IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

SELinux Policy: make interfaces for kernel modules non-optional

Browse Source 
Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
This commit is contained in:
François Cami 2020-09-22 13:12:05 +02:00
parent 4b3c4b84d4
commit f774642b63
1 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
selinux/ipa.te
View File

@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
type node_t;
type ipa_pki_retrieve_key_exec_t;
domain_type(ipa_pki_retrieve_key_exec_t)
init_script_file(ipa_pki_retrieve_key_exec_t)
type ipa_pki_retrieve_key_t;
domain_type(ipa_pki_retrieve_key_t)
init_script_file(ipa_pki_retrieve_key_exec_t)
########################################
#
@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
corecmd_exec_bin(ipa_custodia_t)
corecmd_mmap_bin_files(ipa_custodia_t)
dev_read_urand(ipa_custodia_t)
dev_read_rand(ipa_custodia_t)
dev_read_sysfs(ipa_custodia_t)
domain_use_interactive_fds(ipa_custodia_t)
files_mmap_usr_files(ipa_custodia_t)
@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
libs_exec_ldconfig(ipa_custodia_t)
libs_ldconfig_exec_entry_type(ipa_custodia_t)
logging_send_syslog_msg(ipa_custodia_t)
miscfiles_read_generic_certs(ipa_custodia_t)
miscfiles_read_localization(ipa_custodia_t)
@ -441,8 +447,4 @@ optional_policy(`
optional_policy(`
java_exec(ipa_custodia_pki_tomcat_t)
# allow Java to read system status and RNG
dev_read_urand(ipa_custodia_t)
dev_read_rand(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
dev_read_sysfs(ipa_custodia_t)
')