
Commit 89488a5

authored
Merge pull request #559 from yizhao1/fixes
Systemd fixes
2 parents eff8a2b + c572595 commit 89488a5


2 files changed

+10
-4
lines changed


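--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -3,6 +3,9 @@
 /usr/bin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
 /usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)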

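--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -360,7 +360,7 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
-kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
+kernel_read_kernel_sysctls(systemd_backlight_t)
 
 # for udev.conf
 files_read_etc_files(systemd_backlight_t)
@@ -370,6 +370,9 @@ udev_read_runtime_files(systemd_backlight_t)
 
 files_search_var_lib(systemd_backlight_t)
 
+fs_getattr_all_fs(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
@@ -469,7 +472,7 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:capability { dac_override sys_admin };
 allow systemd_generator_t self:process setfscreate;
 
 corecmd_exec_shell(systemd_generator_t)
@@ -699,6 +702,7 @@ fs_getattr_all_fs(systemd_hostnamed_t)
 
 selinux_use_status_page(systemd_hostnamed_t)
 
+seutil_read_config(systemd_hostnamed_t)
 seutil_read_file_contexts(systemd_hostnamed_t)
 
 sysnet_etc_filetrans_config(systemd_hostnamed_t)
@@ -1391,8 +1395,7 @@ manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_v
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
 
-fs_getattr_cgroup(systemd_rfkill_t)
-fs_getattr_xattr_fs(systemd_rfkill_t)
+fs_getattr_all_fs(systemd_rfkill_t)
 
 kernel_getattr_proc(systemd_rfkill_t)
 kernel_read_kernel_sysctls(systemd_rfkill_t)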
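Review bot: The `sys_admin` capability added to `systemd_generator_t` at new line 475 has no comment saying which generator needs it or which denial prompted it, and CAP_SYS_ADMIN is the broadest capability this domain could be given. The same domain gets `corecmd_exec_shell` three lines later, so a shell run by a generator would presumably hold the capability too, unless a transition outside this hunk applies. I would put a why-comment above the rule, for example `# <generator name> needs sys_admin for <operation> (AVC: <denial reference>)`. It is also worth confirming from the audit log that the generator really fails without the capability; if the denial is only noise, `dontaudit systemd_generator_t self:capability sys_admin;` is the narrower choice. The generator policy block starts and ends outside the hunk, so existing comments there are not visible from here.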
