fs, init: allow systemd-init to set the attributes of efivarfs files
avc: denied { setattr } for pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
48af8ca656
commit
104e2014ea
@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
|
||||
read_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Set the attributes of files in efivarfs
|
||||
## - contains Linux Kernel configuration options for UEFI systems
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`fs_setattr_efivarfs_files',`
|
||||
gen_require(`
|
||||
type efivarfs_t;
|
||||
')
|
||||
|
||||
setattr_files_pattern($1, efivarfs_t, efivarfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
|
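Review bot: The second summary line of the new `fs_setattr_efivarfs_files` interface, `## - contains Linux Kernel configuration options for UEFI systems`, misdescribes what the interface touches: efivarfs exposes UEFI firmware variables (the `LoaderSystemToken-<guid>` file in the commit message is one of them), not kernel configuration options. It looks carried over from the neighbouring `fs_read_efivarfs_files` description, so if that wording is kept for consistency it would be worth fixing both in a follow-up rather than propagating it. The interface also carries `<rolecap/>`, which in this policy marks interfaces that may be handed to user roles; granting `setattr` on firmware variable files is a stronger capability than read, so please confirm the tag is intended rather than copied, and document the reason in the summary if so, e.g. `## Set the attributes of files in efivarfs (UEFI firmware variables).`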
@ -463,6 +463,7 @@ ifdef(`init_systemd',`
|
||||
fs_relabel_tmpfs_chr_files(init_t)
|
||||
fs_relabel_tmpfs_fifo_files(init_t)
|
||||
fs_read_efivarfs_files(init_t)
|
||||
fs_setattr_efivarfs_files(init_t)
|
||||
# for privatetmp functions
|
||||
fs_relabel_tmpfs_dirs(init_t)
|
||||
fs_relabel_tmpfs_files(init_t)
|
||||
|
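Review bot: The added `fs_setattr_efivarfs_files(init_t)` line has no comment explaining why init needs to change attributes of EFI variable files, while the neighbouring tmpfs relabel block is annotated (`# for privatetmp functions`). A one-line comment tying the rule to the denial in the commit message would keep the reason discoverable in the policy itself, e.g. `# systemd sets attributes of EFI variables (e.g. LoaderSystemToken)` placed directly above the new call. Note that `setattr_files_pattern` also implies search on efivarfs directories, which the read interface already provides here, so nothing further is needed. The enclosing `ifdef(`init_systemd'` block starts outside the hunk.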