init/systemd: allow systemd to map the SELinux status page
systemd v247 will access the SELinux status page. This affects all domains currently opening the label database, i.e. those with the permission seutil_read_file_contexts. See https://github.com/systemd/systemd/pull/16821 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
parent
dcf7ae9f48
commit
1103350ee3
@ -439,6 +439,8 @@ ifdef(`init_systemd',`
|
|||
selinux_compute_access_vector(init_t)
|
||||
# for starting systemd --user in the right domain:
|
||||
selinux_compute_user_contexts(init_t)
|
||||
# mmap status page
|
||||
selinux_map_security_files(init_t)
|
||||
|
||||
storage_getattr_removable_dev(init_t)
|
||||
|
||||
|
|
|
@ -424,6 +424,9 @@ dev_read_sysfs(systemd_hostnamed_t)
|
|||
|
||||
files_read_etc_files(systemd_hostnamed_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_hostnamed_t)
|
||||
selinux_map_security_files(systemd_hostnamed_t)
|
||||
|
||||
seutil_read_file_contexts(systemd_hostnamed_t)
|
||||
|
||||
sysnet_etc_filetrans_config(systemd_hostnamed_t)
|
||||
|
@ -454,6 +457,8 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
|
|||
files_search_runtime(systemd_hw_t)
|
||||
|
||||
selinux_get_fs_mount(systemd_hw_t)
|
||||
selinux_get_enforce_mode(systemd_hw_t)
|
||||
selinux_map_security_files(systemd_hw_t)
|
||||
|
||||
init_read_state(systemd_hw_t)
|
||||
|
||||
|
@ -469,6 +474,9 @@ kernel_read_kernel_sysctls(systemd_locale_t)
|
|||
|
||||
files_read_etc_files(systemd_locale_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_locale_t)
|
||||
selinux_map_security_files(systemd_locale_t)
|
||||
|
||||
seutil_read_file_contexts(systemd_locale_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_locale_t)
|
||||
|
@ -561,6 +569,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
|
|||
fs_unmount_tmpfs(systemd_logind_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_logind_t)
|
||||
selinux_map_security_files(systemd_logind_t)
|
||||
|
||||
storage_getattr_removable_dev(systemd_logind_t)
|
||||
storage_getattr_scsi_generic_dev(systemd_logind_t)
|
||||
|
@ -1080,6 +1089,9 @@ corenet_udp_bind_generic_node(systemd_resolved_t)
|
|||
corenet_udp_bind_dns_port(systemd_resolved_t)
|
||||
corenet_udp_bind_llmnr_port(systemd_resolved_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_resolved_t)
|
||||
selinux_map_security_files(systemd_resolved_t)
|
||||
|
||||
auth_use_nsswitch(systemd_resolved_t)
|
||||
|
||||
files_watch_root_dirs(systemd_resolved_t)
|
||||
|
@ -1113,6 +1125,7 @@ kernel_read_kernel_sysctls(systemd_sessions_t)
|
|||
|
||||
selinux_get_enforce_mode(systemd_sessions_t)
|
||||
selinux_get_fs_mount(systemd_sessions_t)
|
||||
selinux_map_security_files(systemd_sessions_t)
|
||||
|
||||
seutil_read_config(systemd_sessions_t)
|
||||
seutil_read_default_contexts(systemd_sessions_t)
|
||||
|
@ -1134,6 +1147,9 @@ files_manage_etc_files(systemd_sysusers_t)
|
|||
|
||||
kernel_read_kernel_sysctls(systemd_sysusers_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_sysusers_t)
|
||||
selinux_map_security_files(systemd_sysusers_t)
|
||||
|
||||
auth_manage_shadow(systemd_sysusers_t)
|
||||
auth_etc_filetrans_shadow(systemd_sysusers_t)
|
||||
auth_use_nsswitch(systemd_sysusers_t)
|
||||
|
@ -1202,7 +1218,8 @@ fs_list_tmpfs(systemd_tmpfiles_t)
|
|||
fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
|
||||
|
||||
selinux_get_fs_mount(systemd_tmpfiles_t)
|
||||
selinux_search_fs(systemd_tmpfiles_t)
|
||||
selinux_get_enforce_mode(systemd_tmpfiles_t)
|
||||
selinux_map_security_files(systemd_tmpfiles_t)
|
||||
|
||||
auth_append_lastlog(systemd_tmpfiles_t)
|
||||
auth_manage_faillog(systemd_tmpfiles_t)
|
||||
|
@ -1287,6 +1304,9 @@ files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
|
|||
|
||||
kernel_read_kernel_sysctls(systemd_update_done_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_update_done_t)
|
||||
selinux_map_security_files(systemd_update_done_t)
|
||||
|
||||
seutil_read_file_contexts(systemd_update_done_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_update_done_t)
|
||||
|
@ -1381,6 +1401,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
|
|||
kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
|
||||
|
||||
selinux_get_enforce_mode(systemd_user_runtime_dir_t)
|
||||
selinux_map_security_files(systemd_user_runtime_dir_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_user_runtime_dir_t)
|
||||
systemd_dbus_chat_logind(systemd_user_runtime_dir_t)
|
||||
|
|
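Review bot: Only the init_t hunk documents why `selinux_map_security_files()` is being granted (`# mmap status page`); the other ten additions are bare, and several of them (systemd_hw_t, systemd_logind_t, systemd_resolved_t, systemd_sysusers_t, systemd_tmpfiles_t, systemd_user_runtime_dir_t) do not show the `seutil_read_file_contexts()` call the description names as the trigger anywhere in their hunk, so if the label-database access in those domains is ever removed the map permission will silently remain. Add a one-line comment above each new call, e.g. `# systemd >= 247 mmaps the selinuxfs status page via the label database`, so the dependency is visible at the line where the permission is granted. Since the description says every domain opening the label database needs this, it may be cleaner to grant it once next to that access (presumably in the seutil interface these domains already call) instead of per domain in systemd.te, though that widens the interface for all its callers and is worth confirming with the policy maintainers. Note also that `selinux_map_security_files()` presumably grants `map` on every security_t file the domain can already read, not just `status`; that adds little beyond read today, but it is broader than the commit message suggests.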