 @@ ifdef(`distro_redhat',`
|
||||
@@ -550,8 +1016,44 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36365,7 +36368,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -559,14 +1058,31 @@ ifdef(`distro_redhat',`
|
||||
@@ -559,14 +1061,31 @@ ifdef(`distro_redhat',`
|
||||
rpc_write_exports(initrc_t)
|
||||
rpc_manage_nfs_state_data(initrc_t)
|
||||
')
|
||||
@ -36397,7 +36400,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -577,6 +1093,39 @@ ifdef(`distro_suse',`
|
||||
@@ -577,6 +1096,39 @@ ifdef(`distro_suse',`
|
||||
')
|
||||
')
|
||||
|
||||
@ -36437,7 +36440,7 @@ index 17eda24..1f4dc71 100644
|
||||
optional_policy(`
|
||||
amavis_search_lib(initrc_t)
|
||||
amavis_setattr_pid_files(initrc_t)
|
||||
@@ -589,6 +1138,8 @@ optional_policy(`
|
||||
@@ -589,6 +1141,8 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
apache_read_config(initrc_t)
|
||||
apache_list_modules(initrc_t)
|
||||
@ -36446,7 +36449,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -610,6 +1161,7 @@ optional_policy(`
|
||||
@@ -610,6 +1164,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
cgroup_stream_connect_cgred(initrc_t)
|
||||
@ -36454,7 +36457,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -626,6 +1178,17 @@ optional_policy(`
|
||||
@@ -626,6 +1181,17 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36472,7 +36475,7 @@ index 17eda24..1f4dc71 100644
|
||||
dev_getattr_printer_dev(initrc_t)
|
||||
|
||||
cups_read_log(initrc_t)
|
||||
@@ -642,9 +1205,13 @@ optional_policy(`
|
||||
@@ -642,9 +1208,13 @@ optional_policy(`
|
||||
dbus_connect_system_bus(initrc_t)
|
||||
dbus_system_bus_client(initrc_t)
|
||||
dbus_read_config(initrc_t)
|
||||
@ -36486,7 +36489,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -657,15 +1224,11 @@ optional_policy(`
|
||||
@@ -657,15 +1227,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36504,7 +36507,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -686,6 +1249,15 @@ optional_policy(`
|
||||
@@ -686,6 +1252,15 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36520,7 +36523,7 @@ index 17eda24..1f4dc71 100644
|
||||
inn_exec_config(initrc_t)
|
||||
')
|
||||
|
||||
@@ -726,6 +1298,7 @@ optional_policy(`
|
||||
@@ -726,6 +1301,7 @@ optional_policy(`
|
||||
lpd_list_spool(initrc_t)
|
||||
|
||||
lpd_read_config(initrc_t)
|
||||
@ -36528,7 +36531,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -743,7 +1316,13 @@ optional_policy(`
|
||||
@@ -743,7 +1319,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36543,7 +36546,7 @@ index 17eda24..1f4dc71 100644
|
||||
mta_dontaudit_read_spool_symlinks(initrc_t)
|
||||
')
|
||||
|
||||
@@ -766,6 +1345,10 @@ optional_policy(`
|
||||
@@ -766,6 +1348,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36554,7 +36557,7 @@ index 17eda24..1f4dc71 100644
|
||||
postgresql_manage_db(initrc_t)
|
||||
postgresql_read_config(initrc_t)
|
||||
')
|
||||
@@ -775,10 +1358,20 @@ optional_policy(`
|
||||
@@ -775,10 +1361,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36575,7 +36578,7 @@ index 17eda24..1f4dc71 100644
|
||||
quota_manage_flags(initrc_t)
|
||||
')
|
||||
|
||||
@@ -787,6 +1380,10 @@ optional_policy(`
|
||||
@@ -787,6 +1383,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36586,7 +36589,7 @@ index 17eda24..1f4dc71 100644
|
||||
fs_write_ramfs_sockets(initrc_t)
|
||||
fs_search_ramfs(initrc_t)
|
||||
|
||||
@@ -808,8 +1405,6 @@ optional_policy(`
|
||||
@@ -808,8 +1408,6 @@ optional_policy(`
|
||||
# bash tries ioctl for some reason
|
||||
files_dontaudit_ioctl_all_pids(initrc_t)
|
||||
|
||||
@ -36595,7 +36598,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -818,6 +1413,10 @@ optional_policy(`
|
||||
@@ -818,6 +1416,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36606,7 +36609,7 @@ index 17eda24..1f4dc71 100644
|
||||
# shorewall-init script run /var/lib/shorewall/firewall
|
||||
shorewall_lib_domtrans(initrc_t)
|
||||
')
|
||||
@@ -827,10 +1426,12 @@ optional_policy(`
|
||||
@@ -827,10 +1429,12 @@ optional_policy(`
|
||||
squid_manage_logs(initrc_t)
|
||||
')
|
||||
|
||||
@ -36619,7 +36622,7 @@ index 17eda24..1f4dc71 100644
|
||||
|
||||
optional_policy(`
|
||||
ssh_dontaudit_read_server_keys(initrc_t)
|
||||
@@ -857,21 +1458,62 @@ optional_policy(`
|
||||
@@ -857,21 +1461,62 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36683,7 +36686,7 @@ index 17eda24..1f4dc71 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -887,6 +1529,10 @@ optional_policy(`
|
||||
@@ -887,6 +1532,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -36694,7 +36697,7 @@ index 17eda24..1f4dc71 100644
|
||||
# Set device ownerships/modes.
|
||||
xserver_setattr_console_pipes(initrc_t)
|
||||
|
||||
@@ -897,3 +1543,218 @@ optional_policy(`
|
||||
@@ -897,3 +1546,218 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
zebra_read_config(initrc_t)
|
||||
')
|
||||
|