selinux-refpolicy/policy/modules/system
Dave Sugar f865919872 Interface to read /run/systemd/resolve/resolv.conf
With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf. Allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.

type=AVC msg=audit(1523455881.596:214): avc:  denied  { search } for  pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc:  denied  { read } for  pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc:  denied  { open } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc:  denied  { getattr } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
application.fc
application.if
application.te
authlogin.fc Move the use of var_log_t from authlogin.fc to logging.fc 2018-04-12 18:44:50 -04:00
authlogin.if
authlogin.te Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
clock.fc
clock.if
clock.te
fstools.fc dphysswapfile: add interfaces and sysadm access 2017-09-14 17:19:55 -04:00
fstools.if dphysswapfile: add interfaces and sysadm access 2017-09-14 17:19:55 -04:00
fstools.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
getty.fc
getty.if
getty.te
hostname.fc
hostname.if
hostname.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
hotplug.fc
hotplug.if
hotplug.te
init.fc Move use of systemd_unit_t from systemd.fc to init.fc 2018-04-12 18:44:50 -04:00
init.if init: add init_rw_inherited_stream_socket 2018-01-05 15:35:06 -05:00
init.te Fix problems booting with fips=1 2018-04-17 20:14:50 -04:00
ipsec.fc
ipsec.if
ipsec.te Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
iptables.fc
iptables.if
iptables.te iptables: Module version bump. 2018-03-09 17:09:50 -05:00
libraries.fc libraries: Add fc entry for musl's ld.so config 2017-11-14 18:32:46 -05:00
libraries.if Add new mmap permission set and pattern support macros. 2017-12-13 18:58:34 -05:00
libraries.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
locallogin.fc
locallogin.if
locallogin.te Misc dbus fixes from Russell Coker. 2018-02-15 17:07:08 -05:00
logging.fc Move the use of var_log_t from authlogin.fc to logging.fc 2018-04-12 18:44:50 -04:00
logging.if logging: Various audit tools (auditctl, ausearch, etc) map their config and logs 2017-09-12 19:29:34 -04:00
logging.te Fix problems booting with fips=1 2018-04-17 20:14:50 -04:00
lvm.fc
lvm.if
lvm.te Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
metadata.xml
miscfiles.fc base: create a type for SSL private keys 2017-11-09 17:28:26 -05:00
miscfiles.if base: create a type for SSL private keys 2017-11-09 17:28:26 -05:00
miscfiles.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
modutils.fc
modutils.if modutils: libkmod mmap()s modules.dep and *.ko's 2017-09-11 20:31:23 -04:00
modutils.te Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
mount.fc
mount.if
mount.te
netlabel.fc
netlabel.if
netlabel.te
selinuxutil.fc
selinuxutil.if selinuxutil: Add map permissions necessary for semanage 2017-09-11 20:31:23 -04:00
selinuxutil.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
setrans.fc
setrans.if
setrans.te
sysnetwork.fc policy for systemd-networkd 2017-10-12 18:38:54 -04:00
sysnetwork.if Interface to read /run/systemd/resolve/resolv.conf 2018-04-17 20:14:50 -04:00
sysnetwork.te Bump module versions for release. 2018-01-14 14:08:09 -05:00
systemd.fc Move use of systemd_unit_t from systemd.fc to init.fc 2018-04-12 18:44:50 -04:00
systemd.if Interface to read /run/systemd/resolve/resolv.conf 2018-04-17 20:14:50 -04:00
systemd.te Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
udev.fc
udev.if init: allow systemd to relabel /dev and /run 2017-09-11 20:03:31 -04:00
udev.te Fix problems booting with fips=1 2018-04-17 20:14:50 -04:00
unconfined.fc
unconfined.if
unconfined.te Misc dbus fixes from Russell Coker. 2018-02-15 17:07:08 -05:00
userdomain.fc Move use of user_devpts_t from terminal.fc to userdomain.fc 2018-04-12 18:44:50 -04:00
userdomain.if Mark unused parameters as unused 2018-04-12 18:44:50 -04:00
userdomain.te Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00