RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

systemd: allow systemd-modules-load.service to read sysfs 

systemd-modules-load.service needs to read file
/sys/module/${MODULE}/initstate for each ${MODULE} defined in
/etc/modules-load.d/. These files are labeled sysfs_t.

This fixes:

    type=AVC msg=audit(1567804818.331:138713): avc:  denied  { read }
    for  pid=31153 comm="systemd-modules" name="initstate" dev="sysfs"
    ino=14778 scontext=system_u:system_r:systemd_modules_load_t
    tcontext=system_u:object_r:sysfs_t tclass=file permissive=0

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2019-09-06 23:28:40 +02:00
parent 51c4812c23
commit 233e13cb44
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/system/systemd.te
View File

@ -626,6 +626,8 @@ optional_policy(`
kernel_load_module(systemd_modules_load_t)
kernel_request_load_module(systemd_modules_load_t)
dev_read_sysfs(systemd_modules_load_t)
files_read_etc_files(systemd_modules_load_t)
modutils_read_module_config(systemd_modules_load_t)