From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 29 Apr 2017 20:17:30 +0200 Subject: [refpolicy] [PATCH 3/7] init: smoother system boot Message-ID: <1493489850.7586.11.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Improve the initrc domain within the init module with some permissions needed for a smoother boot. Let the iptables init scripts read the iptables configuration. Signed-off-by: Guido Trentalancia --- policy/modules/system/init.te | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/policy/modules/system/init.te 2017-02-04 19:30:18.000000000 +0100 +++ b/policy/modules/system/init.te 2017-04-29 19:26:48.542410646 +0200 @@ -420,6 +420,7 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) kernel_rw_all_sysctls(initrc_t) +kernel_use_fds(initrc_t) # for lsof which is used by alsa shutdown: kernel_dontaudit_getattr_message_if(initrc_t) # cjp: not sure why these are here; should use mount policy @@ -427,6 +428,7 @@ kernel_list_unlabeled(initrc_t) kernel_mounton_unlabeled_dirs(initrc_t) files_create_lock_dirs(initrc_t) +files_manage_all_locks(initrc_t) files_pid_filetrans_lock_dir(initrc_t, "lock") files_read_kernel_symbol_table(initrc_t) files_setattr_lock_dirs(initrc_t) @@ -905,6 +906,10 @@ optional_policy(` ') optional_policy(` + iptables_read_config(initrc_t) +') + +optional_policy(` iscsi_stream_connect(initrc_t) iscsi_read_lib_files(initrc_t) ')
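Review bot: The first hunk (kernel_use_fds(initrc_t) at @@ -420,6 +420,7 @@) is not explained by the commit message, which only says "some permissions needed for a smoother boot"; inheriting and using kernel-owned file descriptors is a broad grant for initrc_t, so please name the init script or the AVC denial that motivated it, either in the commit message or in a comment above the line, the way the adjacent "# for lsof which is used by alsa shutdown:" comment documents its neighbour.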
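Review bot: In the second hunk (@@ -427,6 +428,7 @@), files_manage_all_locks(initrc_t) gives initrc_t create, write and delete access to every lock file type in the policy, including the lock files of confined daemons, which undercuts the narrower interfaces already present around it (files_create_lock_dirs, files_pid_filetrans_lock_dir, files_setattr_lock_dirs). Please state which lock file the boot path actually needs and use the per-domain lock interface for that type instead, or justify the all-locks grant in the commit message.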
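Review bot: For the third hunk (the new optional_policy block with iptables_read_config(initrc_t) at @@ -905,6 +906,10 @@), the commit message says the iptables init scripts need to read the configuration, but an init script normally invokes iptables and transitions to the iptables domain, which reads the rules file itself; if a script reads the file directly in initrc_t (for example to test whether a rules file is present before restoring it), say so in the commit message so the reviewer can confirm the read access is needed in initrc_t rather than in iptables_t. The placement before the iscsi block keeps the alphabetical ordering of the optional_policy blocks, which is good.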