systemd: Minor coredump fixes.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
This commit is contained in:
Chris PeBenito
Chris PeBenito
parent
21d7f4415e
commit
59136d8a7c
|
|
@ -720,6 +720,26 @@ interface(`corecmd_read_all_executables',`
|
|||
read_files_pattern($1, exec_type, exec_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mmap read-only all executable files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`corecmd_mmap_read_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
mmap_read_files_pattern($1, exec_type, exec_type)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute all executable files.
|
||||
|
|
|
|||
|
|
@ -443,14 +443,14 @@ ifdef(`enable_mls',`
|
|||
# coredump local policy
|
||||
#
|
||||
|
||||
allow systemd_coredump_t self:capability { setgid setuid setpcap sys_ptrace };
|
||||
allow systemd_coredump_t self:capability { dac_read_search setgid setuid setpcap sys_ptrace };
|
||||
dontaudit systemd_coredump_t self:capability { dac_override net_admin };
|
||||
allow systemd_coredump_t self:cap_userns { sys_admin sys_ptrace };
|
||||
allow systemd_coredump_t self:process { getcap setcap setfscreate };
|
||||
allow systemd_coredump_t self:user_namespace create;
|
||||
allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
|
||||
allow systemd_coredump_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow systemd_coredump_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
dontaudit systemd_coredump_t self:capability net_admin;
|
||||
|
||||
mmap_manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
|
||||
|
||||
|
|
@ -461,7 +461,7 @@ kernel_rw_pipes(systemd_coredump_t)
|
|||
kernel_use_fds(systemd_coredump_t)
|
||||
|
||||
corecmd_exec_bin(systemd_coredump_t)
|
||||
corecmd_read_all_executables(systemd_coredump_t)
|
||||
corecmd_mmap_read_all_executables(systemd_coredump_t)
|
||||
|
||||
dev_write_kmsg(systemd_coredump_t)
|
||||
|
||||
|
|
@ -472,12 +472,9 @@ files_read_etc_files(systemd_coredump_t)
|
|||
files_search_var_lib(systemd_coredump_t)
|
||||
files_mounton_root(systemd_coredump_t)
|
||||
|
||||
fs_getattr_xattr_fs(systemd_coredump_t)
|
||||
fs_getattr_all_fs(systemd_coredump_t)
|
||||
fs_getattr_nsfs_files(systemd_coredump_t)
|
||||
fs_search_cgroup_dirs(systemd_coredump_t)
|
||||
fs_getattr_cgroup(systemd_coredump_t)
|
||||
|
||||
selinux_getattr_fs(systemd_coredump_t)
|
||||
|
||||
init_list_var_lib_dirs(systemd_coredump_t)
|
||||
init_read_state(systemd_coredump_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue