diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
index 13027bbbc..6dbf43888 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -33,7 +33,7 @@ files_pid_file(quota_nld_runtime_t)
 # Local policy
 #
-allow quota_t self:capability { dac_override sys_admin };
+allow quota_t self:capability { dac_override sys_admin linux_immutable };
 dontaudit quota_t self:capability sys_tty_config;
 allow quota_t self:process signal_perms;
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index e5646b0a7..2fa0609c9 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',`
 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/atril/atrild -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 7d4a6cae6..b41e717b4 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -85,6 +85,7 @@ dev_read_urand(dnsmasq_t)
 domain_use_interactive_fds(dnsmasq_t)
 files_read_etc_runtime_files(dnsmasq_t)
+files_watch_etc_dirs(dnsmasq_t)
 fs_getattr_all_fs(dnsmasq_t)
 fs_search_auto_mountpoints(dnsmasq_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8a00275e1..9c62402ef 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -218,6 +218,7 @@ logging_rw_generic_logs(init_t)
 logging_create_devlog(init_t)
 seutil_read_config(init_t)
+seutil_read_default_contexts(init_t)
 miscfiles_read_localization(init_t)
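Review bot: The `linux_immutable` added to the quota_t self:capability rule carries no comment saying why it is needed, and CAP_LINUX_IMMUTABLE lets the domain set and clear the immutable and append-only inode attributes on any file it can already modify, so it deserves an in-place justification like other capability grants. Presumably the trigger is quotacheck, which toggles the immutable attribute on the quota files while it rebuilds them — confirm against the denial that motivated the change. Suggest a comment directly above the rule: `# linux_immutable: quotacheck sets/clears the immutable attribute on quota files while rebuilding them`.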
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 967341f9e..662cbce50 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -212,6 +212,8 @@ read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 allow lvm_t lvm_etc_t:file map;
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+# create /etc/lvm/archive
+allow lvm_t lvm_etc_t:dir create_dir_perms;
 # Map for vgchange on /etc/lvm/backup/ files
 allow lvm_t lvm_metadata_t:file map;
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 25a286a52..91f40d215 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -527,6 +527,7 @@ miscfiles_read_localization(semanage_t)
 seutil_libselinux_linked(semanage_t)
 seutil_manage_file_contexts(semanage_t)
 seutil_manage_config(semanage_t)
+seutil_manage_config_dirs(semanage_t)
 seutil_run_setfiles(semanage_t, semanage_roles)
 seutil_run_loadpolicy(semanage_t, semanage_roles)
 seutil_manage_bin_policy(semanage_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index e7b3babe8..bfdb4560a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -24,7 +24,7 @@ template(`systemd_role_template',`
 gen_require(`
 attribute systemd_user_session_type, systemd_log_parse_env_type;
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
- type systemd_run_exec_t;
+ type systemd_run_exec_t, systemd_analyze_exec_t;
 ')
 #################################
@@ -60,7 +60,7 @@ template(`systemd_role_template',`
 # Allow using file descriptors for user environment generators
 allow $3 $1_systemd_t:fd use;
- can_exec($3, systemd_run_exec_t)
+ can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 ')
 ######################################
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9220b00f9..6a1cc0bc6 100644
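Review bot: The new `allow lvm_t lvm_etc_t:dir create_dir_perms;` in lvm.te is a raw allow rule placed between read_files_pattern and read_lnk_files_pattern calls; for consistency with those neighbours the refpolicy idiom would be `create_dirs_pattern(lvm_t, lvm_etc_t, lvm_etc_t)`, which grants the same create access on lvm_etc_t directories. Creating a subdirectory also needs `add_name`/`write` on the parent lvm_etc_t directory; the `# Write to /etc/lvm ...` rules that follow presumably cover that — confirm rather than assume. The comment `# create /etc/lvm/archive` would be more useful if it named the tool that creates the directory. The block of lvm_t rules continues outside the hunk.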
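Review bot: The gen_require in the first systemd.if hunk now requires `systemd_analyze_exec_t`, but no declaration of that type appears in the systemd.te hunk on this page; unless it is already declared elsewhere, the module will fail to build — confirm. The widened `can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })` in the second hunk has no comment saying why both binaries run in the caller's domain without a transition, while the fd rule two lines above is commented; a line such as `# systemd-run and systemd-analyze run in the caller's domain, no transition needed` would keep the template readable. Both hunks sit inside systemd_role_template, which begins and ends outside them.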
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -339,6 +339,8 @@ fs_list_efivars(systemd_efi_generator_t)
 dev_write_sysfs_dirs(systemd_fstab_generator_t)
+files_search_all_mountpoints(systemd_fstab_generator_t)
+
 fstools_exec(systemd_fstab_generator_t)
 systemd_log_parse_environment(systemd_fstab_generator_t)