From 07af323c930b1750014628bf8b0882ef044df8c5 Mon Sep 17 00:00:00 2001
From: "Stuart D. Gathman"
Date: Mon, 5 Mar 2018 11:40:01 -0500
Subject: [PATCH] Allow map access to cjdns_exec_t.

lvrabec@redhat.com says it's legit.
---
 cjdns.selinux.patch | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/cjdns.selinux.patch b/cjdns.selinux.patch
index 34680df..77d3052 100644
--- a/cjdns.selinux.patch
+++ b/cjdns.selinux.patch
@@ -1,6 +1,6 @@
 diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
---- ./contrib/selinux/cjdns.te.selinux 2015-11-02 17:59:41.000000000 -0500
-+++ ./contrib/selinux/cjdns.te 2015-11-03 00:10:49.098890187 -0500
+--- ./contrib/selinux/cjdns.te.selinux 2018-01-30 19:04:59.000000000 -0500
++++ ./contrib/selinux/cjdns.te 2018-03-05 01:15:40.302169785 -0500
 @@ -7,8 +7,8 @@ require {
   type port_t;
   type unreserved_port_t;
@@ -11,11 +11,13 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
  }
  type cjdns_t;
-@@ -18,23 +18,23 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
+@@ -17,24 +17,24 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
+ #============= cjdns_t ==============
  # Let master process run further restricted subprocess
- allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
+-allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
 -allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
++allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };
 +allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
  allow cjdns_t self:process { signal getcap setrlimit setcap };
 -allow cjdns_t kernel_t:system module_request;