packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-init-delete-generic-tmp-named-pipes.patch
lujie54 738fcaf614 update upstream patches
2022-09-14 15:35:03 +08:00

65 lines
2.0 KiB
Diff
Raw Blame History

From da5328319db49846fb698d262c13f06230091bfb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 28 Jan 2022 19:01:45 +0100
Subject: [PATCH] Allow init delete generic tmp named pipes
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/da5328319db49846fb698d262c13f06230091bfb
Conflict: NA
The files_delete_tmp_pipes() interface was added.
Addresses the following AVC denial:
type=AVC msg=audit(1628676879.222:1003): avc: denied { unlink } for pid=1 comm="systemd" name="controller_log_37116" dev="tmpfs" ino=1235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
Resolves: rhbz#1992562
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index bca6f15..53e463c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6153,6 +6153,24 @@ interface(`files_delete_tmp_sockets',`
########################################
## <summary>
+## Delete generic tmp named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_tmp_pipes',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ delete_fifo_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
## Remove entries from the tmp directory.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a81f5da..09a6925 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -648,6 +648,7 @@ files_read_kernel_modules(init_t)
files_map_kernel_modules(init_t)
files_dontaudit_mounton_isid(init_t)
files_delete_tmp_files(init_t)
+files_delete_tmp_pipes(init_t)
files_delete_tmp_sockets(init_t)
fs_getattr_all_fs(init_t)
fs_manage_cgroup_dirs(init_t)
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink