From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001
From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
Date: Mon, 20 Mar 2023 20:42:49 +0800
Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
without a transition"
This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.
---
policy/modules/kernel/kernel.te | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index f7ac8cd1f..2df33b0ac 100644
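--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -347,16 +347,10 @@ selinux_compute_create_context(kernel_t)
 term_use_all_terms(kernel_t)
 term_use_ptmx(kernel_t)
 
+corecmd_exec_shell(kernel_t)
 corecmd_list_bin(kernel_t)
-
-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules,
-# thus allow a transition into a minimal helper domain through generic bin
-# types.
-type kernel_generic_helper_t;
-domain_type(kernel_generic_helper_t)
-role system_r types kernel_generic_helper_t;
-corecmd_bin_entry_type(kernel_generic_helper_t)
-corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)
+# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+corecmd_exec_bin(kernel_t)
 
 domain_use_all_fds(kernel_t)
 domain_signal_all_domains(kernel_t)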
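Review bot: The restored `corecmd_exec_shell(kernel_t)` and `corecmd_exec_bin(kernel_t)` let any generic bin or shell executable that the kernel launches keep running in kernel_t with no domain transition, and neither the commit message nor the new comment says what failed with the removed kernel_generic_helper_t transition. The one-line comment only covers /proc/sys/kernel/modprobe pointing at /bin/true, which does not explain why shell execution is needed as well. If the revert has to stay, record the reason next to the rules, e.g. `# Usermode helpers run bin_t/shell_exec_t files without a transition and stay in kernel_t; reverted because <reason>.` A narrower alternative would presumably be to keep the helper domain and grant it only what the failing helper required, though the page does not show which helper that was.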
--
2.25.1