b8952f6e0d
- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there OBS-URL: https://build.opensuse.org/request/show/894639 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=108
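--- a/fedora-policy-20210419/policy/modules/system/systemd.te
+++ b/fedora-policy-20210419/policy/modules/system/systemd.te
@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t)
 
 # systemd-sleep needs to getattr swap partitions
 storage_getattr_fixed_disk_dev(systemd_sleep_t)
+
+
+#######################################
+#
+# Allow systemd to watch certificate dir for ca-certificates
+#
+watch_dirs_pattern(init_t,cert_t,cert_t)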
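Review bot: `watch_dirs_pattern(init_t,cert_t,cert_t)` grants a permission to init_t from inside systemd.te, directly after the systemd_sleep_t rules, and names init_t and cert_t as raw types instead of going through an interface of the modules that own them; `watch_dirs_pattern(init_t,lib_t,lib_t)` in init.te uses the same raw-type form for lib_t. Keeping every init_t grant in init.te would let the privileges of the PID 1 domain be audited in one place. The rule also applies to every directory labelled cert_t, not only the ca-certificates location the comment mentions, so the comment would be more accurate as `# Allow init_t to watch all cert_t directories (needed by the ca-certificates path unit)`.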
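--- a/fedora-policy-20210419/policy/modules/system/init.te
+++ b/fedora-policy-20210419/policy/modules/system/init.te
@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t,
 # Run /etc/X11/prefdm:
 files_exec_etc_files(init_t)
 files_watch_etc_dirs(init_t)
+files_watch_etc_files(init_t)
 files_read_usr_files(init_t)
+files_watch_usr_dirs(init_t)
+files_watch_usr_files(init_t)
 files_watch_root_dirs(init_t)
 files_write_root_dirs(init_t)
 files_watch_var_dirs(init_t)
@@ -334,6 +337,7 @@ files_remount_rootfs(init_t)
 files_create_var_dirs(init_t)
 files_watch_home(init_t)
 files_watch_all_pid(init_t)
+watch_dirs_pattern(init_t,lib_t,lib_t)
 
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log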
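Review bot: `files_watch_etc_files(init_t)` and `files_watch_usr_files(init_t)` in the first hunk add watch permission on files, while the commit description only speaks of watching the directories /usr, /usr/lib, /etc and /etc/pki. If the path units only monitor directories, these two grants widen init_t beyond what is needed and could be dropped. If a unit does watch an individual file, a comment naming it would justify them, for example `# path unit <unit name> watches files under /etc and /usr`. The added lines carry no comment at all, unlike the neighbouring `# Run /etc/X11/prefdm:`, and `watch_dirs_pattern(init_t,lib_t,lib_t)` in the second hunk would benefit from one stating that it covers /usr/lib.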