From 0f71792c8c35059df52f33efc9ac38c700bf2361 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 23 Feb 2024 15:57:52 -0500
Subject: [PATCH] uml: Remove excessive access from user domains on uml_exec_t.

The user domains were allowed to modify uml_exec_t files.

Signed-off-by: Chris PeBenito
---
 policy/modules/apps/uml.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 60033cc40..b690cbdfb 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -45,8 +45,8 @@ template(`uml_role',`
 ps_process_pattern($3, uml_t)
 allow $3 uml_t:process { ptrace signal_perms };
- allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
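Review bot: The two narrowed `allow $2` rules carry no comment saying why uml_exec_t is left out of their type sets, so a later cleanup that lists every uml type could re-add it unnoticed; a line such as `# uml_exec_t is deliberately omitted: user domains must not write or relabel the UML executable type.` above them would record the intent. The risk being closed is presumably that manage and relabel permissions on an executable type let a user domain alter, or relabel its own files into, what runs in uml_t; the transition rule is not visible in this hunk, so confirm that against the rest of the template. After the policy is rebuilt, a query such as `sesearch -A -t uml_exec_t -c file -p write` (and the same with `-p relabelto`) should return no user-domain sources. The body of uml_role starts and ends outside the hunk.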