Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
audit.log shows that journald needs to read the kernel read buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
On ArchLinux the directory name of Network Manager in /usr/lib is
written in lowercase but not the files in /usr/bin, /var/lib, etc.
While at it, remove a useless backslash before a minus character.
The kernel_delete_unlabeled_chr_files interface is called by the
(deprecated) files_delete_isid_type_chr_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_blk_files interface is called by the
(deprecated) files_delete_isid_type_blk_files in kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_sockets interface is called by the
(deprecated) files_delete_isid_type_sock_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_pipes interface is called by the
(deprecated) files_delete_isid_type_fifo_files interface in
kernel/files.if.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The kernel_delete_unlabeled_symlinks interface is called by the
files_delete_isid_type_symlinks interface (in kernel/files.if). This
interface is deprecated (and calls kernel_delete_unlabeled_symlinks).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The dropbox application has a feature called "LAN Sync" which works on
TCP & UDP port 17500. Marking this port as dropbox_port_t (instead of
the currently default unreserved_port_t) allows for more fine-grained
access control to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Currently, the /usr/share/cvs/contrib/rcs2log is only labeled as bin_t
for redhat distributions. Moving this to the general one as it is also
in use on other distributions
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>