home:jsegitz:branches:security:SELinux_od
selinux-policy
fix_kernel.patch
File fix_kernel.patch of Package selinux-policy
Index: fedora-policy-20230125/policy/modules/kernel/kernel.te =================================================================== --- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te +++ fedora-policy-20230125/policy/modules/kernel/kernel.te @@ -389,6 +389,13 @@ ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(kernel_t) ') +# this is a temporary fix. This permission doesn't make a lot of sense, but +# without a kernel change there's not much we can do about it. I don't want to +# audit it due to the unknown impact (happens e.g. during firewall changes) +optional_policy(` + modutils_execute_kmod_tmpfs_files(kernel_t) +') + optional_policy(` abrt_filetrans_named_content(kernel_t) abrt_dump_oops_domtrans(kernel_t) @@ -410,6 +417,7 @@ optional_policy(` init_dbus_chat(kernel_t) init_sigchld(kernel_t) init_dyntrans(kernel_t) + init_read_state(kernel_t) ') optional_policy(` Index: fedora-policy-20230125/policy/modules/system/modutils.if =================================================================== --- fedora-policy-20230125.orig/policy/modules/system/modutils.if +++ fedora-policy-20230125/policy/modules/system/modutils.if @@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs dontaudit $1 kmod_tmpfs_t:file { getattr }; ') + +####################################### +## <summary> +## Execute accesses to tmp file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`modutils_execute_kmod_tmpfs_files',` + gen_require(` + type kmod_tmpfs_t; + ') + + allow $1 kmod_tmpfs_t:file { execute execute_no_trans }; +')
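Review bot: In the first kernel.te hunk (@@ -389), the comment above `modutils_execute_kmod_tmpfs_files(kernel_t)` calls this "a temporary fix" but gives no bug reference and no condition for removing it, so nothing ties the rule to the kernel change it is waiting for. Please add a tracker reference to the comment. The comment also says the permission "doesn't make a lot of sense"; because the interface grants `execute_no_trans`, anything executed from kmod_tmpfs_t runs in kernel_t with no domain transition, and the comment should state why that is acceptable here. "I don't want to audit it" is ambiguous: if it means a dontaudit rule was rejected because it would hide the denial, say so explicitly.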
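Review bot: The `init_read_state(kernel_t)` line added in the second kernel.te hunk (@@ -410) has no comment and is not covered by the explanation written above the kmod change, so the reason for it cannot be recovered from the patch. Please document which access prompts it, or move it to its own patch if it is unrelated to the kmod_tmpfs_t fix.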
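Review bot: The summary of `modutils_execute_kmod_tmpfs_files` in the modutils.if hunk, "Execute accesses to tmp file type.", does not describe what the interface grants. The rule is `allow $1 kmod_tmpfs_t:file { execute execute_no_trans };`, that is, execution of kmod_tmpfs_t files in the caller's own domain with no transition. Suggest wording such as "Execute kmod tmpfs files in the caller domain." so that a reader of the interface documentation sees the no-transition behaviour before using it for another domain.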