From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 15 Apr 2021 16:56:08 +0200
Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
directories
For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
to mark the file's mount point to monitor. As this can be any file or
directory on the filesystem, the SELinux watch_mount and watch_with_perm
permissions are allowed for the file_type attribute.
---
fapolicyd.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
|
|
|
afdf34 |
index c12f385..582e03f 100644
|
|
|
afdf34 |
--- a/fapolicyd-selinux-0.4/fapolicyd.te
|
|
|
afdf34 |
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
|
|
|
afdf34 |
@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
|
|
|
afdf34 |
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
afdf34 |
allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
|
|
|
afdf34 |
|
|
|
afdf34 |
+gen_require(`
|
|
|
afdf34 |
+ attribute file_type;
|
|
|
afdf34 |
+')
|
|
|
afdf34 |
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
|
|
|
afdf34 |
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
|
|
|
afdf34 |
+
|
|
|
afdf34 |
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
|
|
|
afdf34 |
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
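Review bot: The two new allow rules grant watch_mount and watch_with_perm on every file_type object, but the policy file itself carries no rationale and the rules cover only the dir and file classes. A comment above the gen_require block would keep the reason next to the rule, e.g. `# fanotify_mark(FAN_MARK_MOUNT) is called on arbitrary paths, so mount-marking permissions are needed on all file types`. If the daemon is ever pointed at a non-regular object (symlink, device, socket or fifo node, whose classes are not listed here), the same permissions would presumably be denied, so it is worth confirming against fapolicyd's mount configuration whether those classes need covering or noting in the comment that they are deliberately excluded. Because watch_with_perm lets the daemon gate other processes' access on the marked mounts, the comment should also state that this breadth is intentional rather than leaving a later reader to guess.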