From b025e0ec4f04a8e5d9e5b65824a48cda90568a8f Mon Sep 17 00:00:00 2001
From: Nicolas PARLANT
Date: Sat, 1 Mar 2025 23:00:20 +0000
Subject: [PATCH] Add setcap to knotd / add knotc_initrc_domtrans

allow capabilities as it's the default behavior now
allow knotc cmd in init script: knotc conf-check (by default)

Signed-off-by: Nicolas PARLANT
---
 policy/modules/services/knot.if | 19 +++++++++++++++++++
 policy/modules/services/knot.te | 2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/knot.if b/policy/modules/services/knot.if
index 247bb6c94..af98c44ee 100644
--- a/policy/modules/services/knot.if
+++ b/policy/modules/services/knot.if
@@ -45,6 +45,25 @@ interface(`knot_run_client',`
 roleattribute $2 knot_roles;
 ')
 
+########################################
+##
+## Execute knotc in knot init
+## scripts in the initrc domain.
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`knotc_initrc_domtrans',` gen_require(` type knot_initrc_exec_t; ') init_labeled_script_domtrans($1, knot_initrc_exec_t) ')
 ########################################
 ##
 ## Read knot config files.
diff --git a/policy/modules/services/knot.te b/policy/modules/services/knot.te
index d658d973c..9b5b83173 100644
--- a/policy/modules/services/knot.te
+++ b/policy/modules/services/knot.te
@@ -38,7 +38,7 @@ files_type(knot_var_lib_t)
 #
 allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
-allow knotd_t self:process { getcap getsched setsched signal_perms };
+allow knotd_t self:process { getcap getsched setcap setsched signal_perms };
 allow knotd_t self:tcp_socket create_stream_socket_perms;
 allow knotd_t self:udp_socket create_socket_perms;
 allow knotd_t self:unix_stream_socket create_stream_socket_perms;
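Review bot: The new interface at the end of the knot.if hunk is named `knotc_initrc_domtrans`, yet what it grants is a transition for `$1` into the initrc domain through the script labeled `knot_initrc_exec_t` — the ordinary per-module init-script pattern, with nothing specific to knotc — and the sibling `knot_run_client` visible in the hunk header uses the `knot_` prefix. Renaming it `knot_initrc_domtrans` keeps the module's interface namespace consistent, and the summary should state what is actually granted, e.g. `## Execute knot init scripts in the initrc domain.`, because whether the script can then run `knotc conf-check` depends on the init domain's own policy rather than on this interface. The summary block as shown here carries no `<summary>`/`<param name="domain">` markup; if that is how it was committed rather than an artifact of this rendering, the interface documentation will not be generated for it.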
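Review bot: The `setcap` permission added to the `allow knotd_t self:process` line has no comment saying why knotd needs to alter its own capability sets, and the commit message only records that it is "the default behavior now". A one-line comment above the rule, e.g. `# knotd adjusts its own capability set by default; pairs with setpcap above`, would let a later reviewer judge whether the grant is still required without digging through the log. As far as I can tell the new permission works together with the `setpcap` capability already granted on the preceding line — process:setcap covers the capset() call itself, while dropping from the bounding set needs CAP_SETPCAP — so the two are best reviewed as a pair if either is ever revisited.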