diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index ba189bf..9ad2232 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -11,7 +11,7 @@ terminal_use_console(kernel_t) domain_signal_all_domains(kernel_t) # Use capabilities. need to investigate which capabilities are actually used -#allow kernel_t self:capability *; +allow kernel_t self:capability *; # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index 7fec32b..a53af29 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -79,14 +79,13 @@ authlogin_modify_login_records(init_t) logging_modify_system_logs(init_t) # Use capabilities. old rule: -#allow init_t self:capability ~sys_module; +allow init_t self:capability ~sys_module; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config # kill: now provided by domain_kill_all_domains() # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot() -allow init_t self:capability { sys_boot sys_tty_config setuid }; # Modify utmp. allow init_t initrc_var_run_t:file { getattr read write setattr };