cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
the dhcp client (another separate patch makes changes to the
ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
domains (e.g. gnome session).
Thanks to Jason Zaman for pointing out the correct interface to
achieve this.
This new version fixes a typographic error in the previous version.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following has been in my tree for a few years. It allows initrc_t to stat
devices early in the boot process.
>From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
(device_t) early on boot, soon later the node context is properly reset
(debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t. I can't seem to find the
reason it was set that way originally.
Signed-off-by: Garrett Holmstrom <gholms@devzero.com>
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.
Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata
V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces
Signed-off-by: Dominick Grift <dac.override@gmail.com>
With the new "cgroup2" system added in kernel 4.5, systemd is getting
selinux denials when manipulating the cgroup hierarchy.
Pull request in systemd with cgroup2 support:
https://github.com/systemd/systemd/pull/2903
AVC when writing process numbers to move them to the right cgroup:
Mar 29 19:58:30 rawhide kernel: audit: type=1400
audit(1459295910.257:68): avc: denied { write } for pid=1
comm="systemd" name="cgroup.procs" dev="cgroup2" ino=6
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
In this case new filesystem "cgroup2" need to be labeled as cgroup_t.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>