diff --git a/policy-F15.patch b/policy-F15.patch
index 422d55e..9844784 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1242,10 +1242,10 @@ index 47c4723..4866a08 100644
 + domtrans_pattern($1, readahead_exec_t, readahead_t)
 +')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..e2d07b1 100644
+index b4ac57e..c00f4d9 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
-@@ -16,6 +16,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
+@@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
   type readahead_var_run_t;
   files_pid_file(readahead_var_run_t)
  
@@ -1253,6 +1253,14 @@ index b4ac57e..e2d07b1 100644
  
  ########################################
  #
+ # Local policy
+ #
+ 
+-allow readahead_t self:capability { fowner dac_override dac_read_search };
++allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
+ dontaudit readahead_t self:capability { net_admin sys_tty_config };
+ allow readahead_t self:process { setsched signal_perms };
+ 
 @@ -31,7 +32,9 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
  files_search_var_lib(readahead_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5b210af..3e2e399 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -476,6 +476,7 @@ exit 0
 - Update to ref policy
 - cgred needs chown capability
 - Add /dev/crash crash_dev_t
+- systemd-readahead wants to use fanotify which means readahead_t needs sys_admin capability
 
 * Tue Feb 8 2011 Miroslav Grepl 3.9.13-10
 - New labeling for postfmulti #675654
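Review bot: The `allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };` rule added in the second policy-F15.patch hunk (`@@ -1253,6 +1253,14 @@`) grants the broadest Linux capability with no in-policy record of why; the reason appears only in the selinux-policy.spec changelog entry. sys_admin covers far more than fanotify setup, and together with the dac_override and dac_read_search already in the set it leaves readahead_t constrained mainly by its type-enforcement rules, so an auditor should find the justification next to the rule. I would put a comment directly above it, e.g. `# sys_admin: systemd-readahead uses fanotify, which requires CAP_SYS_ADMIN; revisit if that requirement is relaxed`. The rest of the readahead.te local policy lies outside this hunk, so whether other rules limit what the capability can reach cannot be judged from here.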