minissdpd: Revoke kernel module loading permissions.
This domain also calls kernel_request_load_module(), which should be sufficent. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
This commit is contained in:
parent
5671390e2c
commit
1c20c002cd
|
@ -23,7 +23,7 @@ files_runtime_file(minissdpd_runtime_t)
|
||||||
# Local policy
|
# Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow minissdpd_t self:capability { net_admin sys_module };
|
allow minissdpd_t self:capability net_admin;
|
||||||
allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
|
allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||||
allow minissdpd_t self:udp_socket create_socket_perms;
|
allow minissdpd_t self:udp_socket create_socket_perms;
|
||||||
allow minissdpd_t self:unix_dgram_socket create_socket_perms;
|
allow minissdpd_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
@ -33,7 +33,6 @@ allow minissdpd_t minissdpd_runtime_t:file manage_file_perms;
|
||||||
allow minissdpd_t minissdpd_runtime_t:sock_file manage_sock_file_perms;
|
allow minissdpd_t minissdpd_runtime_t:sock_file manage_sock_file_perms;
|
||||||
files_runtime_filetrans(minissdpd_t, minissdpd_runtime_t, { file sock_file })
|
files_runtime_filetrans(minissdpd_t, minissdpd_runtime_t, { file sock_file })
|
||||||
|
|
||||||
kernel_load_module(minissdpd_t)
|
|
||||||
kernel_read_network_state(minissdpd_t)
|
kernel_read_network_state(minissdpd_t)
|
||||||
kernel_request_load_module(minissdpd_t)
|
kernel_request_load_module(minissdpd_t)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue