Improve the initrc domain within the init module with some permissions
needed for a smoother boot.
Let the iptables init scripts read the iptables configuration.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/init.te | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/policy/modules/system/init.te 2017-02-04 19:30:18.000000000 +0100
+++ b/policy/modules/system/init.te 2017-04-29 19:26:48.542410646 +0200
@@ -420,6 +420,7 @@ kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
kernel_rw_all_sysctls(initrc_t)
+kernel_use_fds(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
# cjp: not sure why these are here; should use mount policy
@@ -427,6 +428,7 @@ kernel_list_unlabeled(initrc_t)
kernel_mounton_unlabeled_dirs(initrc_t)
files_create_lock_dirs(initrc_t)
+files_manage_all_locks(initrc_t)
files_pid_filetrans_lock_dir(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
files_setattr_lock_dirs(initrc_t)
@@ -905,6 +906,10 @@ optional_policy(`
')
optional_policy(`
+ iptables_read_config(initrc_t)
+')
+
+optional_policy(`
iscsi_stream_connect(initrc_t)
iscsi_read_lib_files(initrc_t)
')
On Sun, 30 Apr 2017 04:17:30 AM Guido Trentalancia via refpolicy wrote:
> +kernel_use_fds(initrc_t)
Why is this needed?
If a kernel fd is inherited by init_t and then passed on to initrc_t then it's
probably a fd leak which should be fixed.
Maybe this is a candidate for ifdef(`hide_broken_symptoms',`...
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Hi!
I don't think so. It is the file descriptor of the pseudo terminal.
It is required for printing out boot stage information (such as status of launched services) to the correct terminal...
I hope this helps.
Regards,
Guido
On the 30th of April 2017 08:06:08 CEST, Russell Coker <[email protected]> wrote:
>On Sun, 30 Apr 2017 04:17:30 AM Guido Trentalancia via refpolicy wrote:
>> +kernel_use_fds(initrc_t)
>
>Why is this needed?
>
>If a kernel fd is inherited by init_t and then passed on to initrc_t
>then it's
>probably a fd leak which should be fixed.
>
>Maybe this is a candidate for ifdef(`hide_broken_symptoms',`...