packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/add-allowed-avc-for-systemd-1.patch
guoxiaoqi 32ea5da141 update avc for openEuler
2020-02-26 17:40:12 +08:00

77 lines
2.5 KiB
Diff
Raw Blame History

From 9592c9a75c610109c17eb8591611826715e3c969 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Wed, 26 Feb 2020 17:20:57 +0800
Subject: [PATCH] add avc for systemd
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/contrib/dbus.te | 4 ++++
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
policy/modules/system/systemd.te | 5 +++++
4 files changed, 28 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 3bcff01..848342e 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -386,3 +386,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
kernel_stream_connect(session_bus_type)
systemd_login_read_pid_files(session_bus_type)
+
+# avc for openEuler
+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
+allow init_t system_dbusd_var_run_t:sock_file read;
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2378f06..c3659c7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7276,3 +7276,21 @@ type kmsg_device_t;
allow $1 kmsg_device_t:chr_file read;
')
+
+########################################
+## <summary>
+## Allow to read the clock device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`dev_read_clock_device',`
+gen_require(`
+type clock_device_t;
+')
+
+allow $1 clock_device_t:chr_file read;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index afd20b0..8de5b08 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1874,3 +1874,4 @@ systemd_manage_faillog(init_t)
kernel_netlink_audit_socket(init_t, getattr)
dev_read_kernel_msg(init_t)
logging_journal(init_t)
+dev_read_clock_device(init_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f2919f0..3634510 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1148,3 +1148,8 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
allow init_t systemd_logind_var_run_t:dir mounton;
init_nnp_daemon_domain(systemd_hostnamed_t)
init_nnp_daemon_domain(systemd_logind_t)
+init_nnp_daemon_domain(systemd_coredump_t)
+init_nnp_daemon_domain(systemd_initctl_t)
+init_nnp_daemon_domain(systemd_localed_t)
+init_nnp_daemon_domain(systemd_machined_t)
+init_nnp_daemon_domain(systemd_timedated_t)
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink