2017-09-07 14:50:37

by Sugar, David

Subject: [refpolicy] [PATCH 1/1] Label RHEL specific systemd binaries

Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/init.fc | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index f7c2e367..0c10ca94 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -34,6 +34,10 @@ ifdef(`distro_gentoo',`
/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)

+ifdef(`distro_redhat',`
+/usr/lib/systemd/rhel[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
ifdef(`distro_gentoo', `
/usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
')
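
Review bot: neither the commit message nor the added line /usr/lib/systemd/rhel[^/]* says which binaries are meant. The pattern gives initrc_exec_t to every regular file directly under /usr/lib/systemd whose name begins with "rhel", including any that a later package update adds. Naming the intended files in the commit message, or listing them explicitly in the entry, would make the scope of the label reviewable.
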
--
2.13.5


2017-09-08 15:50:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] Label RHEL specific systemd binaries

On 09/07/2017 10:50 AM, David Sugar via refpolicy wrote:
> Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/init.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index f7c2e367..0c10ca94 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -34,6 +34,10 @@ ifdef(`distro_gentoo',`
> /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
> /usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
>
> +ifdef(`distro_redhat',`
> +/usr/lib/systemd/rhel[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> +')
> +

This should be after the distro_gentoo block.

> ifdef(`distro_gentoo', `
> /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> ')
>
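
Review bot: the added entry carries the "--" file-type field, so only regular files are labeled, and [^/]* stops at the first slash. A symlink or directory named rhel* under /usr/lib/systemd would therefore keep whatever label the other entries give it. If that is intended, a one-line comment above the entry inside the distro_redhat block would record it.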


--
Chris PeBenito