newrole: fix denials

dontaudit net_admin access due to setsockopt allow communication with systemd-logind
2017-01-05 11:32:17 +01:00 · 2017-01-05 11:32:17 +01:00 · 9b5d89fcf6
commit 9b5d89fcf6
parent ede0dadc05
1 changed files with 6 additions and 0 deletions
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@ -221,6 +221,7 @@ optional_policy(`
 #

 allow newrole_t self:capability { dac_override fowner setgid setuid };
+dontaudit newrole_t self:capability net_admin;
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
@ -280,6 +281,7 @@ auth_use_nsswitch(newrole_t)
 auth_run_chk_passwd(newrole_t, newrole_roles)
 auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)
+auth_use_pam_systemd(newrole_t)

 # Write to utmp.
 init_rw_utmp(newrole_t)
@ -313,6 +315,10 @@ tunable_policy(`allow_polyinstantiation',`
 	files_polyinstantiate_all(newrole_t)
 ')

+optional_policy(`
+	systemd_use_logind_fds(newrole_t)
+')
+
 ########################################
 #
 # Restorecond local policy