Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch | 36 |
1 files changed, 36 insertions, 0 deletions
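diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
new file mode 100644
index 0000000..7cf3763
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-roles-sysadm-allow-sysadm_t-to-watch-.patch
@@ -0,0 +1,36 @@
+From 7fd830d6b2c60dcf5b8ee0b2ff94436de63d5b8c Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 29 Jun 2020 10:32:25 +0800
+Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm_t to watch runtime
+dirs
+
+Fixes:
+Failed to add a watch for /run/systemd/ask-password: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/roles/sysadm.te | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index fc0945fe4..07b9faf30 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -83,6 +83,12 @@ ifdef(`init_systemd',`
+ # Allow sysadm to resolve the username of dynamic users by calling
+ # LookupDynamicUserByUID on org.freedesktop.systemd1.
+ init_dbus_chat(sysadm_t)
++
++ fs_watch_cgroup_files(sysadm_t)
++ files_watch_etc_symlinks(sysadm_t)
++ mount_watch_runtime_dirs(sysadm_t)
++ systemd_filetrans_passwd_runtime_dirs(sysadm_t)
++ allow sysadm_t systemd_passwd_runtime_t:dir watch;
+ ')
+ 
+ tunable_policy(`allow_ptrace',`
+-- 
+2.17.1
+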
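Review bot: The bare `allow sysadm_t systemd_passwd_runtime_t:dir watch;` on inner line 30 makes the sysadm role module depend directly on a type that belongs to the systemd module, which breaks the refpolicy convention that cross-module access goes through an interface in that module's `.if` file; the rule should be replaced by a call to a systemd interface granting watch on the passwd runtime directory, adding such an interface to the systemd module if none exists. The commit message justifies the change with a single denial on /run/systemd/ask-password, but the hunk also grants watch on cgroup files and /etc symlinks and a file transition into the passwd runtime directory (inner lines 26, 27 and 29), each of which widens sysadm_t beyond what that denial shows; the message should cite the corresponding denials or the grants should be trimmed to the one observed. The "Inappropriate [embedded specific]" status also reads oddly here, since allowing sysadm_t to watch systemd's ask-password directory is not specific to embedded targets and looks like an upstream-able fix.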