minor nspawn, dnsmasq, and mon patches
Label some shell scripts from bridge-utils correctly. Maybe have ifdef distro_debian around this, not sure what upstream is doing. systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a labeled chroot. Another dontaudit for mon_local_test_t to stop it spamming the logs. Support a .d directory for dnsmasq config files.
This commit is contained in:
parent
4afbc35e79
commit
25a9bcb405
|
@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`
|
|||
|
||||
/usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
|
@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_namespace',`
|
|||
dev_mounton(systemd_nspawn_t)
|
||||
dev_setattr_generic_dirs(systemd_nspawn_t)
|
||||
|
||||
files_search_home(systemd_nspawn_t)
|
||||
# manage etc symlinks for /etc/localtime
|
||||
files_manage_etc_symlinks(systemd_nspawn_t)
|
||||
files_mounton_pid_dirs(systemd_nspawn_t)
|
||||
files_search_home(systemd_nspawn_t)
|
||||
|
||||
fs_getattr_cgroup(systemd_nspawn_t)
|
||||
fs_manage_cgroup_dirs(systemd_nspawn_t)
|
||||
|
|
|
@ -2866,6 +2866,25 @@ interface(`userdom_read_user_tmpfs_files',`
|
|||
fs_search_tmpfs($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit Read attempts of user tmpfs files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_read_user_tmpfs_files',`
|
||||
gen_require(`
|
||||
type user_tmpfs_t;
|
||||
')
|
||||
|
||||
dontaudit $1 user_tmpfs_t:file read_file_perms;
|
||||
dontaudit $1 user_tmpfs_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## relabel to/from user tmpfs dirs
|
||||
|
|
Loading…
Reference in New Issue