author | Guido Trentalancia <guido@trentalancia.net> | 2017-01-02 22:11:32 +0100 |
---|---|---|
committer | Sven Vermeulen <swift@gentoo.org> | 2017-01-13 19:38:51 +0100 |
commit | 55f60d30e606f695662113f02acc45a78e3433a3 (patch) | |
tree | f1017742a694e43ea9dc9070002837a80ea5fad2 | |
parent | xserver: restrict executable memory permissions (diff) | |

init: support sysvinit

Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.

Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

-rw-r--r-- | policy/modules/system/init.te | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index bd97a7c8..ce6f2f9a 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -162,6 +162,7 @@ files_exec_etc_files(init_t) files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) +# the following one is needed for libselinux:is_selinux_enabled() +# otherwise the call fails and sysvinit tries to load the policy +# again when using the initramfs +selinux_get_fs_mount(init_t) selinux_set_all_booleans(init_t) term_use_all_terms(init_t) |
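
Review bot: In the first hunk (@@ -162,6 +162,7 @@), fs_getattr_xattr_fs(init_t) is added with no comment, and the commit message explains only selinux_get_fs_mount(); it speaks of "a permission" while the patch adds two interface calls. Please state why init_t needs getattr on xattr filesystems, either in the commit message or in a comment beside the line as was done for selinux_get_fs_mount(init_t), or move it to its own commit if it is unrelated to the sysvinit fix.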
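
Review bot: In the second hunk (@@ -174,6 +175,10 @@), selinux_get_fs_mount(init_t) is granted to init_t unconditionally, while the comment and the commit message describe the need only for sysvinit on systems using the initramfs. If the unconditional grant is intended, the comment should say so; otherwise consider scoping the rule to the case that needs it. As a style point, "the following one is needed for" could name the interface and the consequence directly, for example "# selinux_get_fs_mount() is needed for libselinux:is_selinux_enabled()", so the comment still reads correctly if lines are later reordered.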