2c0c138859
- Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in its own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172
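Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te
===================================================================
--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te
+++ fedora-policy-20230206/policy/modules/contrib/entropyd.te
@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)
 type entropyd_var_run_t;
 files_pid_file(entropyd_var_run_t)
 
+type entropyd_tmpfs_t;
+files_tmpfs_file(entropyd_tmpfs_t)
+
 ########################################
 #
 # Local policy
@@ -36,6 +39,10 @@ allow entropyd_t self:process signal_per
 manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
 files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
 
+manage_dirs_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
+manage_files_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
+fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })
+
 kernel_read_system_state(entropyd_t)
 kernel_rw_kernel_sysctl(entropyd_t)
 
@@ -47,6 +54,8 @@ dev_write_rand(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+# not great, but necessary for now since I can't get sem.haveged_sem to have a proper label
+fs_rw_tmpfs_files(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 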
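Review bot: `fs_rw_tmpfs_files(entropyd_t)` in the third hunk grants read/write on every file that carries the generic tmpfs_t label, which reaches well beyond the haveged semaphore the comment describes — any object on /dev/shm or another tmpfs that never received a specific label becomes writable by entropyd_t. The same patch already gives that semaphore its own type (entropyd_tmpfs_t, plus the kernel_t named transition in entropyd.if), so the broad rule appears to be a fallback for objects created before that transition applies; the comment should say what has to be true before it can be dropped, e.g. `# TODO: remove once sem.haveged_sem is reliably created as entropyd_tmpfs_t (see entropyd_semaphore_filetrans)`. In the second hunk, `fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })` is unnamed, so every file entropyd_t creates on tmpfs gets entropyd_tmpfs_t; if the semaphore is the only tmpfs object the daemon creates, pinning the name as the .if interface does would keep the two consistent: `fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, file, "sem.haveged_sem")`.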
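Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if
===================================================================
--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if
+++ fedora-policy-20230206/policy/modules/contrib/entropyd.if
@@ -33,3 +33,22 @@ interface(`entropyd_admin',`
 files_search_pids($1)
 admin_pattern($1, entropyd_var_run_t)
 ')
+
+########################################
+## <summary>
+## Transition kernel created semaphore to correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`entropyd_semaphore_filetrans',`
+ gen_require(`
+ type entropyd_tmpfs_t;
+ ')
+
+ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")
+')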
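Review bot: The `<rolecap/>` tag on the new `entropyd_semaphore_filetrans` interface looks carried over from the `entropyd_admin` interface above it; as far as I can tell that tag marks interfaces that hand a capability to a user role, whereas this one is a named file transition whose only caller in this patch is kernel_t in kernel.te, so the tag should probably be dropped. The summary would also be more useful if it named the object and target type the rule is keyed on, since both are hard-coded in the body, e.g. `## Transition the kernel-created "sem.haveged_sem" in tmpfs to entropyd_tmpfs_t.`.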
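Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
===================================================================
--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
@@ -401,6 +401,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ entropyd_semaphore_filetrans(kernel_t)
+')
+
+optional_policy(`
 abrt_filetrans_named_content(kernel_t)
 abrt_dump_oops_domtrans(kernel_t)
 ')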