RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow restorecond to read customizable_types 

When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { open } for
    pid=281 comm="restorecond"
    path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

    type=AVC msg=audit(1550921968.443:654): avc:  denied  { read } for
    pid=281 comm="restorecond" name="customizable_types" dev="vda1"
    ino=928006 scontext=system_u:system_r:restorecond_t
    tcontext=system_u:object_r:default_context_t tclass=file
    permissive=1

As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
This commit is contained in:
Nicolas Iooss 2019-02-23 21:14:10 +01:00
parent 5986fdc4df
commit 7bb9172b67
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/system/selinuxutil.te
View File

@ -380,6 +380,7 @@ logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
seutil_read_default_contexts(restorecond_t)
ifdef(`distro_ubuntu',`
optional_policy(`