RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #127 from pebenito/unconfined-cap_userns

This commit is contained in:
Chris PeBenito 2019-11-23 09:48:16 -05:00
parent 04a83b9616 53a76d3fb7
commit e05c589ae6
5 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/admin/alsa.fc
View File

@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0) /etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)
/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0) /run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)

4
policy/modules/admin/alsa.te
View File

@ -44,6 +44,7 @@ files_lock_file(alsa_var_lock_t)
allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid }; allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
# kill : kill pulseaudio # kill : kill pulseaudio
dontaudit alsa_t self:capability { kill sys_admin }; dontaudit alsa_t self:capability { kill sys_admin };
allow alsa_t self:process { getsched setsched signal };
allow alsa_t self:sem create_sem_perms; allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms; allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen }; allow alsa_t self:unix_stream_socket { accept listen };
@ -58,8 +59,9 @@ allow alsa_t alsa_etc_t:file map;
can_exec(alsa_t, alsa_exec_t) can_exec(alsa_t, alsa_exec_t)
allow alsa_t alsa_runtime_t:dir manage_dir_perms; allow alsa_t alsa_runtime_t:dir manage_dir_perms;
allow alsa_t alsa_runtime_t:file manage_file_perms;
allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms; allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
files_pid_filetrans(alsa_t, alsa_runtime_t, dir) files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)

3
policy/modules/services/dbus.te
View File

@ -159,6 +159,9 @@ ifdef(`init_systemd', `
# for /run/systemd/dynamic-uid/ # for /run/systemd/dynamic-uid/
init_list_pids(system_dbusd_t) init_list_pids(system_dbusd_t)
init_read_runtime_symlinks(system_dbusd_t) init_read_runtime_symlinks(system_dbusd_t)
# Recent versions of dbus are started as Type=notify
init_write_runtime_socket(system_dbusd_t)
') ')
optional_policy(` optional_policy(`

2
policy/modules/services/geoclue.te
View File

@ -30,6 +30,8 @@ dev_read_urand(geoclue_t)
auth_use_nsswitch(geoclue_t) auth_use_nsswitch(geoclue_t)
logging_send_syslog_msg(geoclue_t)
miscfiles_read_generic_certs(geoclue_t) miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t) miscfiles_read_localization(geoclue_t)

3
policy/modules/services/realmd.te
View File

@ -44,6 +44,9 @@ auth_use_nsswitch(realmd_t)
logging_send_syslog_msg(realmd_t) logging_send_syslog_msg(realmd_t)
# Read /etc/locale.alias
miscfiles_read_localization(realmd_t)
optional_policy(` optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t) dbus_system_domain(realmd_t, realmd_exec_t)