Merge pull request #473 from pebenito/allow-lockdown

domain: Allow lockdown for all domains.
Chris PeBenito 2022-02-04 08:37:02 -05:00 committed by GitHub
commit d96d8b5977
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions


@ -103,6 +103,11 @@ kernel_dontaudit_link_key(domain)
# create child processes in the domain
allow domain self:process { fork sigchld };
# lockdown checks were removed in 5.16. The class will be removed
# from the policy in the future. For reference:
# https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly
allow domain self:lockdown { integrity confidentiality };
# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
dev_read_cpu_online(domain)
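Review bot: The new `allow domain self:lockdown { integrity confidentiality };` rule is unconditional, and the comment above it does not say what that means on kernels older than 5.16, where the comment itself implies SELinux still performed lockdown checks. On those kernels the rule grants both permissions to every domain, so this policy no longer mediates lockdown-gated operations at all; any restriction would have to come from other mechanisms such as the kernel's own lockdown mode, which is not visible in this hunk. I would state that trade-off next to the rule, for example `# NOTE: on kernels before 5.16 this disables SELinux lockdown mediation for all domains.` It is also worth checking whether per-domain `lockdown` rules elsewhere in the policy are now redundant, so they can be dropped together when the class is removed.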