| 1 |
commit: a805901283fe872c7236336867701f1834274307 |
| 2 |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
| 3 |
AuthorDate: Mon Dec 14 21:19:24 2015 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Jan 30 16:45:01 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8059012 |
| 7 |
|
| 8 |
Give some systemd domain access to /proc/sys/kernel/random/boot_id |
| 9 |
|
| 10 |
policy/modules/system/systemd.te | 8 ++++++++ |
| 11 |
1 file changed, 8 insertions(+) |
| 12 |
|
| 13 |
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te |
| 14 |
index 1f70a93..2376af3 100644 |
| 15 |
--- a/policy/modules/system/systemd.te |
| 16 |
+++ b/policy/modules/system/systemd.te |
| 17 |
@@ -129,6 +129,8 @@ kernel_dgram_send(systemd_cgroups_t) |
| 18 |
# locale local policy |
| 19 |
# |
| 20 |
|
| 21 |
+kernel_read_kernel_sysctls(systemd_locale_t) |
| 22 |
+ |
| 23 |
files_read_etc_files(systemd_locale_t) |
| 24 |
|
| 25 |
logging_send_syslog_msg(systemd_locale_t) |
| 26 |
@@ -145,6 +147,8 @@ optional_policy(` |
| 27 |
# Hostnamed policy |
| 28 |
# |
| 29 |
|
| 30 |
+kernel_read_kernel_sysctls(systemd_hostnamed_t) |
| 31 |
+ |
| 32 |
files_read_etc_files(systemd_hostnamed_t) |
| 33 |
|
| 34 |
logging_send_syslog_msg(systemd_hostnamed_t) |
| 35 |
@@ -174,6 +178,8 @@ manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_lo |
| 36 |
manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t) |
| 37 |
files_search_pids(systemd_logind_t) |
| 38 |
|
| 39 |
+kernel_read_kernel_sysctls(systemd_logind_t) |
| 40 |
+ |
| 41 |
auth_manage_faillog(systemd_logind_t) |
| 42 |
|
| 43 |
dev_rw_sysfs(systemd_logind_t) |
| 44 |
@@ -236,6 +242,8 @@ logging_send_syslog_msg(systemd_sessions_t) |
| 45 |
allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod }; |
| 46 |
allow systemd_tmpfiles_t self:process { setfscreate getcap }; |
| 47 |
|
| 48 |
+kernel_read_kernel_sysctls(systemd_tmpfiles_t) |
| 49 |
+ |
| 50 |
dev_relabel_all_sysfs(systemd_tmpfiles_t) |
| 51 |
dev_read_urand(systemd_tmpfiles_t) |
| 52 |
dev_manage_all_dev_nodes(systemd_tmpfiles_t) |
Archives