systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Associate the type memory_pressure_t with the attribute file_type, so
all attribute based rules apply, e.g. for unconfined_t.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
SELint version 1.5 emits issues for missing or unused declarations of
userspace classes:
init.te: 270: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 312: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1116: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
init.te: 1124: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1132: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1136: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
init.te: 1137: (W): No explicit declaration for userspace class service. You should access it via interface call or use a require block. (W-001)
unconfined.te: 64: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
systemd.te: 1250: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
systemd.te: 1377: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 56: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 157: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
devicekit.te: 297: (W): No explicit declaration for userspace class dbus. You should access it via interface call or use a require block. (W-001)
kernel.te: 566: (W): No explicit declaration for userspace class system. You should access it via interface call or use a require block. (W-001)
chromium.if: 139: (W): Class dbus is listed in require block but not used in interface (W-003)
init.if: 1192: (W): Class system is used in interface but not required (W-002)
init.if: 1210: (W): Class system is used in interface but not required (W-002)
init.if: 1228: (W): Class system is used in interface but not required (W-002)
init.if: 1246: (W): Class system is used in interface but not required (W-002)
init.if: 1264: (W): Class system is used in interface but not required (W-002)
init.if: 1282: (W): Class system is used in interface but not required (W-002)
init.if: 1300: (W): Class system is used in interface but not required (W-002)
init.if: 1318: (W): Class system is used in interface but not required (W-002)
init.if: 1393: (W): Class bpf is listed in require block but is not a userspace class (W-003)
unconfined.if: 34: (W): Class service is listed in require block but not used in interface (W-003)
systemd.if: 144: (W): Class system is used in interface but not required (W-002)
systemd.if: 159: (W): Class service is used in interface but not required (W-002)
systemd.if: 160: (W): Class service is used in interface but not required (W-002)
systemd.if: 413: (W): Class system is used in interface but not required (W-002)
systemd.if: 437: (W): Class system is used in interface but not required (W-002)
systemd.if: 461: (W): Class system is used in interface but not required (W-002)
postgresql.if: 31: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 37: (W): Class db_language is listed in require block but not used in interface (W-003)
postgresql.if: 465: (W): Class db_database is listed in require block but not used in interface (W-003)
postgresql.if: 471: (W): Class db_language is listed in require block but not used in interface (W-003)
xserver.if: 370: (W): Class x_property is listed in require block but not used in interface (W-003)
Found the following issue counts:
W-001: 14
W-002: 14
W-003: 8
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Cilium is a kubernetes CNI powered by BPF. Its daemon pods run as super
privileged containers which require various accesses in order to load
BPF programs and modify the host network.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
When starting up adbd via the adb initscript, there is a command like:
mount -o uid=2000,gid=2000 -t functionfs adb /dev/usb-ffs/adb
which will cause the denial below because of the lack of functionfs related contexts.
avc: denied { mount } for pid=346 comm="mount" name="/"
dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
Signed-off-by: Kai Meng <quic_kmeng@quicinc.com>
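As an added illustration (not part of the commit above or of refpolicy), the following parser takes an AVC denial like the one quoted in that commit, splits it into its fields, and points at the likely policy gap: a target of unlabeled_t on a filesystem class means the filesystem has no labeling rule yet. The sample input is the denial from the commit, re-joined onto one line; the wrapped three-line form from the commit is handled as well. The diagnosis wording is this example's own, not text from the policy.

```python
import re
from dataclasses import dataclass

# Constructed sample: the denial quoted in the commit message above, as a
# single audit-log line.
SAMPLE_DENIAL = (
    'avc: denied { mount } for pid=346 comm="mount" name="/" '
    'dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1'
)

# Same denial, wrapped across lines the way it appears in the commit message.
SAMPLE_DENIAL_WRAPPED = (
    'avc: denied { mount } for pid=346 comm="mount" name="/"\n'
    'dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0\n'
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1'
)

# "avc: denied { perm1 perm2 } for key=value ..." header and key=value pairs.
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcRecord:
    result: str          # "denied" or "granted"
    permissions: list    # permissions inside the braces, e.g. ["mount"]
    fields: dict         # pid, comm, name, dev, ino, scontext, tcontext, tclass, ...

    def type_of(self, ctx_key):
        """Return the type field (third component) of a user:role:type:level context."""
        parts = self.fields.get(ctx_key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""


def parse_avc(text):
    """Parse one AVC message (possibly wrapped over several lines); None if not an AVC line."""
    m = _AVC_RE.search(" ".join(text.split()))  # collapse newlines/extra spaces
    if not m:
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)


def diagnose(rec):
    """Explain, in plain words, what a policy writer should look at for this record."""
    notes = []
    if rec.type_of("tcontext") == "unlabeled_t":
        if rec.fields.get("tclass") == "filesystem":
            notes.append(
                'filesystem "%s" has no labeling rule (genfscon/fs_use_*): '
                'the target is unlabeled_t, so add contexts for it rather than '
                'allowing %s on unlabeled_t' % (rec.fields.get("dev"), rec.type_of("scontext"))
            )
        else:
            notes.append("target object is unlabeled_t: check file contexts / relabel")
    if rec.fields.get("permissive") == "1":
        notes.append("domain was permissive: the access went through here but would "
                     "be blocked in enforcing mode")
    return notes


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_DENIAL)
    print(rec.result, rec.permissions, rec.type_of("scontext"), "->", rec.type_of("tcontext"))
    for note in diagnose(rec):
        print(" -", note)
```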
* patches to nspawn policy.
Allow it netlink operations and creating udp sockets
Allow remounting and reading sysfs
Allow stat cgroup filesystem
Make it create fifos and sock_files in the right context
Allow mounting the selinux fs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use the new mounton_dir_perms and mounton_file_perms macros
Signed-off-by: Russell Coker <russell@coker.com.au>
* Corrected macro name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed description of files_mounton_kernel_symbol_table
Signed-off-by: Russell Coker <russell@coker.com.au>
* systemd: Move lines in nspawn.
No rule changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
* Patches for mon, mostly mon local monitoring.
Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed the issues from the review
Signed-off-by: Russell Coker <russell@coker.com.au>
* Specify name to avoid conflicting file trans
Signed-off-by: Russell Coker <russell@coker.com.au>
* fixed dontaudi_ typo
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove fsdaemon_read_lib as it was already merged
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changes to storage.fc, smartmon, samba and lvm
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add the interfaces this patch needs
Signed-off-by: Russell Coker <russell@coker.com.au>
* use manage_sock_file_perms for sock_file
Signed-off-by: Russell Coker <russell@coker.com.au>
* Renamed files_watch_all_file_type_dir to files_watch_all_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use read_files_pattern
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
file saved before shutting down or rebooting the system
and rework the interface needed to manage such file.
Use the newly created interface to fix the init policy
and deprecate the old one in the kernel files module.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/kernel/files.if | 29 +++++++++++++++++++++++------
policy/modules/system/init.fc | 3 ++-
policy/modules/system/init.if | 24 ++++++++++++++++++++++++
policy/modules/system/init.te | 7 +++++--
4 files changed, 54 insertions(+), 9 deletions(-)
IIO sensors to D-Bus proxy
Industrial I/O subsystem is intended to provide support for devices
that in some sense are analog to digital or digital to analog converters.
Devices that fall into this category are:
* ADCs
* Accelerometers
* Gyros
* IMUs
* Capacitance to Digital Converters (CDCs)
* Pressure Sensors
* Color, Light and Proximity Sensors
* Temperature Sensors
* Magnetometers
* DACs
* DDS (Direct Digital Synthesis)
* PLLs (Phase Locked Loops)
* Variable/Programmable Gain Amplifiers (VGA, PGA)
Signed-off-by: Russell Coker <russell@coker.com.au>
and monitoring the Quectel EG25 modem on a running system. It is used on the
PinePhone (Pro) and performs the following functions:
* power on/off
* startup configuration using AT commands
* AGPS data upload
* status monitoring (and restart if it becomes unavailable)
Homepage: https://gitlab.com/mobian1/eg25-manager
Signed-off-by: Russell Coker <russell@coker.com.au>