diff options
| author |   Yi Zhao <yi.zhao@windriver.com> | 2021-03-02 14:25:03 +0800 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2021-10-31 15:52:22 -0700 |
| commit | 99cab1c32c2d7a005da63bd66a1837181139768d (patch) | |
| tree | 6b0f665c7cdc204c596af64ebc3d5391e9436bf8 /policy/modules/system/selinuxutil.te | |
| parent | usermanage: do not audit attempts to getattr of proc for passwd_t and useradd_t (diff) | |
| download | hardened-refpolicy-99cab1c32c2d7a005da63bd66a1837181139768d.tar.gz hardened-refpolicy-99cab1c32c2d7a005da63bd66a1837181139768d.tar.bz2 hardened-refpolicy-99cab1c32c2d7a005da63bd66a1837181139768d.zip | |
selinuxutil: allow setfiles_t to read kernel sysctl
Fixes:
avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap"
dev="proc" ino=1241
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { open } for pid=171 comm="restorecon"
path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { getattr } for pid=171 comm="restorecon" name="/"
dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules/system/selinuxutil.te')
| -rw-r--r-- | policy/modules/system/selinuxutil.te | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 293f6817..859682b7 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -607,6 +607,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t) kernel_dontaudit_list_all_proc(setfiles_t) kernel_dontaudit_list_all_sysctls(setfiles_t) kernel_getattr_debugfs(setfiles_t) +kernel_read_kernel_sysctls(setfiles_t) +kernel_dontaudit_getattr_proc(setfiles_t) dev_read_urand(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t) |