2017-09-10 15:26:11

by Christian Göttsche

Subject: [refpolicy] [PATCH] mandb: fixes for systemd timer and /usr/local/man label

---
mandb.te | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/mandb.te b/mandb.te
index 5c759da..27d5fff 100644
--- a/mandb.te
+++ b/mandb.te
@@ -16,6 +16,11 @@ role mandb_roles types mandb_t;
type mandb_unit_t;
init_unit_file(mandb_unit_t)

+ifdef(`init_systemd',`
+ # run as systemd timer
+ init_system_domain(mandb_t, mandb_exec_t)
+')
+
########################################
#
# Local policy
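Review bot: The comment `# run as systemd timer` understates what `init_system_domain(mandb_t, mandb_exec_t)` grants: it makes mandb_t a domain that init may transition into via mandb_exec_t regardless of how init launches it (service, timer, or anything else), not only a timer. Suggest `# let init run mandb in its own domain (used by the mandb systemd timer/service)`. Since mandb_t is already attached to the user roles via `role mandb_roles types mandb_t;` on the line above the hunk, the same domain is now shared by interactive users and init; that seems reasonable for a database rebuild, but confirm it is intended rather than giving init a separate, tighter domain.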
@@ -40,6 +45,8 @@ domain_use_interactive_fds(mandb_t)

files_dontaudit_search_home(mandb_t)
files_read_etc_files(mandb_t)
+# /usr/local/man
+files_read_usr_symlinks(mandb_t)
# search /var/run/nscd/socket
files_search_pids(mandb_t)

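Review bot: `files_read_usr_symlinks(mandb_t)` lets mandb_t follow every symlink labeled usr_t under /usr, while the one-word comment `# /usr/local/man` does not say why that breadth is needed. If /usr/local/man is itself a symlink (presumably into /usr/local/share/man, as the subject's "label" wording suggests), a narrower fix is a file context entry labeling that link man_t, which would make this .te change unnecessary; note the subject mentions a label fix but no .fc hunk is in the diff. If the broad read is kept, the comment should state the reason, e.g. `# /usr/local/man may be a usr_t symlink into share/man; allow following it`.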
--
2.14.1


2017-09-11 23:16:10

by Chris PeBenito

Subject: [refpolicy] [PATCH] mandb: fixes for systemd timer and /usr/local/man label

On 09/10/2017 11:26 AM, Christian Göttsche via refpolicy wrote:
> ---
> mandb.te | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/mandb.te b/mandb.te
> index 5c759da..27d5fff 100644
> --- a/mandb.te
> +++ b/mandb.te
> @@ -16,6 +16,11 @@ role mandb_roles types mandb_t;
> type mandb_unit_t;
> init_unit_file(mandb_unit_t)
>
> +ifdef(`init_systemd',`
> + # run as systemd timer
> + init_system_domain(mandb_t, mandb_exec_t)
> +')

I don't think this needs to be a build option.


> ########################################
> #
> # Local policy
> @@ -40,6 +45,8 @@ domain_use_interactive_fds(mandb_t)
>
> files_dontaudit_search_home(mandb_t)
> files_read_etc_files(mandb_t)
> +# /usr/local/man
> +files_read_usr_symlinks(mandb_t)
> # search /var/run/nscd/socket
> files_search_pids(mandb_t)
>
>


--
Chris PeBenito