Apply direct_initrc to unconfined_r:unconfined_t
Make it consistent with sysadm_r:sysadm_t. If you build targeted policy, then consider direct_initrc=y. If you build with direct_initrc=n, then both unconfined_r:unconfined_t and sysadm_r:sysadm_t rely on run_init for running services on behalf of the system. Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
parent
2be58db792
commit
493ca67e54
@ -33,8 +33,6 @@ files_create_boot_flag(unconfined_t)
|
||||
mcs_killall(unconfined_t)
|
||||
mcs_ptrace_all(unconfined_t)
|
||||
|
||||
init_run_daemon(unconfined_t, unconfined_r)
|
||||
|
||||
libs_run_ldconfig(unconfined_t, unconfined_r)
|
||||
|
||||
logging_send_syslog_msg(unconfined_t)
|
||||
@ -49,9 +47,15 @@ unconfined_domain(unconfined_t)
|
||||
|
||||
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
seutil_run_runinit(unconfined_t, unconfined_r)
|
||||
seutil_init_script_run_runinit(unconfined_t, unconfined_r)
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
optional_policy(`
|
||||
init_run_daemon(unconfined_t, unconfined_r)
|
||||
')
|
||||
',`
|
||||
ifdef(`distro_gentoo',`
|
||||
seutil_run_runinit(unconfined_t, unconfined_r)
|
||||
seutil_init_script_run_runinit(unconfined_t, unconfined_r)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
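Review bot: In the second hunk, a build without direct_sysadm_daemon on a non-Gentoo distribution appears to leave unconfined_t with neither `init_run_daemon(unconfined_t, unconfined_r)` nor the run_init interfaces, because the `seutil_run_runinit` and `seutil_init_script_run_runinit` calls in the else branch are still nested inside the distro_gentoo ifdef. The commit message says that with direct_initrc=n the domain relies on run_init, so either that distro guard should be dropped in the else branch or a comment should say where other distributions get the access. A short comment above the outer ifdef would also help, for example `# direct_sysadm_daemon (direct_initrc=y): start services directly; otherwise go through run_init`. The page has lost its +/- markers, so which lines are new is inferred from the hunk counts, and the surrounding policy continues outside the hunks.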
@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
|
||||
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
|
||||
# Until order dependence is fixed for users:
|
||||
gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
',`
|
||||
gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
|
||||
')
|
||||
|
||||
#
|
||||
# The following users correspond to Unix identities.
|
||||
|
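Review bot: The direct_sysadm_daemon branch authorizes unconfined_u for system_r as well as unconfined_r, and nothing in the hunk records why. The existing comment `# Until order dependence is fixed for users:` now sits above the ifdef and does not cover it. Because this widens the set of roles an unconfined login is allowed to enter, I would add a line above the first gen_user such as `# system_r is authorized only when unconfined_r starts init scripts directly (direct_initrc=y)`. That reason is inferred from the commit message and should be confirmed by the author. The +/- markers are lost on this page, so the old/new assignment of the gen_user lines is taken from the hunk header counts.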