From ec0ebc8b11e145e2d990c070d18c5d511d73d73d Mon Sep 17 00:00:00 2001
From: Jonathan Davies
Date: Sun, 23 Aug 2020 19:48:39 +0000
Subject: [PATCH 1/2] acpi.te: Allow acpid_t to shutdown the system - this is required to handle shutdown calls from libvirt. Fixes #298.
Signed-off-by: Jonathan Davies
---
 policy/modules/services/acpi.te | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
index 711b4fa90..e514909c8 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
@@ -108,6 +108,7 @@ dev_dontaudit_getattr_all_blk_files(acpid_t)
 files_exec_etc_files(acpid_t)
 files_read_etc_runtime_files(acpid_t)
+files_read_usr_files(acpid_t)
 files_dontaudit_getattr_all_files(acpid_t)
 files_dontaudit_getattr_all_symlinks(acpid_t)
 files_dontaudit_getattr_all_pipes(acpid_t)
@@ -135,6 +136,8 @@ domain_dontaudit_list_all_domains_state(acpid_t)
 auth_use_nsswitch(acpid_t)
 init_domtrans_script(acpid_t)
+init_telinit(acpid_t)
+init_write_initctl(acpid_t)
 libs_exec_ld_so(acpid_t)
 libs_exec_lib_files(acpid_t)
@@ -223,6 +226,12 @@ optional_policy(`
 sysnet_domtrans_ifconfig(acpid_t)
 ')
+optional_policy(`
+ init_list_unit_dirs(acpid_t)
+ systemd_start_power_units(acpid_t)
+ systemd_status_power_units(acpid_t)
+')
+
 optional_policy(`
 udev_read_db(acpid_t)
 udev_read_state(acpid_t)
From 99ad37186864f1d31bd78ce10fd7da6a8fe6683c Mon Sep 17 00:00:00 2001
From: Jonathan Davies
Date: Tue, 25 Aug 2020 22:53:07 +0000
Subject: [PATCH 2/2] acpi.te: Removed unnecessary init_write_initctl().
Signed-off-by: Jonathan Davies
---
 policy/modules/services/acpi.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
index e514909c8..a30123e14 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
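Review bot: `files_read_usr_files(acpid_t)` in the `@@ -108,6 +108,7 @@` hunk of PATCH 1/2 has no stated link to the shutdown path the commit message describes, and it grants read access by the generic usr label rather than to one program's files. Record the denial that required it in a comment above the line, for example `# <program run on shutdown> reads <path under /usr>, see #298`, with the real names taken from the audit log. If a narrower interface satisfies that denial, prefer it. The same question applies to `init_list_unit_dirs(acpid_t)` in the `@@ -223,6 +226,12 @@` hunk.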
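Review bot: `systemd_start_power_units(acpid_t)` in the `@@ -223,6 +226,12 @@` hunk of PATCH 1/2 appears, going by its name, to cover power units in general, which is wider than the "shutdown" named in the subject line. If no narrower interface exists, state that on the block with a comment such as `# acpid asks systemd to start a power unit for libvirt shutdown requests; the interface is not limited to poweroff`. `init_telinit(acpid_t)` in the `@@ -135,6 +136,8 @@` hunk is granted unconditionally, while the systemd rules sit inside `optional_policy`. A one-line comment saying which init system each path serves would make it easier to audit what acpid_t is allowed to trigger.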
@@ -137,7 +137,6 @@ auth_use_nsswitch(acpid_t)
 init_domtrans_script(acpid_t)
 init_telinit(acpid_t)
-init_write_initctl(acpid_t)
 libs_exec_ld_so(acpid_t)
 libs_exec_lib_files(acpid_t)