Merge pull request #307 from atenart/buildroot-fixes
This commit is contained in:
commit
4ac187dba2
|
@ -155,6 +155,7 @@ ifdef(`distro_gentoo',`
|
|||
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/sh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
|
|
@ -143,6 +143,8 @@ interface(`dbus_system_bus_client',`
|
|||
stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t)
|
||||
|
||||
dbus_read_config($1)
|
||||
dbus_list_system_bus_runtime($1)
|
||||
dbus_read_system_bus_runtime_named_sockets($1)
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -594,6 +596,24 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
|
|||
allow $1 system_dbusd_runtime_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List system bus runtime directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dbus_list_system_bus_runtime',`
|
||||
gen_require(`
|
||||
type system_dbusd_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 system_dbusd_runtime_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch system bus runtime named sockets.
|
||||
|
@ -612,6 +632,24 @@ interface(`dbus_watch_system_bus_runtime_named_sockets',`
|
|||
allow $1 system_dbusd_runtime_t:sock_file watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read system bus runtime named sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`dbus_read_system_bus_runtime_named_sockets',`
|
||||
gen_require(`
|
||||
type system_dbusd_runtime_t;
|
||||
')
|
||||
|
||||
allow $1 system_dbusd_runtime_t:sock_file read;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to DBUS.
|
||||
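Review bot: The two calls added in the first hunk widen `dbus_system_bus_client` for every domain that uses it, granting `dir list_dir_perms` and `sock_file read` on system_dbusd_runtime_t to all system bus clients, although the denials that motivated them presumably came from one buildroot component. If only a few domains need this, calling `dbus_list_system_bus_runtime` and `dbus_read_system_bus_runtime_named_sockets` from those domains' .te files keeps the shared client interface minimal; otherwise a one-line comment above the calls saying why every client needs them would help the next reader. The new `dbus_read_system_bus_runtime_named_sockets` interface also spells out a bare `sock_file read` where the sibling interface uses the `list_dir_perms` macro; `read_sock_file_perms` would be the consistent form, if that is the permission set actually needed. The header of `dbus_system_bus_client` lies outside the first hunk.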
|
|
|
@ -59,6 +59,7 @@ kernel_read_system_state(local_login_t)
|
|||
kernel_read_kernel_sysctls(local_login_t)
|
||||
kernel_search_key(local_login_t)
|
||||
kernel_link_key(local_login_t)
|
||||
kernel_getattr_proc(local_login_t)
|
||||
|
||||
corecmd_list_bin(local_login_t)
|
||||
# cjp: these are probably not needed:
|
||||
|
|
|
@ -524,7 +524,7 @@ ifdef(`init_systemd',`
|
|||
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
|
||||
allow syslogd_t self:capability2 audit_read;
|
||||
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
|
||||
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
|
||||
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
|
||||
|
||||
# remove /run/log/journal when switching to permanent storage
|
||||
allow syslogd_t var_log_t:dir rmdir;
|
||||
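Review bot: Adding `nlmsg_write` to the syslogd_t netlink_audit_socket rule lets the daemon send audit configuration messages (AUDIT_SET and rule changes), not only receive records, so it is a control permission over the audit subsystem rather than a read one. It deserves a why-comment in the style of the one already in this hunk, for example `# journald sends AUDIT_SET to enable auditing at startup` if that is the trigger, so the grant is not widened further later without a recorded reason. The kernel also requires CAP_AUDIT_CONTROL for those message types, and the `self:capability` line earlier in the hunk does not list `audit_control`; confirm that the matching capability rule exists elsewhere in the file or that the operation being fixed is really gated only by nlmsg_write.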
|
|
|
@ -346,6 +346,8 @@ interface(`sysnet_read_config',`
|
|||
')
|
||||
|
||||
files_search_etc($1)
|
||||
files_search_runtime($1)
|
||||
allow $1 net_conf_t:dir list_dir_perms;
|
||||
allow $1 net_conf_t:file read_file_perms;
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
|
|
|
@ -362,6 +362,8 @@ seutil_search_default_contexts(systemd_coredump_t)
|
|||
#
|
||||
|
||||
allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
|
||||
allow systemd_generator_t self:capability dac_override;
|
||||
allow systemd_generator_t self:process setfscreate;
|
||||
|
||||
corecmd_getattr_bin_files(systemd_generator_t)
|
||||
|
||||
|
@ -459,6 +461,7 @@ selinux_get_fs_mount(systemd_hw_t)
|
|||
selinux_use_status_page(systemd_hw_t)
|
||||
|
||||
init_read_state(systemd_hw_t)
|
||||
init_search_runtime(systemd_hw_t)
|
||||
|
||||
seutil_read_config(systemd_hw_t)
|
||||
seutil_read_file_contexts(systemd_hw_t)
|
||||
|
@ -782,6 +785,7 @@ dev_write_kmsg(systemd_networkd_t)
|
|||
files_read_etc_files(systemd_networkd_t)
|
||||
files_watch_runtime_dirs(systemd_networkd_t)
|
||||
files_watch_root_dirs(systemd_networkd_t)
|
||||
fs_getattr_xattr_fs(systemd_networkd_t)
|
||||
|
||||
auth_use_nsswitch(systemd_networkd_t)
|
||||
|
||||
|
@ -1091,6 +1095,7 @@ auth_use_nsswitch(systemd_resolved_t)
|
|||
|
||||
files_watch_root_dirs(systemd_resolved_t)
|
||||
files_watch_runtime_dirs(systemd_resolved_t)
|
||||
files_list_runtime(systemd_resolved_t)
|
||||
|
||||
init_dgram_send(systemd_resolved_t)
|
||||
|
||||
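Review bot: `allow systemd_generator_t self:capability dac_override;` in the first hunk of this file is the broadest of the new grants, as it bypasses all DAC read, write and execute checks. If the generator only needs to read or traverse root-owned paths with restrictive modes, which is the usual generator denial, `dac_read_search` is sufficient and is the narrower choice; a comment naming the path that triggered the denial would let a later reviewer confirm which one is needed. The `setfscreate` grant in the same hunk looks intentional but would also benefit from a one-line comment on what the generator creates. The remaining hunks in this file add single search, watch and list calls and look routine.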
|
|
|
@ -421,3 +421,5 @@ kernel_read_kernel_sysctls(udevadm_t)
|
|||
kernel_read_system_state(udevadm_t)
|
||||
|
||||
seutil_read_file_contexts(udevadm_t)
|
||||
|
||||
fs_getattr_xattr_fs(udevadm_t)
|
||||
|
|