blob: 5be48df49dfea3138f152bc4d3deb9e026c353c6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
From 0e93ad162cda033935fbac584787417b97b4bc17 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 3 Jul 2020 09:42:21 +0800
Subject: [PATCH] policy/modules/services/bind: make named_t domain MLS trusted
for reading from files up to its clearance
Allow named_t to search /run/systemd/journal
Fixes:
avc: denied { search } for pid=295 comm="isc-worker0000"
name="journal" dev="tmpfs" ino=10990
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/services/bind.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index bf50763bd..be1813cb9 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -165,6 +165,8 @@ miscfiles_read_generic_tls_privkey(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
+mls_file_read_to_clearance(named_t)
+
tunable_policy(`named_tcp_bind_http_port',`
corenet_sendrecv_http_server_packets(named_t)
corenet_tcp_bind_http_port(named_t)
--
2.17.1
|