blob: a82400427dd84a388616cda9ff46a4714b624bea (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From bc821718f7e9575a67c4667decad937cbe5f8514 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Tue, 2 Mar 2021 14:25:03 +0800
Subject: [PATCH] policy/modules/system/selinux: allow setfiles_t to read
kernel sysctl
Fixes:
avc: denied { read } for pid=171 comm="restorecon" name="cap_last_cap"
dev="proc" ino=1241
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { open } for pid=171 comm="restorecon"
path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=1241
scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
avc: denied { getattr } for pid=171 comm="restorecon" name="/"
dev="proc" ino=1 scontext=system_u:system_r:setfiles_t:s0-s15:c0.c1023
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/selinuxutil.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index a505b3987..a26f8db03 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -597,6 +597,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t)
kernel_dontaudit_list_all_proc(setfiles_t)
kernel_dontaudit_list_all_sysctls(setfiles_t)
kernel_getattr_debugfs(setfiles_t)
+kernel_read_kernel_sysctls(setfiles_t)
+kernel_getattr_proc(setfiles_t)
dev_read_urand(setfiles_t)
dev_relabel_all_dev_nodes(setfiles_t)
--
2.17.1
|
