* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2012-09-28 17:57 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-28 17:57 UTC (permalink / raw
To: gentoo-commits
commit: cd46d984ef7a811f699cff8190c8154bb87a1c78
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Sep 10 16:11:13 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Sep 28 17:53:18 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd46d984
Add Debian locations for GDM 3
---
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/services/xserver.fc | 15 +++++++++------
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 4592f8a..2596ca3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -322,6 +322,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
')
ifdef(`distro_gentoo', `
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 30fc0e8..433d690 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -19,9 +19,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /etc
#
-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -57,9 +57,10 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /usr
#
+/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -90,18 +91,20 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
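Review bot: The new `/var/run/gdm(3)?\.pid` entry covers only the PID file, whereas lxdm in the same block also has a directory entry (`/var/run/lxdm(/.*)?`). If GDM 3 on Debian keeps other runtime files in a `/var/run/gdm3/` directory, nothing visible in this hunk would give them xdm_var_run_t, and they would presumably fall back to the generic /var/run label. An entry along the lines of `/var/run/gdm(3)?(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)` would cover that case. The file continues past this hunk, so such an entry may already exist further down.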
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2012-09-28 17:57 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-28 17:57 UTC (permalink / raw
To: gentoo-commits
commit: eb2f042d2b9dfcb967c4fa77615da7997a0b7428
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Sep 17 15:08:42 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Sep 28 17:55:42 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb2f042d
Module version bump for Debian file context updates from Laurent Bigonville.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/xserver.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 1dd0427..43090a0 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.17.0)
+policy_module(corecommands, 1.17.3)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8ec444d..c44a6c3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.8.0)
+policy_module(xserver, 3.8.2)
gen_require(`
class x_drawable all_x_drawable_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2014-06-10 18:17 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-10 18:17 UTC (permalink / raw
To: gentoo-commits
commit: bfcca85f1b1f83d7c54e4f0b33aa40c027dc351e
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jun 2 19:14:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:14:24 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bfcca85f
Module version bump for rcs2log and xserver updates from Sven Vermeulen.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/xserver.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 99dc2dc..859b61d 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.19.1)
+policy_module(corecommands, 1.19.2)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c096bba..909782e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.10.1)
+policy_module(xserver, 3.10.2)
gen_require(`
class x_drawable all_x_drawable_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2016-01-30 17:21 Jason Zaman
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
To: gentoo-commits
commit: 17d97f0a9bb787b5feb0fa8aaf23a87bfdc79d00
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Dec 20 15:28:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17d97f0a
Label OpenSSH files correctly on Arch Linux
On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)
Label all these files but sftp-server as bin_t.
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/services/ssh.fc | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 8f12446..beb3ad8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -240,6 +240,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
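Review bot: The added `/usr/lib/ssh(/.*)?` entry has no file-type field and matches everything under the directory, so `ssh-keysign` ends up as `ssh_keysign_exec_t` only because the more specific `/usr/lib/ssh/ssh-keysign` entry added to ssh.fc in this same commit takes precedence. That cross-module dependency is not recorded next to the broad pattern; a comment above the new line such as `# ssh-keysign is labeled separately in ssh.fc` would make it visible to whoever edits either file later. The pattern also labels sftp-server under /usr/lib/ssh as bin_t, which agrees with the existing `/usr/lib/sftp-server` line but not with the commit description, where the two file names appear to be swapped.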
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 8168244..fd6c218 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2016-01-30 17:21 Jason Zaman
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
To: gentoo-commits
commit: 6955590361f01ea1554313ac3cd465194d73c1b2
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jan 5 18:38:19 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=69555903
Module version bump for Xorg and SSH patches from Nicolas Iooss.
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/ssh.te | 2 +-
policy/modules/services/xserver.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 89fbb84..f8cd213 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.21.0)
+policy_module(corecommands, 1.21.1)
########################################
#
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 917187a..30c9987 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.7.0)
+policy_module(ssh, 2.7.1)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 09c79bb..38d5623 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.0)
+policy_module(xserver, 3.11.1)
gen_require(`
class x_drawable all_x_drawable_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC (permalink / raw
To: gentoo-commits
commit: 10337c1339bd913a4bf477e994d9774b043cfcbd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar 8 00:02:27 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10337c13
filesystem, cron, authlogin: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/services/cron.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f7d24342..3d321072 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.25.0)
+policy_module(filesystem, 1.25.1)
########################################
#
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 0a19e09c..f182cf92 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.15.0)
+policy_module(cron, 2.15.1)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2021-01-11 1:27 Jason Zaman
From: Jason Zaman @ 2021-01-11 1:27 UTC (permalink / raw
To: gentoo-commits
commit: c0ba07217cbd68700912a61da9298aa029c371c7
Author: Daniel Burgener <dburgener <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Dec 15 15:29:52 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c0ba0721
Use self keyword when an AV rule source type matches destination
This is reported by a new SELint check in the soon-to-be-released selint version 1.2.0
Signed-off-by: Daniel Burgener <dburgener <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/kernel.te | 2 +-
policy/modules/services/xserver.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8a7c39df..9b847078 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -263,7 +263,7 @@ kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
-allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+allow unlabeled_t self:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b380e583..e56dcac9 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -787,9 +787,9 @@ tunable_policy(`!xserver_object_manager',`
# should be xserver_unconfined(xserver_t),
# but typeattribute doesnt work in conditionals
- allow xserver_t xserver_t:x_server { getattr setattr record debug grab manage };
+ allow xserver_t self:x_server { getattr setattr record debug grab manage };
allow xserver_t { x_domain root_xdrawable_t }:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
- allow xserver_t xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow xserver_t self:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
allow xserver_t x_domain:x_gc { create destroy getattr setattr use };
allow xserver_t { x_domain root_xcolormap_t }:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
allow xserver_t xproperty_type:x_property { create destroy read write append getattr setattr };
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
@ 2024-09-22 0:03 Jason Zaman
From: Jason Zaman @ 2024-09-22 0:03 UTC (permalink / raw
To: gentoo-commits
commit: e4de0cbe3903bc46af112502d405815875b55750
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 9 19:21:18 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4de0cbe
container: allow spc various rules for kubevirt
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/services/container.te | 13 +++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6bea5ccf9..085bd30f0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5465,6 +5465,24 @@ interface(`dev_relabelfrom_vfio_dev',`
relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
')
+############################
+## <summary>
+## Get the attributes of the vhost devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_vhost_dev',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
############################
## <summary>
## Allow read/write the vhost devices
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index cc700c038..2353092e4 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -978,7 +978,7 @@ allow spc_t self:process { getcap setrlimit };
# Normally triggered when rook-ceph executes lvm tools which creates noise.
# This can be allowed if actually needed.
dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
allow spc_t self:capability2 { bpf perfmon };
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
allow spc_t self:key manage_key_perms;
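Review bot: The widened `self:capability` set adds `dac_override`, `kill`, `setgid` and `setuid` with no comment, while most of the rules added in the later hunks of this file are marked `# for multus and kubevirt`. `dac_override` in particular lets spc_t bypass discretionary file permission checks entirely, so the reason belongs next to the rule. Proposed comment above the line: `# dac_override, kill, setgid, setuid: for multus and kubevirt`. Moving the four new capabilities to their own `allow spc_t self:capability { dac_override kill setgid setuid };` line under that comment would also keep the original set easy to audit.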
@@ -1004,14 +1004,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
# for rook-ceph
allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
# for kubernetes storage class providers
allow spc_t container_file_t:{ dir file } mounton;
allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
# for rook-ceph
allow spc_t container_file_t:blk_file manage_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_file_t:chr_file setattr;
+allow spc_t container_file_t:filesystem unmount;
-allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
+allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
allow spc_t container_runtime_t:file manage_file_perms;
allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
@@ -1034,6 +1039,10 @@ dev_filetrans(spc_t, container_device_t, blk_file)
dev_dontaudit_getattr_all_chr_files(spc_t)
dev_dontaudit_setattr_generic_symlinks(spc_t)
dev_dontaudit_relabelto_generic_blk_files(spc_t)
+# for multus and kubevirt
+dev_getattr_kvm_dev(spc_t)
+dev_getattr_vhost_dev(spc_t)
+dev_watch_dev_dirs(spc_t)
fs_read_nsfs_files(spc_t)
fs_mount_xattr_fs(spc_t)