diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 15b8699c68..4a9771faa6 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -125,6 +125,7 @@ files_watch_runtime_dirs(ntpd_t)
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+fs_getattr_nsfs_files(ntpd_t)
 term_use_ptmx(ntpd_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index eea78ffc51..b4e6995d62 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -532,6 +532,7 @@ ifdef(`init_systemd',`
 fs_list_cgroup_dirs(syslogd_t)
 fs_watch_memory_pressure(syslogd_t)
+ fs_getattr_nsfs_files(syslogd_t)
 init_create_runtime_dirs(syslogd_t)
 init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1f7049b1d8..ab60cdc461 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -302,6 +302,8 @@ init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
+# create /etc/group
+domain_obj_id_change_exemption(systemd_sysusers_t)
 role systemd_sysusers_roles types systemd_sysusers_t;
 type systemd_tmpfiles_t;
@@ -450,6 +452,7 @@ fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
 fs_getattr_cgroup(systemd_binfmt_t)
 fs_search_cgroup_dirs(systemd_binfmt_t)
+fs_getattr_nsfs_files(systemd_binfmt_t)
 ######################################
 #
@@ -565,6 +568,7 @@ files_dontaudit_read_etc_runtime_files(systemd_generator_t)
 fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
+fs_getattr_nsfs_files(systemd_generator_t)
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
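Review bot: ntpd_t gains fs_getattr_nsfs_files unconditionally in the ntp.te hunk, while the identical rule for syslogd_t (logging.te hunk on this line) and udev_t (udev.te hunk further down) is placed inside an `ifdef(`init_systemd',` block. If the nsfs stat is caused by systemd's service sandboxing rather than by ntpd's own code, the ntp.te rule belongs under the same conditional so non-systemd builds do not carry an unused allow rule. If it really is independent of the init system, a one-line comment above the rule stating what triggers the access would make that deliberate choice visible to the next reader. The enclosing ntpd_t policy block starts and ends outside the hunk.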
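Review bot: The comment `# create /etc/group` on domain_obj_id_change_exemption(systemd_sysusers_t) in the systemd.te hunk at line 302 does not say why creating that file needs an identity-change exemption, and the exemption is considerably wider than the comment suggests. As far as I recall, domain_obj_id_change_exemption places the domain in the can_change_object_identity attribute, which lifts the constraint that a created or relabeled object keep the SELinux user of the creating process, for every object class the constraint covers, not just /etc/group. The likely trigger is that sysusers runs under one SELinux user while the existing passwd/group files carry another, so the create would otherwise be denied by the constraint rather than by an AVC rule, but that inference should be confirmed and recorded. I would replace the comment with `# sysusers recreates /etc/group (and siblings) whose SELinux user differs from the process's; exempt from the object identity-change constraint`.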
@@ -862,6 +866,7 @@ manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_
 fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
+fs_getattr_nsfs_files(systemd_journal_init_t)
 kernel_getattr_proc(systemd_journal_init_t)
 kernel_read_kernel_sysctls(systemd_journal_init_t)
@@ -999,6 +1004,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 fs_getattr_xattr_fs(systemd_logind_t)
 fs_watch_memory_pressure(systemd_logind_t)
+fs_getattr_nsfs_files(systemd_logind_t)
 selinux_use_status_page(systemd_logind_t)
@@ -1226,6 +1232,7 @@ init_read_state(systemd_machine_id_setup_t)
 fs_getattr_cgroup(systemd_modules_load_t)
 fs_getattr_xattr_fs(systemd_modules_load_t)
+fs_getattr_nsfs_files(systemd_modules_load_t)
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
@@ -1787,6 +1794,7 @@ fs_getattr_all_fs(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
 fs_search_tmpfs(systemd_sessions_t)
 fs_search_ramfs(systemd_sessions_t)
+fs_getattr_nsfs_files(systemd_sessions_t)
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1821,6 +1829,7 @@ fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
 fs_search_tmpfs(systemd_sysctl_t)
+fs_getattr_nsfs_files(systemd_sysctl_t)
 systemd_log_parse_environment(systemd_sysctl_t)
@@ -1935,6 +1944,7 @@ fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_all_fs(systemd_tmpfiles_t)
 fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_nsfs_files(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -2185,6 +2195,7 @@ fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
 fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
+fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b2e43aa7d2..620de7e2e7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -273,6 +273,7 @@ ifdef(`init_systemd',`
 fs_create_cgroup_dirs(udev_t)
 fs_create_cgroup_files(udev_t)
 fs_rw_cgroup_files(udev_t)
+ fs_getattr_nsfs_files(udev_t)
 init_dgram_send(udev_t)
 init_get_generic_units_status(udev_t)