From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 6 Apr 2021 16:06:48 +0200
Subject: [PATCH] Allow fapolicyd watch boot and home directories
The fapolicyd service needs watch_mount and watch_with_perm permissions
for fanotify/inotify/dnotify calls on the following directories:
- /boot and /boot/efi directories
- /home directories
Note the /boot/efi directory has the dosfs_t label.
---
fapolicyd.te | 6 ++++++
1 file changed, 6 insertions(+)
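diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
index f5d0052..c12f385 100644
--- a/fapolicyd-selinux-0.4/fapolicyd.te
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
 
 files_mmap_usr_files(fapolicyd_t)
 files_read_all_files(fapolicyd_t)
+files_watch_mount_boot_dirs(fapolicyd_t)
+files_watch_with_perm_boot_dirs(fapolicyd_t)
 files_watch_mount_generic_tmp_dirs(fapolicyd_t)
 files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
+files_watch_mount_home(fapolicyd_t)
+files_watch_with_perm_home(fapolicyd_t)
 files_watch_mount_root_dirs(fapolicyd_t)
 files_watch_with_perm_root_dirs(fapolicyd_t)
 
 fs_getattr_xattr_fs(fapolicyd_t)
 fs_watch_mount_tmpfs_dirs(fapolicyd_t)
 fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
+fs_watch_mount_dos_dirs(fapolicyd_t)
+fs_watch_with_perm_dos_dirs(fapolicyd_t)
 
 logging_send_syslog_msg(fapolicyd_t)
 dbus_system_bus_client(fapolicyd_t)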
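Review bot: The added fs_watch_mount_dos_dirs/fs_watch_with_perm_dos_dirs calls read as unrelated to the boot-directory lines above them, because the reason for them (/boot/efi carrying the dosfs_t label) is recorded only in the commit message and not in the policy file; a one-line comment next to them would keep that rationale with the code, e.g. `# /boot/efi is a dosfs_t mount, so watching /boot also needs the dos fs watch interfaces`. The commit message speaks of "/home directories", while the files_watch_mount_home/files_watch_with_perm_home interfaces presumably cover only the home root directory type rather than per-user home directory types; if the observed denials also involve user home directory labels, confirm that these two calls are sufficient. The new calls keep the existing alphabetical ordering within the files_* and fs_* groups, which is consistent with the rest of the hunk. The enclosing policy block for fapolicyd_t continues outside the hunk.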