selinux-refpolicy/policy
Sugar, David e1ccf0ce02 Allow systemd to getattr all files
Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various paths/files/directories to control starting a
service.  But this requires getattr permissions on the types.
Example denials that fit the problem:

The first example is from lvm when accessing a config file.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added
the conditional in a drop-in file.

type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

v3 - rework to not use interface and allow getattr for all files

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-02-08 09:38:25 -05:00
Directory            Last commit                                                                        Date
flask                Add perf_event access vectors.                                                     2020-01-29 09:58:40 -05:00
modules              Allow systemd to getattr all files                                                 2020-02-08 09:38:25 -05:00
support              Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes           2020-01-16 09:17:56 -05:00
constraints          Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes           2020-01-16 09:17:56 -05:00
context_defaults
global_booleans
global_tunables
mcs                  refpolicy: Update for kernel sctp support                                          2018-03-21 14:14:37 -04:00
mls                  Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes           2020-01-16 09:17:56 -05:00
policy_capabilities  Enable cgroup_seclabel and nnp_nosuid_transition.                                  2018-01-16 18:52:39 -05:00
users