grant rpm_t permission to map security_t
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 v2 - Create new interface to allow mapping security_t and use this interface by rpm_t Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
parent
b85c93b582
commit
2831598bb5
@ -185,6 +185,7 @@ selinux_compute_access_vector(rpm_t)
|
||||
selinux_compute_create_context(rpm_t)
|
||||
selinux_compute_relabel_context(rpm_t)
|
||||
selinux_compute_user_contexts(rpm_t)
|
||||
selinux_map_security_files(rpm_t)
|
||||
|
||||
storage_raw_write_fixed_disk(rpm_t)
|
||||
storage_raw_read_fixed_disk(rpm_t)
|
||||
|
@ -635,6 +635,26 @@ interface(`selinux_compute_user_contexts',`
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows caller to map secuirty_t files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
interface(`selinux_map_security_files',`
|
||||
gen_require(`
|
||||
type security_t;
|
||||
')
|
||||
|
||||
dev_search_sysfs($1)
|
||||
allow $1 security_t:file map;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to the SELinux kernel security server.
|
||||
|
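Review bot: The summary of the new selinux_map_security_files interface misspells the type name in `## Allows caller to map secuirty_t files.`; since these XML summaries are extracted into the interface reference, it should read `## Allows caller to map security_t files.` The interface grants only `allow $1 security_t:file map;`, and the kernel checks map in addition to the read (or write/execute) permission the mapping itself requires, so a domain that has not been given read on security_t files through another interface would still be denied; the single map denial logged under permissive=1 suggests rpm_t already has read, but that dependency is not stated anywhere. A sentence in the summary would make it explicit, e.g. `## Only the map permission is granted; the caller must also have read access to security_t files.` The new interface definition is complete within the hunk; the selinux_compute_user_contexts interface in the leading context starts outside it.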