diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch | 38 |
1 files changed, 0 insertions, 38 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch b/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch deleted file mode 100644 index 5be48df..0000000 --- a/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From 0e93ad162cda033935fbac584787417b97b4bc17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Fri, 3 Jul 2020 09:42:21 +0800 | ||
4 | Subject: [PATCH] policy/modules/services/bind: make named_t domain MLS trusted | ||
5 | for reading from files up to its clearance | ||
6 | |||
7 | Allow named_t to search /run/systemd/journal | ||
8 | |||
9 | Fixes: | ||
10 | avc: denied { search } for pid=295 comm="isc-worker0000" | ||
11 | name="journal" dev="tmpfs" ino=10990 | ||
12 | scontext=system_u:system_r:named_t:s0-s15:c0.c1023 | ||
13 | tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir | ||
14 | permissive=0 | ||
15 | |||
16 | Upstream-Status: Inappropriate [embedded specific] | ||
17 | |||
18 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
19 | --- | ||
20 | policy/modules/services/bind.te | 2 ++ | ||
21 | 1 file changed, 2 insertions(+) | ||
22 | |||
23 | diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te | ||
24 | index bf50763bd..be1813cb9 100644 | ||
25 | --- a/policy/modules/services/bind.te | ||
26 | +++ b/policy/modules/services/bind.te | ||
27 | @@ -165,6 +165,8 @@ miscfiles_read_generic_tls_privkey(named_t) | ||
28 | userdom_dontaudit_use_unpriv_user_fds(named_t) | ||
29 | userdom_dontaudit_search_user_home_dirs(named_t) | ||
30 | |||
31 | +mls_file_read_to_clearance(named_t) | ||
32 | + | ||
33 | tunable_policy(`named_tcp_bind_http_port',` | ||
34 | corenet_sendrecv_http_server_packets(named_t) | ||
35 | corenet_tcp_bind_http_port(named_t) | ||
36 | -- | ||
37 | 2.17.1 | ||
38 | |||