Merge pull request #559 from yizhao1/fixes

Systemd fixes
SELinuxProject · Nov 1, 2022 · 89488a5 · 89488a5
2 parents eff8a2b + c572595
commit 89488a5
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 4 deletions.
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
@@ -3,6 +3,9 @@
 /usr/bin/bcfg2	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/debuginfo-install	--	gen_context(system_u:object_r:debuginfo_exec_t,s0)
 /usr/bin/dnf	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-[0-9]+		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/dnf-automatic-[0-9]+	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/online_update	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -360,7 +360,7 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
-kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)
+kernel_read_kernel_sysctls(systemd_backlight_t)
 
 # for udev.conf
 files_read_etc_files(systemd_backlight_t)
@@ -370,6 +370,9 @@ udev_read_runtime_files(systemd_backlight_t)
 
 files_search_var_lib(systemd_backlight_t)
 
+fs_getattr_all_fs(systemd_backlight_t)
+fs_search_cgroup_dirs(systemd_backlight_t)
+
 #######################################
 #
 # Binfmt local policy
@@ -469,7 +472,7 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:capability { dac_override sys_admin };
 allow systemd_generator_t self:process setfscreate;
 
 corecmd_exec_shell(systemd_generator_t)
@@ -699,6 +702,7 @@ fs_getattr_all_fs(systemd_hostnamed_t)
 
 selinux_use_status_page(systemd_hostnamed_t)
 
+seutil_read_config(systemd_hostnamed_t)
 seutil_read_file_contexts(systemd_hostnamed_t)
 
 sysnet_etc_filetrans_config(systemd_hostnamed_t)
@@ -1391,8 +1395,7 @@ manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_v
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
 
-fs_getattr_cgroup(systemd_rfkill_t)
-fs_getattr_xattr_fs(systemd_rfkill_t)
+fs_getattr_all_fs(systemd_rfkill_t)
 
 kernel_getattr_proc(systemd_rfkill_t)
 kernel_read_kernel_sysctls(systemd_rfkill_t)