summaryrefslogtreecommitdiffstats
path: root/recipes-security/refpolicy/refpolicy/0088-policy-modules-services-bind-make-named_t-domain-MLS.patch
blob: 5be48df49dfea3138f152bc4d3deb9e026c353c6 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

From 0e93ad162cda033935fbac584787417b97b4bc17 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 3 Jul 2020 09:42:21 +0800
Subject: [PATCH] policy/modules/services/bind: make named_t domain MLS trusted
 for reading from files up to its clearance

Allow named_t to search /run/systemd/journal

Fixes:
avc:  denied  { search } for  pid=295 comm="isc-worker0000"
name="journal" dev="tmpfs" ino=10990
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
permissive=0

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 policy/modules/services/bind.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index bf50763bd..be1813cb9 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -165,6 +165,8 @@ miscfiles_read_generic_tls_privkey(named_t)
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)
 
+mls_file_read_to_clearance(named_t)
+
 tunable_policy(`named_tcp_bind_http_port',`
 	corenet_sendrecv_http_server_packets(named_t)
 	corenet_tcp_bind_http_port(named_t)
-- 
2.17.1
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-06-11 09:44:07 +0000