Allow map access to cjdns_exec_t. lvrabec@redhat.com says it's legit.
parent
66beed5a14
commit
07af323c93
|
@ -1,6 +1,6 @@
|
||||||
diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
|
diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
|
||||||
--- ./contrib/selinux/cjdns.te.selinux 2015-11-02 17:59:41.000000000 -0500
|
--- ./contrib/selinux/cjdns.te.selinux 2018-01-30 19:04:59.000000000 -0500
|
||||||
+++ ./contrib/selinux/cjdns.te 2015-11-03 00:10:49.098890187 -0500
|
+++ ./contrib/selinux/cjdns.te 2018-03-05 01:15:40.302169785 -0500
|
||||||
@@ -7,8 +7,8 @@ require {
|
@@ -7,8 +7,8 @@ require {
|
||||||
type port_t;
|
type port_t;
|
||||||
type unreserved_port_t;
|
type unreserved_port_t;
|
||||||
|
@ -11,11 +11,13 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
|
||||||
}
|
}
|
||||||
|
|
||||||
type cjdns_t;
|
type cjdns_t;
|
||||||
@@ -18,23 +18,23 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
|
@@ -17,24 +17,24 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
|
||||||
|
|
||||||
#============= cjdns_t ==============
|
#============= cjdns_t ==============
|
||||||
# Let master process run further restricted subprocess
|
# Let master process run further restricted subprocess
|
||||||
allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
|
-allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod };
|
||||||
-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
|
-allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot sys_module };
|
||||||
|
+allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };
|
||||||
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
|
+allow cjdns_t self:capability { net_admin net_raw setuid setgid sys_chroot };
|
||||||
allow cjdns_t self:process { signal getcap setrlimit setcap };
|
allow cjdns_t self:process { signal getcap setrlimit setcap };
|
||||||
-allow cjdns_t kernel_t:system module_request;
|
-allow cjdns_t kernel_t:system module_request;
|
||||||
|
|
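Review bot: The new rule `allow cjdns_t cjdns_exec_t:file { execute_no_trans execmod map };` widens the policy without any comment saying why `map` is needed; the only justification is the commit message. I would add a line above it in the patched cjdns.te such as `# map: the master process mmaps its own binary when it re-executes itself; needed where the kernel enforces the file map check`, worded to match the denial that was actually logged. `map` now sits next to `execmod`, so the domain may both map and modify the text of its own executable, and it is worth confirming that `execmod` is still required rather than carried over. Presumably the module will also fail to build against a base policy whose `file` class does not yet define `map`, so the packaging should state the minimum policy version it supports.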