diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 2b71fe1..83e3fb6 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -368,14 +368,14 @@ interface(`bootloader_write_kernel_modules',`
 #
 interface(`bootloader_manage_kernel_modules',`
 gen_require(`
- attribute rw_kern_modules;
+# attribute rw_kern_modules;
 type modules_object_t;
 ')
 allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
 allow $1 modules_object_t:dir rw_dir_perms;
- typeattribute $1 rw_kern_modules;
+# typeattribute $1 rw_kern_modules;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 6982495..cf4337d 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -49,7 +49,7 @@ dev_node(bootloader_tmp_t)
 type modules_object_t;
 files_type(modules_object_t)
-neverallow ~rw_kern_modules modules_object_t:file { create append write };
+#neverallow ~rw_kern_modules modules_object_t:file { create append write };
 #
 # system_map_t is for the system.map files in /boot
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index bfed2fb..cf06c86 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -258,9 +258,9 @@ optional_policy(`rpc.te',`
 fs_read_noxattr_fs_files(kernel_t)
 fs_read_noxattr_fs_symlinks(kernel_t)
-# auth_read_all_dirs_except_shadow(kernel_t)
-# auth_read_all_files_except_shadow(kernel_t)
-# auth_read_all_symlinks_except_shadow(kernel_t)
+ auth_read_all_dirs_except_shadow(kernel_t)
+ auth_read_all_files_except_shadow(kernel_t)
+ auth_read_all_symlinks_except_shadow(kernel_t)
 ')
 tunable_policy(`nfs_export_all_rw',`
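Review bot: After this change `bootloader_manage_kernel_modules` still grants `create`, `write` and `unlink` on `modules_object_t` but no longer tags the caller with `rw_kern_modules`, so the attribute stops describing which domains may write kernel modules and any assertion keyed on it loses its meaning. Commenting the two lines out rather than deleting them leaves dead code in the interface with no explanation; if an attribute inside `gen_require` is what failed to build (I cannot tell from the hunk), say so next to the lines, e.g. `# rw_kern_modules tagging disabled: attribute cannot be required here; re-enable together with the neverallow in bootloader.te`. Otherwise delete the lines outright. The interface body is complete within the hunk.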
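Review bot: Disabling `neverallow ~rw_kern_modules modules_object_t:file { create append write }` removes the only build-time check that a domain outside `rw_kern_modules` cannot write kernel modules, which is the direct path from any file-writing domain to arbitrary ring-0 code. Because the matching `typeattribute` in bootloader.if is also disabled in this commit, every caller of `bootloader_manage_kernel_modules` would now trip the assertion, so the two changes go together; the real question is which rule forced the attribute assignment out. If it was a new writer domain, giving that domain the attribute or excluding `modules_object_t` from its rule keeps the assertion; at minimum record the reason beside the commented line, e.g. `# neverallow disabled: <offending rule>; restore once that domain is in rw_kern_modules`.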
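Review bot: The three `auth_read_all_*_except_shadow(kernel_t)` rules being enabled give the kernel domain read on every non-shadow directory, file and symlink, which includes `policy_config_t` and `modules_object_t`, yet the hunk carries no comment on why they were previously disabled or what gates them. The enclosing `tunable_policy` block starts above the hunk, so the guarding boolean is not visible here; from the `nfs_export_all_rw` block that follows it is presumably the read-only NFS export tunable, but that should be confirmed. A one-line comment above the rules such as `# kernel-side nfsd must read any exported file; scope limited only by the enclosing tunable` would make the grant reviewable. Note that `_except_shadow` excludes only `shadow_t`: keys, certificates and other secrets carrying ordinary file types become readable by kernel_t whenever the tunable is on.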
@@ -268,7 +268,7 @@ optional_policy(`rpc.te',`
 fs_read_noxattr_fs_files(kernel_t)
 fs_read_noxattr_fs_symlinks(kernel_t)
-# auth_manage_all_files_except_shadow(kernel_t)
+ auth_manage_all_files_except_shadow(kernel_t)
 ')
 ')
diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if
index 3498ce3..7f7b26e 100644
--- a/refpolicy/policy/modules/system/selinuxutil.if
+++ b/refpolicy/policy/modules/system/selinuxutil.if
@@ -584,7 +584,7 @@ interface(`seutil_read_binary_pol',`
 #
 interface(`seutil_create_binary_pol',`
 gen_require(`
- attribute can_write_binary_policy;
+# attribute can_write_binary_policy;
 type selinux_config_t, policy_config_t;
 class dir ra_dir_perms;
 class file { getattr create write };
@@ -594,7 +594,7 @@ interface(`seutil_create_binary_pol',`
 allow $1 selinux_config_t:dir search;
 allow $1 policy_config_t:dir ra_dir_perms;
 allow $1 policy_config_t:file { getattr create write };
- typeattribute $1 can_write_binary_policy;
+# typeattribute $1 can_write_binary_policy;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 10da914..071446b 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -60,7 +60,7 @@ kernel_list_from(policy_config_t)
 kernel_read_file_from(policy_config_t)
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
-neverallow ~can_write_binary_policy policy_config_t:file { write append };
+#neverallow ~can_write_binary_policy policy_config_t:file { write append };
 #
 # policy_src_t is the type of the policy source
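Review bot: `auth_manage_all_files_except_shadow(kernel_t)` grants create, write and unlink on every non-shadow file type, which on its face covers `modules_object_t` and `policy_config_t`, exactly the two types whose `rw_kern_modules` and `can_write_binary_policy` neverallows are disabled elsewhere in this commit; the helper's body is not shown, but it looks like the assertions were dropped to let this rule compile. If so, the safer direction is to exclude those two types from what kernel_t receives and keep the assertions, so that an NFS-exported root cannot be used to rewrite the kernel's modules or the binary policy from the server side. The enclosing `tunable_policy` starts outside the hunk, so which boolean gates this grant is not visible; a comment naming it above the rule, e.g. `# full write access for kernel nfsd; only when the rw export tunable is on`, would help.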
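Review bot: With the `write append` neverallow on `policy_config_t` gone, the build no longer enforces that only `can_write_binary_policy` domains can modify the binary policy that load_policy reads, while the `relabelto` assertion on the line above is kept, which leaves relabelling to the policy type asserted but overwriting the policy file not. Since the `typeattribute` in `seutil_create_binary_pol` is also commented out in this commit, every caller of that interface would otherwise violate the assertion, so the two changes are coupled; the open question is why the attribute assignment had to go, and that reason belongs in a comment beside the disabled line, e.g. `# write/append neverallow disabled: <reason>; re-enable with the typeattribute in seutil_create_binary_pol`. If the reason is a single offending rule, excluding `policy_config_t` from that rule and restoring both lines is the smaller change.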