On 1/2/19 3:45 AM, Russell Coker wrote:
Lots of little stuff.
Also the sysnet_dns_name_resolve() change the previous patch needed.
[...]
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
# Local policy
#
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
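Review bot: with dac_read_search added to the `allow consolekit_t self:capability` set, dac_override in the same line is redundant for the read and search accesses this change is meant to fix, since CAP_DAC_OVERRIDE bypasses the same DAC checks and write as well; keeping both widens consolekit_t beyond what the observed denial shows it needs. Retest with dac_read_search alone and drop dac_override unless a write-side DAC denial appears. Also worth checking before granting anything: on current kernels directory lookups try dac_read_search before falling back to dac_override, so a dac_read_search denial on a domain that already holds dac_override can be audit noise from a lookup that actually succeeded, in which case a dontaudit rather than an allow is the right fix.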
Since you're getting the dac_read_search denial, the dac_override
probably isn't necessary anymore. Can you retest without it?
[...]
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
[...]
@@ -328,6 +324,11 @@ optional_policy(`
')
optional_policy(`
+ iptables_domtrans(udev_t)
+ iptables_write_pipe(udev_t)
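Review bot: iptables_write_pipe(udev_t) on the line after iptables_domtrans(udev_t) is redundant. iptables_domtrans() is built on domtrans_pattern(), which already grants the target domain rw_fifo_file_perms on the caller's fifo_file (together with fd use and process sigchld), so iptables_t can write to any pipe it inherits from udev_t across the transition. Drop the iptables_write_pipe call; if a fifo_file denial remains afterwards, it indicates iptables running in udev_t without the transition, or a different object class, and should be diagnosed separately rather than papered over with a second interface.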
I'm not clear why this separate pipe interface is necessary, as that
access should be provided by the domtrans interface already.
--- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20180701/policy/modules/system/iptables.if
@@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
########################################
## <summary>
+## Allow iptables to write to a pipe
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be written to
+## </summary>
+## </param>
+#
+interface(`iptables_write_pipe',`
Should be iptables_write_inherited_pipe().
+ gen_require(`
+ type iptables_t;
+ ')
+
+ allow iptables_t $1:fifo_file write;
+')
+
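Review bot: the interface name and its documentation do not describe what the rule grants. The rule `allow iptables_t $1:fifo_file write;` lets iptables_t write to a pipe it inherited from $1, so the refpolicy naming convention is iptables_write_inherited_pipe(), and the summary should read "Allow iptables to write to an inherited pipe"; the param summary "Domain to be written to" is backwards, since $1 is the domain that owns the pipe, e.g. "Domain owning the inherited pipe". Second, a bare `write` is narrower than refpolicy style: fifo access is normally granted through a permission set such as write_fifo_file_perms so that getattr, append, lock and ioctl on the same pipe do not produce follow-up denials. Finally, since domtrans_pattern() already grants the transitioned domain rw_fifo_file_perms on the caller's fifo_file, this interface is only needed by callers that do not transition to iptables_t; if no such caller exists, it can be dropped entirely.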
--
Chris PeBenito